f1bb5ce204bc9e9fd12c3cb8c376e36e9ab47528c7c1ca865b38b8bd02314fc9

General

Target

Crypter.exe
Size

141KB
MD5

26156564a104eae0cc9b06306a63ed9a
SHA1

a81e06b82d233c813b8803ce1c608b83cbbba8e6
SHA256

f1bb5ce204bc9e9fd12c3cb8c376e36e9ab47528c7c1ca865b38b8bd02314fc9
SHA512

f5d502ded9705a7dc53243d9dfae2095f95fbbc288a737f2d4259caa8a6ecbc6b256d786fae042d12af4931b79033540ef0aee98fc6a5ed99539fc7a122b7c98
SSDEEP

3072:4qHmFIAcneRB2ukEtRJ2XgqNjjCvvkfV7mF:JmsexkEt2hWCm

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Renames multiple (10303) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Modifies extensions of user files 16 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Crypter.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\BackupInitialize.png.resq100	Crypter.exe
File renamed	C:\Users\Admin\Pictures\ConvertToStop.tif => C:\Users\Admin\Pictures\ConvertToStop.tif.resq100	Crypter.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertToStop.tif.resq100	Crypter.exe
File renamed	C:\Users\Admin\Pictures\PushLock.png => C:\Users\Admin\Pictures\PushLock.png.resq100	Crypter.exe
File renamed	C:\Users\Admin\Pictures\MountSuspend.png => C:\Users\Admin\Pictures\MountSuspend.png.resq100	Crypter.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectMeasure.raw.resq100	Crypter.exe
File opened for modification	C:\Users\Admin\Pictures\WaitRedo.png.resq100	Crypter.exe
File renamed	C:\Users\Admin\Pictures\BackupInitialize.png => C:\Users\Admin\Pictures\BackupInitialize.png.resq100	Crypter.exe
File renamed	C:\Users\Admin\Pictures\ConfirmTest.tif => C:\Users\Admin\Pictures\ConfirmTest.tif.resq100	Crypter.exe
File opened for modification	C:\Users\Admin\Pictures\ConfirmTest.tif.resq100	Crypter.exe
File opened for modification	C:\Users\Admin\Pictures\MountSuspend.png.resq100	Crypter.exe
File opened for modification	C:\Users\Admin\Pictures\PushLock.png.resq100	Crypter.exe
File renamed	C:\Users\Admin\Pictures\StopPublish.png => C:\Users\Admin\Pictures\StopPublish.png.resq100	Crypter.exe
File renamed	C:\Users\Admin\Pictures\UnprotectMeasure.raw => C:\Users\Admin\Pictures\UnprotectMeasure.raw.resq100	Crypter.exe
File renamed	C:\Users\Admin\Pictures\WaitRedo.png => C:\Users\Admin\Pictures\WaitRedo.png.resq100	Crypter.exe
File opened for modification	C:\Users\Admin\Pictures\StopPublish.png.resq100	Crypter.exe

Executes dropped EXE 1 IoCs

Processes:

L11.tmp

pid process

924 L11.tmp
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

288 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
924	L11.tmp

pid	process
288	cmd.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Crypter.exe

description	ioc	process
File opened (read-only)	\??\H:	Crypter.exe
File opened (read-only)	\??\M:	Crypter.exe
File opened (read-only)	\??\P:	Crypter.exe
File opened (read-only)	\??\T:	Crypter.exe
File opened (read-only)	\??\V:	Crypter.exe
File opened (read-only)	\??\W:	Crypter.exe
File opened (read-only)	\??\A:	Crypter.exe
File opened (read-only)	\??\E:	Crypter.exe
File opened (read-only)	\??\L:	Crypter.exe
File opened (read-only)	\??\O:	Crypter.exe
File opened (read-only)	\??\Q:	Crypter.exe
File opened (read-only)	\??\S:	Crypter.exe
File opened (read-only)	\??\Y:	Crypter.exe
File opened (read-only)	\??\F:	Crypter.exe
File opened (read-only)	\??\G:	Crypter.exe
File opened (read-only)	\??\Z:	Crypter.exe
File opened (read-only)	\??\D:	Crypter.exe
File opened (read-only)	\??\B:	Crypter.exe
File opened (read-only)	\??\U:	Crypter.exe
File opened (read-only)	\??\K:	Crypter.exe
File opened (read-only)	\??\N:	Crypter.exe
File opened (read-only)	\??\R:	Crypter.exe
File opened (read-only)	\??\X:	Crypter.exe
File opened (read-only)	\??\I:	Crypter.exe
File opened (read-only)	\??\J:	Crypter.exe

