30c4ed4509726173dfbb176a35e6cbc70b97cc7cad46c615e8bf89ad653b9ce6

General

Target

A2-Cryptor.cmd
Size

32KB
MD5

e031c713842d1db79d96101f8c0cf523
SHA1

f97ce721472dd931998b272eeeec4e31cfedbfa5
SHA256

30c4ed4509726173dfbb176a35e6cbc70b97cc7cad46c615e8bf89ad653b9ce6
SHA512

a97a688c0663d2937377eb379da4e5cbdea9b28d09611a634b66cfb251091890722d160b44154fe073c4a5eb89b5dee27f06e17b0b3aea96b2bab8ef03d5360e
SSDEEP

768:5yZE+8xnU25JWrmk2g9Ta1wCvKinXKCuY:5tU25J+a1hvhaCP

Score

7^/10

ransomware

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	wscript.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	cmd.exe
File opened (read-only)	\??\B:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\18177_5476.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\18177_5476.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\18177_5476.jpeg"	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
3436	timeout.exe
688	timeout.exe
4500	timeout.exe
2600	timeout.exe
1452	timeout.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\Desktop	wscript.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2136	2036	cmd.exe	86
PID 2036 wrote to memory of 2136	2036	cmd.exe	86
PID 2036 wrote to memory of 3436	2036	cmd.exe	87
PID 2036 wrote to memory of 3436	2036	cmd.exe	87
PID 2036 wrote to memory of 688	2036	cmd.exe	88
PID 2036 wrote to memory of 688	2036	cmd.exe	88
PID 2036 wrote to memory of 4500	2036	cmd.exe	89
PID 2036 wrote to memory of 4500	2036	cmd.exe	89
PID 2036 wrote to memory of 2600	2036	cmd.exe	90
PID 2036 wrote to memory of 2600	2036	cmd.exe	90
PID 2036 wrote to memory of 4596	2036	cmd.exe	91
PID 2036 wrote to memory of 4596	2036	cmd.exe	91
PID 2036 wrote to memory of 916	2036	cmd.exe	93
PID 2036 wrote to memory of 916	2036	cmd.exe	93
PID 2036 wrote to memory of 1768	2036	cmd.exe	92
PID 2036 wrote to memory of 1768	2036	cmd.exe	92
PID 2036 wrote to memory of 1452	2036	cmd.exe	94
PID 2036 wrote to memory of 1452	2036	cmd.exe	94
PID 4596 wrote to memory of 1152	4596	wscript.exe	96
PID 4596 wrote to memory of 1152	4596	wscript.exe	96
PID 1768 wrote to memory of 4936	1768	wscript.exe	95
PID 1768 wrote to memory of 4936	1768	wscript.exe	95
PID 916 wrote to memory of 1480	916	wscript.exe	97
PID 916 wrote to memory of 1480	916	wscript.exe	97
PID 2036 wrote to memory of 3648	2036	cmd.exe	98
PID 2036 wrote to memory of 3648	2036	cmd.exe	98

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.cmd"
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\system32\certutil.exe
  certutil -decode "Image.bin" "18177_5476.jpeg"
  2⤵
  PID:2136
- C:\Windows\system32\timeout.exe
  timeout /t 2
  2⤵
  - Delays execution with timeout.exe
  PID:3436
- C:\Windows\system32\timeout.exe
  timeout /t 2
  2⤵
  - Delays execution with timeout.exe
  PID:688
- C:\Windows\system32\timeout.exe
  timeout /t 2
  2⤵
  - Delays execution with timeout.exe
  PID:4500
- C:\Windows\system32\timeout.exe
  timeout /t 4
  2⤵
  - Delays execution with timeout.exe
  PID:2600
- C:\Windows\system32\wscript.exe
  wscript "0.vbs"
  2⤵
  - Checks computer location settings
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  PID:4596
- - C:\Windows\System32\RUNDLL32.EXE
    "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
    3⤵
    PID:1152
- C:\Windows\system32\wscript.exe
  wscript "0.vbs"
  2⤵
  - Checks computer location settings
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\System32\RUNDLL32.EXE
    "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
    3⤵
    PID:4936
- C:\Windows\system32\wscript.exe
  wscript "0.vbs"
  2⤵
  - Checks computer location settings
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\System32\RUNDLL32.EXE
    "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
    3⤵
    PID:1480
- C:\Windows\system32\timeout.exe
  timeout /t 3
  2⤵
  - Delays execution with timeout.exe
  PID:1452
- C:\Windows\system32\mode.com
  MODE CON: COLS=100 LINES=25
  2⤵
  PID:3648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.vbs

Filesize
384B

MD5
b7a7938c66a80e1340076bd7a77dadc7

SHA1
f2933f77a511a16a4845fd1e491c0566e518d51d

SHA256
b5c95334085208b47c71a2a9d0fdadb7a74174e25a9ef2f3ef93620fa2e08946

SHA512
3e68154dc2fc2d31be228e2dd9180ba848b80ec6b873abe457e545d0808d988054892ca632bf293d3ccb0286ef7de3f40dc2c3931f77991417ec184fa5260f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Image.bin

Filesize
21KB

MD5
f6f72da7cd731682ff5442ba541457e2

SHA1
60bddfc609fad2f80c0688905e795e51003d9433

SHA256
00a5048d9f74271e4cd5c36cf1434c789a8c16206ff5fca1c785156e01693bc1

SHA512
2a09df3df3d89ec413f31f7a20254513db6323e7c7e5e041161f55dfefcc80d22870c512f71aad77e7e9ef775b635a707ddf60b0bb4ef458bff6e15f1e425e5d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads