Analysis
-
max time kernel
38s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system -
submitted
30-03-2023 16:24
Static task
static1
Behavioral task
behavioral1
Sample
encryptor.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
encryptor.exe
Resource
win10v2004-20230220-en
General
-
Target
encryptor.exe
-
Size
766KB
-
MD5
400fa5d02c1ac704cd290d959b725e67
-
SHA1
456e5cb1739cb5f29020d1a692289a5af07ce90d
-
SHA256
dc563953f845fb88c6375b3e9311ebed49ce4bcd613f7044989304c8de384dac
-
SHA512
0240c6608931d975aa45e2a2c76ea43d311fd4660c091510197e30e65ccb69002e47006d1656abc71425186b3c7823881ae56ea39500afaef0fc4b5094b384ad
-
SSDEEP
12288:aH3fcbXX/qkpwGarA0iKKjk/1RobRWGDmEd7nLTzGnabKJiM:aH3fcbXX9pwGarA0iKj/1RCWGDmIHQpX
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
encryptor.exe
description | ioc | process
File renamed | C:\Users\Admin\Pictures\ProtectRegister.crw => C:\Users\Admin\Pictures\ProtectRegister.crwxxyyzzr | encryptor.exe
File opened for modification | C:\Users\Admin\Pictures\ProtectRegister.crwxxyyzzr | encryptor.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
encryptor.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | encryptor.exe
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
encryptor.exe
description | ioc | process
File opened (read-only) | \??\J: \??\B: \??\Q: \??\M: \??\T: \??\O: \??\F: \??\X: \??\W: \??\N: \??\H: \??\D: \??\U: \??\R: \??\V: \??\S: \??\P: \??\L: \??\K: \??\I: \??\Z: \??\Y: \??\A: \??\G: \??\E: (every letter A: to Z: except the system drive C:) | encryptor.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe
pid | process
2032 | vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
encryptor.exe
pid | process
4492 | encryptor.exe (all 64 IoCs are from this one process)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
encryptor.exe, vssvc.exe
description | pid | process
Token: SeAssignPrimaryTokenPrivilege | 4492 | encryptor.exe
Token: SeBackupPrivilege | 3912 | vssvc.exe
Token: SeRestorePrivilege | 3912 | vssvc.exe
Token: SeAuditPrivilege | 3912 | vssvc.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
encryptor.exe, cmd.exe
description | pid | process | target process
PID 4492 wrote to memory of 2036 | 4492 | encryptor.exe | cmd.exe
PID 4492 wrote to memory of 2036 | 4492 | encryptor.exe | cmd.exe
PID 2036 wrote to memory of 2032 | 2036 | cmd.exe | vssadmin.exe
PID 2036 wrote to memory of 2032 | 2036 | cmd.exe | vssadmin.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
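The three file, registry and drive signatures above (location check, drive enumeration, appended file extension) reduce to simple rules over endpoint telemetry. The following is an added example, not part of this report or of the sandbox's own signature engine: it replays constructed events that mirror the IoCs listed above (the Geo\Nation registry query, the 25 root-directory opens on every letter except C:, and the .crw to .crwxxyyzzr rename) and scores them per process. The event schema, the `reg_query`/`file_open`/`file_rename` type names, the `DRIVE_THRESHOLD` value and the benign explorer.exe noise records are assumptions, not a real sensor's format.

```python
"""Score a process against the file/registry/drive signatures this report
fired. Added example, not part of the sandbox report: the event records
are constructed to mirror the report's IoCs, and the field names, event
types and DRIVE_THRESHOLD are assumptions rather than a real sensor schema."""
import re
from collections import defaultdict

GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Z]):$", re.I)
DRIVE_THRESHOLD = 5   # assumed: few legitimate programs open this many roots

# Constructed events mirroring the report's IoCs for PID 4492, plus noise.
EVENTS = (
    [{"pid": 4492, "image": "encryptor.exe", "type": "reg_query",
      "path": r"\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000"
              r"\Control Panel\International\Geo\Nation"}]
    + [{"pid": 4492, "image": "encryptor.exe", "type": "file_open",
        "path": f"\\??\\{letter}:"} for letter in "JBQMTOFXWNHDURVSPLKIZYAGE"]
    + [{"pid": 4492, "image": "encryptor.exe", "type": "file_rename",
        "src": r"C:\Users\Admin\Pictures\ProtectRegister.crw",
        "dst": r"C:\Users\Admin\Pictures\ProtectRegister.crwxxyyzzr"},
       # constructed benign noise: a normal extension change and one drive open
       {"pid": 1234, "image": "explorer.exe", "type": "file_rename",
        "src": r"C:\Users\Admin\Documents\notes.txt",
        "dst": r"C:\Users\Admin\Documents\notes.md"},
       {"pid": 1234, "image": "explorer.exe", "type": "file_open",
        "path": r"\??\D:"}]
)


def appended_suffix(src, dst):
    """Suffix left when the new name keeps the whole old name, extension
    included, as a prefix: ProtectRegister.crw -> ProtectRegister.crwxxyyzzr
    yields 'xxyyzzr'; a plain .txt -> .md change yields None."""
    if len(dst) > len(src) and dst.lower().startswith(src.lower()):
        return dst[len(src):]
    return None


def evaluate(events):
    """Return {pid: {signature: detail}} for every pid that fires at least
    one of the three signatures."""
    geo = defaultdict(bool)
    drives = defaultdict(set)
    suffixes = defaultdict(list)
    images = {}
    for ev in events:
        pid = ev["pid"]
        images[pid] = ev["image"]
        if ev["type"] == "reg_query" and GEO_KEY.search(ev["path"]):
            geo[pid] = True
        elif ev["type"] == "file_open":
            m = DRIVE_ROOT.match(ev["path"])
            if m:
                drives[pid].add(m.group(1).upper())
        elif ev["type"] == "file_rename" and "\\users\\" in ev["src"].lower():
            suffix = appended_suffix(ev["src"], ev["dst"])
            if suffix:
                suffixes[pid].append(suffix)
    results = {}
    for pid in images:
        sigs = {}
        if geo[pid]:
            sigs["Checks computer location settings"] = True
        if len(drives[pid]) >= DRIVE_THRESHOLD:
            sigs["Enumerates connected drives"] = sorted(drives[pid])
        if suffixes[pid]:
            sigs["Modifies extensions of user files"] = suffixes[pid]
        if sigs:
            results[pid] = sigs
    return results


if __name__ == "__main__":
    for pid, sigs in evaluate(EVENTS).items():
        print(pid, sorted(sigs))
```

The appended-suffix check is deliberately looser than "extension changed": it keeps the original extension visible in the new name, which is what the report's `.crw` to `.crwxxyyzzr` rename shows, while a normal save-as that swaps `.txt` for `.md` does not fire.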
Processes
-
C:\Users\Admin\AppData\Local\Temp\encryptor.exe
  "C:\Users\Admin\AppData\Local\Temp\encryptor.exe"
  - Modifies extensions of user files
  - Checks computer location settings
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
-
C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
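The process tree above is the part most worth alerting on: a binary launched from a user's Temp directory spawns cmd.exe, which spawns vssadmin.exe with `delete shadows /all /quiet`. The following is an added example, not code from the report: it walks parent-PID lineage over constructed process-creation records that mirror the tree above and alerts on the process that actually runs the deletion rather than on the cmd.exe relaying it. The parent PIDs of encryptor.exe and vssvc.exe (explorer.exe and services.exe) and the benign `vssadmin.exe list shadows` record are assumptions; the `wmic shadowcopy delete` check covers an equivalent command that does not appear in this report.

```python
"""Walk process lineage to catch shadow-copy deletion requested through a
cmd.exe intermediary. Added example, not from the sandbox report; the
records below are constructed to mirror its process tree, and the parents
of encryptor.exe (explorer.exe) and vssvc.exe (services.exe) are assumed."""
import ntpath
import re

PROCS = [
    {"pid": 4000, "ppid": 600, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},                                   # assumed
    {"pid": 4492, "ppid": 4000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\encryptor.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\encryptor.exe"'},
    {"pid": 2036, "ppid": 4492, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet'},
    {"pid": 2032, "ppid": 2036, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 3912, "ppid": 800, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},                 # assumed ppid
    # constructed benign noise: an operator listing shadows from a console
    {"pid": 5100, "ppid": 4000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe"'},
    {"pid": 5101, "ppid": 5100, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
]

TOKEN = re.compile(r'"[^"]*"|\S+')


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"').lower() for t in TOKEN.findall(cmdline)]


def is_shadow_deletion(image, cmdline):
    """vssadmin delete shadows (this report) or the equivalent wmic
    shadowcopy delete, matched on the process that runs the command."""
    name = ntpath.basename(image).lower()
    toks = tokens(cmdline)
    if name == "vssadmin.exe":
        return "delete" in toks and "shadows" in toks
    if name == "wmic.exe":
        return "shadowcopy" in toks and "delete" in toks
    return False


def lineage(procs, pid):
    """Ancestors of pid, root first, stopping at unknown or cyclic PIDs."""
    by_pid = {p["pid"]: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect(procs):
    """One alert per shadow-deleting process, with its full lineage and the
    first ancestor running from a user-writable Temp directory, if any."""
    alerts = []
    for p in procs:
        if not is_shadow_deletion(p["image"], p["cmdline"]):
            continue
        chain = lineage(procs, p["pid"])
        from_temp = [q["image"] for q in chain
                     if "\\appdata\\local\\temp\\" in q["image"].lower()]
        alerts.append({
            "pid": p["pid"],
            "cmdline": p["cmdline"],
            "chain": [ntpath.basename(q["image"]) for q in chain],
            "temp_ancestor": from_temp[0] if from_temp else None,
        })
    return alerts


if __name__ == "__main__":
    for a in detect(PROCS):
        print(f"pid {a['pid']}: {' -> '.join(a['chain'])} | {a['cmdline']}")
```

Two caveats for triage. The vssvc.exe entry in the tree, with its SeBackupPrivilege and SeRestorePrivilege token adjustments, is the Volume Shadow Copy service doing its normal job once vssadmin asks it to delete, so the alert anchors on the requester's lineage and not on the service. And because the same "delete shadows" tokens appear in the cmd.exe command line, matching on the image that executes the command avoids raising two alerts for one action.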