Drops file in Program Files directory 64 IoCs

Processes:

Crypter.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEIRM.XML.resq100	Crypter.exe
File opened for modification	C:\Program Files\Java\jre7\lib\content-types.properties	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099196.GIF.resq100	Crypter.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml.resq100	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUTL.OLB.resq100	Crypter.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Waitcursor.gif	Crypter.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png.resq100	Crypter.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Port_Moresby	Crypter.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\HEADER.GIF.resq100	Crypter.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml	Crypter.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\wmpnssci.dll.mui.resq100	Crypter.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.resq100	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102002.WMF	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR23F.GIF	Crypter.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\resq_Recovery.txt	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0298653.WMF	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR25F.GIF.resq100	Crypter.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Miquelon	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg	Crypter.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\resq_Recovery.txt	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGREPFRM.DPV	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143743.GIF	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR9F.GIF.resq100	Crypter.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hong_Kong.resq100	Crypter.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Darwin	Crypter.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Mahe.resq100	Crypter.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Tarawa.resq100	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296288.WMF.resq100	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04269_.WMF.resq100	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105336.WMF.resq100	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00938_.WMF.resq100	Crypter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21321_.GIF	Crypter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT.resq100	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHSRN.DAT	Crypter.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\THMBNAIL.PNG	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02198_.GIF.resq100	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\LoanAmortization.xltx.resq100	Crypter.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\drag.png	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00268_.WMF.resq100	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCINFO.XML.resq100	Crypter.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar	Crypter.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar.resq100	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Status.accft.resq100	Crypter.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml	Crypter.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\settings.css.resq100	Crypter.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pago_Pago.resq100	Crypter.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\updater.jar.resq100	Crypter.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\resq_Recovery.txt	Crypter.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\0.png	Crypter.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar	Crypter.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_ja.jar	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml.resq100	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLAPPT.FAE	Crypter.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_down.png.resq100	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_ON.GIF	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00468_.WMF.resq100	Crypter.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoAcq.dll.mui.resq100	Crypter.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png.resq100	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152702.WMF	Crypter.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02051_.WMF	Crypter.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar	Crypter.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\setup_wm.exe.mui.resq100	Crypter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1064 schtasks.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1728 vssadmin.exe
828 vssadmin.exe
Opens file in notepad (likely ransom note) 3 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXE

pid process

204 NOTEPAD.EXE
852 NOTEPAD.EXE
1512 NOTEPAD.EXE

pid	process
1064	schtasks.exe

pid	process
1728	vssadmin.exe
828	vssadmin.exe

pid	process
204	NOTEPAD.EXE
852	NOTEPAD.EXE
1512	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

Crypter.exe

pid	process
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe
1768	Crypter.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Crypter.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1768	Crypter.exe
Token: SeRestorePrivilege	1768	Crypter.exe
Token: SeBackupPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeAuditPrivilege	1768	Crypter.exe
Token: SeSecurityPrivilege	1768	Crypter.exe
Token: SeIncBasePriorityPrivilege	1768	Crypter.exe
Token: SeBackupPrivilege	960	vssvc.exe
Token: SeRestorePrivilege	960	vssvc.exe
Token: SeAuditPrivilege	960	vssvc.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe
Token: SeTakeOwnershipPrivilege	1768	Crypter.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

