Analysis
- max time kernel: 38s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/03/2023, 16:24
Static task: static1
Behavioral task: behavioral1
- Sample: encryptor.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: encryptor.exe
- Resource: win10v2004-20230220-en
General
- Target: encryptor.exe
- Size: 766KB
- MD5: 400fa5d02c1ac704cd290d959b725e67
- SHA1: 456e5cb1739cb5f29020d1a692289a5af07ce90d
- SHA256: dc563953f845fb88c6375b3e9311ebed49ce4bcd613f7044989304c8de384dac
- SHA512: 0240c6608931d975aa45e2a2c76ea43d311fd4660c091510197e30e65ccb69002e47006d1656abc71425186b3c7823881ae56ea39500afaef0fc4b5094b384ad
- SSDEEP: 12288:aH3fcbXX/qkpwGarA0iKKjk/1RobRWGDmEd7nLTzGnabKJiM:aH3fcbXX9pwGarA0iKj/1RCWGDmIHQpX
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  File renamed: C:\Users\Admin\Pictures\ProtectRegister.crw => C:\Users\Admin\Pictures\ProtectRegister.crwxxyyzzr (process: encryptor.exe)
  File opened for modification: C:\Users\Admin\Pictures\ProtectRegister.crwxxyyzzr (process: encryptor.exe)
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation (process: encryptor.exe)
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by encryptor.exe: \??\J:, \??\B:, \??\Q:, \??\M:, \??\T:, \??\O:, \??\F:, \??\X:, \??\W:, \??\N:, \??\H:, \??\D:, \??\U:, \??\R:, \??\V:, \??\S:, \??\P:, \??\L:, \??\K:, \??\I:, \??\Z:, \??\Y:, \??\A:, \??\G:, \??\E:
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid 2032: vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4492: encryptor.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeAssignPrimaryTokenPrivilege, pid 4492, encryptor.exe
  Token: SeBackupPrivilege, pid 3912, vssvc.exe
  Token: SeRestorePrivilege, pid 3912, vssvc.exe
  Token: SeAuditPrivilege, pid 3912, vssvc.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 4492 wrote to memory of 2036: encryptor.exe (pid 4492), procid_target 86 (2 entries)
  PID 2036 wrote to memory of 2032: cmd.exe (pid 2036), procid_target 87 (2 entries)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\encryptor.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\encryptor.exe"
  PID: 4492
  - Modifies extensions of user files
  - Checks computer location settings
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    PID: 2036
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin.exe delete shadows /all /quiet
      PID: 2032
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3912
  - Suspicious use of AdjustPrivilegeToken