Analysis

  • max time kernel: 882s
  • max time network: 884s
  • platform: windows7_x64
  • resource: win7-20230220-en
  • resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted: 30-05-2023 00:53

General

  • Target: A2-Cryptor.cmd
  • Size: 32KB
  • MD5: e031c713842d1db79d96101f8c0cf523
  • SHA1: f97ce721472dd931998b272eeeec4e31cfedbfa5
  • SHA256: 30c4ed4509726173dfbb176a35e6cbc70b97cc7cad46c615e8bf89ad653b9ce6
  • SHA512: a97a688c0663d2937377eb379da4e5cbdea9b28d09611a634b66cfb251091890722d160b44154fe073c4a5eb89b5dee27f06e17b0b3aea96b2bab8ef03d5360e
  • SSDEEP: 768:5yZE+8xnU25JWrmk2g9Ta1wCvKinXKCuY:5tU25J+a1hvhaCP

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives (3 TTPs, 3 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe (5 IoCs)
  • Modifies Control Panel (3 IoCs)
  • Suspicious use of WriteProcessMemory (39 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.cmd"
    1⤵
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\system32\certutil.exe
      certutil -decode "Image.bin" "18769_25985.jpeg"
      2⤵
      PID:976
    • C:\Windows\system32\timeout.exe
      timeout /t 2
      2⤵
      • Delays execution with timeout.exe
      PID:1684
    • C:\Windows\system32\timeout.exe
      timeout /t 2
      2⤵
      • Delays execution with timeout.exe
      PID:320
    • C:\Windows\system32\timeout.exe
      timeout /t 2
      2⤵
      • Delays execution with timeout.exe
      PID:1876
    • C:\Windows\system32\timeout.exe
      timeout /t 4
      2⤵
      • Delays execution with timeout.exe
      PID:1484
    • C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      2⤵
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\System32\RUNDLL32.EXE
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        3⤵
        PID:1724
    • C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      2⤵
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Windows\System32\RUNDLL32.EXE
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        3⤵
        PID:840
    • C:\Windows\system32\timeout.exe
      timeout /t 3
      2⤵
      • Delays execution with timeout.exe
      PID:1472
    • C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      2⤵
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious use of WriteProcessMemory
      PID:684
      • C:\Windows\System32\RUNDLL32.EXE
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        3⤵
        PID:396
    • C:\Windows\system32\mode.com
      MODE CON: COLS=100 LINES=25
      2⤵
      PID:1564

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0.vbs
    Filesize: 385B
    MD5: cd7ed110bcef703245c88c8436792832
    SHA1: 5780714df40dbda0a3372cb3ed968e18d852aa03
    SHA256: eaba70d2be7fc6376bbf81ff4eba4ebb1861e951f24ef35b15ce213718d9ee32
    SHA512: eeab9499c8e8802678433a7ad083718f7807b62475483ddefcc43be78f7332d0f2514795bb6dcc995a7dd6d417561be42011f2bed6ec3c110422865e0747b01a

  • C:\Users\Admin\AppData\Local\Temp\18769_25985.jpeg
    Filesize: 15KB
    MD5: 20aba01130e85571476712c784af05b0
    SHA1: 54c9002381bafbfa648dd3f5c77b1830efc1dc85
    SHA256: 72bdac2468fa4e19f8915817f380ceeb96ff94a64a3e29e64ac79b65bed2f6ac
    SHA512: c84a603b359d3e7097229161d22a69c574a582cbbd21c8343fa06986b5058125763196b8d4e2f7bf51400ffaba63e9c565e42c32759b973439f46e5a9f84b19f

  • C:\Users\Admin\AppData\Local\Temp\Image.bin
    Filesize: 21KB
    MD5: f6f72da7cd731682ff5442ba541457e2
    SHA1: 60bddfc609fad2f80c0688905e795e51003d9433
    SHA256: 00a5048d9f74271e4cd5c36cf1434c789a8c16206ff5fca1c785156e01693bc1
    SHA512: 2a09df3df3d89ec413f31f7a20254513db6323e7c7e5e041161f55dfefcc80d22870c512f71aad77e7e9ef775b635a707ddf60b0bb4ef458bff6e15f1e425e5d