292 7zG.exe

pid	process
292	7zG.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

Crypter.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1768 wrote to memory of 1716	1768	Crypter.exe	cmd.exe
PID 1768 wrote to memory of 1716	1768	Crypter.exe	cmd.exe
PID 1768 wrote to memory of 1716	1768	Crypter.exe	cmd.exe
PID 1768 wrote to memory of 1716	1768	Crypter.exe	cmd.exe
PID 1768 wrote to memory of 1252	1768	Crypter.exe	cmd.exe
PID 1768 wrote to memory of 1252	1768	Crypter.exe	cmd.exe
PID 1768 wrote to memory of 1252	1768	Crypter.exe	cmd.exe
PID 1768 wrote to memory of 1252	1768	Crypter.exe	cmd.exe
PID 1716 wrote to memory of 1064	1716	cmd.exe	schtasks.exe
PID 1716 wrote to memory of 1064	1716	cmd.exe	schtasks.exe
PID 1716 wrote to memory of 1064	1716	cmd.exe	schtasks.exe
PID 1716 wrote to memory of 1064	1716	cmd.exe	schtasks.exe
PID 1252 wrote to memory of 1728	1252	cmd.exe	vssadmin.exe
PID 1252 wrote to memory of 1728	1252	cmd.exe	vssadmin.exe
PID 1252 wrote to memory of 1728	1252	cmd.exe	vssadmin.exe
PID 1768 wrote to memory of 1948	1768	Crypter.exe	cmd.exe
PID 1768 wrote to memory of 1948	1768	Crypter.exe	cmd.exe
PID 1768 wrote to memory of 1948	1768	Crypter.exe	cmd.exe
PID 1768 wrote to memory of 1948	1768	Crypter.exe	cmd.exe
PID 1768 wrote to memory of 288	1768	Crypter.exe	cmd.exe
PID 1768 wrote to memory of 288	1768	Crypter.exe	cmd.exe
PID 1768 wrote to memory of 288	1768	Crypter.exe	cmd.exe
PID 1768 wrote to memory of 288	1768	Crypter.exe	cmd.exe
PID 1768 wrote to memory of 1288	1768	Crypter.exe	cmd.exe
PID 1768 wrote to memory of 1288	1768	Crypter.exe	cmd.exe
PID 1768 wrote to memory of 1288	1768	Crypter.exe	cmd.exe
PID 1768 wrote to memory of 1288	1768	Crypter.exe	cmd.exe
PID 1948 wrote to memory of 828	1948	cmd.exe	vssadmin.exe
PID 1948 wrote to memory of 828	1948	cmd.exe	vssadmin.exe
PID 1948 wrote to memory of 828	1948	cmd.exe	vssadmin.exe
PID 288 wrote to memory of 924	288	cmd.exe	L11.tmp
PID 288 wrote to memory of 924	288	cmd.exe	L11.tmp
PID 288 wrote to memory of 924	288	cmd.exe	L11.tmp
PID 288 wrote to memory of 924	288	cmd.exe	L11.tmp
PID 1288 wrote to memory of 1060	1288	cmd.exe	schtasks.exe
PID 1288 wrote to memory of 1060	1288	cmd.exe	schtasks.exe
PID 1288 wrote to memory of 1060	1288	cmd.exe	schtasks.exe
PID 1288 wrote to memory of 1060	1288	cmd.exe	schtasks.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Crypter.exe
"C:\Users\Admin\AppData\Local\Temp\Crypter.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\Crypter.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\Crypter.exe" /F
3⤵
- Creates scheduled task(s)
PID:1064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\L11.tmp"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:288

C:\Users\Admin\AppData\Local\Temp\L11.tmp
C:\Users\Admin\AppData\Local\Temp\L11.tmp
3⤵
- Executes dropped EXE
PID:924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
3⤵
PID:1060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\resq_Recovery.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:852

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\resq_Recovery.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1512

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\resq_Recovery.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:204

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap18302:282:7zEvent14191 -ad -saa -- "C:\Users\Admin\Documents\Documents"
1⤵
- Suspicious use of FindShellTrayWindow
PID:292

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x570
1⤵
PID:2040

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\L11.tmp
Filesize
5KB

MD5
ab65af4349e7c5b0872c8b808d036980

SHA1
414b2a2748b7ea6176c1d2453f89fdc8a2d349d0

SHA256
a6c41f368f42a7c57c307a48ce2440a60a744226b6414fadb6517a80a5d160a2

SHA512
2c61c56e8c299677bad4ce223e3187200c341aa4dd4503fac1217aa8e15687af03544a6d160bb2b1b131a56ea9df2967e00359aa622f12d1b82605c40cca6679

Download Submit
C:\Users\Admin\AppData\Local\Temp\L11.tmp
Filesize
5KB

MD5
ab65af4349e7c5b0872c8b808d036980

SHA1
414b2a2748b7ea6176c1d2453f89fdc8a2d349d0

SHA256
a6c41f368f42a7c57c307a48ce2440a60a744226b6414fadb6517a80a5d160a2

SHA512
2c61c56e8c299677bad4ce223e3187200c341aa4dd4503fac1217aa8e15687af03544a6d160bb2b1b131a56ea9df2967e00359aa622f12d1b82605c40cca6679

Download Submit
C:\Users\Admin\Desktop\resq_Recovery.txt
Filesize
690B

MD5
557f56a43cfbac7ddf83eeefb5aaeaa6

SHA1
0a9a5a5d46c60dd3d2acaae5e0a7c5bfd2677c4a

SHA256
3aa1bc73e902b58f6ab3dc7ff49e71e355eae50ae00448b554c8c509e99f4c78

SHA512
1c1c5cf1101195f19036ac7f2cd1addb3412ae53401801443becfa708bbe9ed3198093455a608947af5a211dc787913f06902c10e3c850d0272cac69df4993df

Download Submit
C:\Users\Admin\Documents\ResetRead.dotm.resq100
Filesize
821KB

MD5
eb01332a8b8c2fa528c0d2f8d35f5a85

SHA1
5bf0972a788b0312c2084452b081c022edb0290a

SHA256
4944a94c603a747582d2bce8fa0c88786b0eb30afeda46acfcd34c483ad06cf4

SHA512
7316544220f8a2269cba8cd1037b6a90cc6695680f8ce78faafb7c1c65380e82025544d33cea390c923cb725bfab0fd789221d193365db5a944f23803f584151

Download Submit
C:\Users\Admin\Documents\ResolveOut.xlsb.resq100
Filesize
403KB

MD5
3e10e0145b26950172d73096e853e95c

SHA1
796d15533fbdec1943088513d483484bdb2f3ee3

SHA256
701372039a93f9c2ee1bd1c47348e4d6961a48587d835cbebb0d50d3a566b3a2

SHA512
7dfa16e4687dfec304bf3da426f34cc375c047f474e309fd3163f40c60a370c7d70cd4fe0f7db445b7acc115d92ddb4f0ae53000df1f0ab9fe1d59f284ed74b7

Download Submit
C:\Users\Admin\Documents\resq_Recovery.txt
Filesize
690B

MD5
557f56a43cfbac7ddf83eeefb5aaeaa6

SHA1
0a9a5a5d46c60dd3d2acaae5e0a7c5bfd2677c4a

SHA256
3aa1bc73e902b58f6ab3dc7ff49e71e355eae50ae00448b554c8c509e99f4c78

SHA512
1c1c5cf1101195f19036ac7f2cd1addb3412ae53401801443becfa708bbe9ed3198093455a608947af5a211dc787913f06902c10e3c850d0272cac69df4993df

Download Submit
C:\Users\resq_Recovery.txt
Filesize
690B

MD5
557f56a43cfbac7ddf83eeefb5aaeaa6

SHA1
0a9a5a5d46c60dd3d2acaae5e0a7c5bfd2677c4a

SHA256
3aa1bc73e902b58f6ab3dc7ff49e71e355eae50ae00448b554c8c509e99f4c78

SHA512
1c1c5cf1101195f19036ac7f2cd1addb3412ae53401801443becfa708bbe9ed3198093455a608947af5a211dc787913f06902c10e3c850d0272cac69df4993df

Download Submit
\Users\Admin\AppData\Local\Temp\L11.tmp
Filesize
5KB

MD5
ab65af4349e7c5b0872c8b808d036980

SHA1
414b2a2748b7ea6176c1d2453f89fdc8a2d349d0

SHA256
a6c41f368f42a7c57c307a48ce2440a60a744226b6414fadb6517a80a5d160a2

SHA512
2c61c56e8c299677bad4ce223e3187200c341aa4dd4503fac1217aa8e15687af03544a6d160bb2b1b131a56ea9df2967e00359aa622f12d1b82605c40cca6679

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads