crylock | 647f46899b472f8a3ce181bd07ab2219a56e965bf4e24a0b489edb2bc5c8aa8d

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab337d28b494a966f107fc428d71f78b.exe
Size

1.8MB
MD5

ab337d28b494a966f107fc428d71f78b
SHA1

5c77dc1f673fbfb9d45de2a63aa16616f80b7a12
SHA256

647f46899b472f8a3ce181bd07ab2219a56e965bf4e24a0b489edb2bc5c8aa8d
SHA512

98ea77a94465780030eb05189ff9061790e438732b2b1245559c5ea0ad1c91f5c1458cf14d50f05c6ef4e97f3e1ab0a6c73109980644cd7ea9ae9a1555eec71a
SSDEEP

6144:Hrn8am/jie/+9h4/cdIG4Uues+f5PfZlfTBoIbY5RUvNjC4LBtJrJyCjSJlIyfh+:Hr

Score

10^/10

crylock persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\how_to_decrypt.hta

Ransom Note

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <title>CryLock</title> <hta:application showInTaskBar="no" APPLICATION="yes" ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no" applicationname="CryLock" border="thick" contexmenu="no" scroll="no" selection="yes" singleinstance="yes" windowstate="normal" MAXIMIZEBUTTON="NO" BORDER="DIALOG" width="100" height="100" MINIMIZEBUTTON="NO"></hta:application> <script language="JavaScript"> var ud=0; var op=0xc7bf30; var zoc=0; function document.onkeydown() { var alt=window.event.altKey; if (event.keyCode==116 || event.keyCode==27 || alt && event.keyCode==115) { event.keyCode=0; event.cancelBubble=true; return false; } } function document.onblur() { alert('Attention! This important information for you!'); } function ChangeTime() { var sd = new Date('March 1 2024 06:16:24'); var dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('pwr'); dt.innerHTML='<font color="red" size="5"><b>Price is raised!</b></font>'; dt.style.height=78; zoc=1; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('dt'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } var sd = new Date('March 2 2024 06:16:24'); dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('lctw'); dt.innerHTML='<font color="red" size="5"><b>Last chance to decrypt your files!</b></font>'; zoc=2; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('et'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } } function getRandomArbitrary(min, max) { min = Math.ceil(min); max = Math.floor(max); return Math.floor(Math.random() * (max - min)) + min; } function Rndom() { document.getElementById("blumid").focus(); var bid=document.getElementById('blumid'); var bem=document.getElementById('blummail'); if (ud==0) { op=op-0x10; } else { op=op+0x10; } if (op<=0xc00000) { ud=1; } if (op>=0xc7bf30) { ud=0; } bid.style.backgroundColor=op; bem.style.backgroundColor=op; var xx=''; var i=0; while (i<19) { xx=xx+getRandomArbitrary(0,2); i=i+1; } if (zoc==0) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="white" size="5"><b>'+xx+'</b></font>'; } else { if (zoc==1) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="5"><b>Price is raised!</b></font>'; } else { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="4"><b>Price is raised!<br>Last chance to decrypt your files!</b></font>'; } } } function Start() { window.resizeTo(800,500) setInterval(ChangeTime,1000); setInterval(Rndom,100); } function copytext(s) { window.clipboardData.setData("Text",s); alert(s+' copied to clipboard'); } function Restart() { alert('Attention! This important information for you!'); } </script> <body style="background-color:#0066CC;" OnLoad="Start()"> <div id="pwr" align="center" style="position:absolute; top:10px; left:10px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Payment will be raised after</b></font> <br> <div id="dt"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div align="center" style="position:absolute; top:10px; left:170px; width:58%;"> <font face="monospace" color="white" size="4"><b>Your files have been encrypted...</b></font> </div> <div align="center" style="position:absolute; top:60px; left:170px; width:58%;"> <div id="rc"> <font face="monospace" color="white" size="5"><b>00000000000000000000</b></font> </div> </div> <div id="lctw" align="center" style="position:absolute; top:10px; left:620px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Your files will be lost after</b></font> <br> <div id="et"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div style="background-color:white;overflow-x:hide; overflow-y:scroll; position:absolute; top:100px; left:10px; width:768px; height:320px"> <b>What happened?</b><br> All your documents, databases, backups and other important files have been encrypted due to a security problem with your PC. The only way to recover files is to purchase a unique private decryption key. If you want to recover files, write to us by e-mail: <b>[email protected]</b> with the following details: <ul> <li>External IP</li> <li>You unique ID <font face="monospace" OnClick="copytext('[5FEF09AB-E822B099]')"><b>[5FEF09AB-E822B099] <font size="2">[copy]</font></b></font></li> </ul> The price depends on how fast you write to us, on timers you can see how many time do you have before price increasing. After payment we will send you the tool that will decrypt all your files. In case of no answer in 24 hours write us to this e-mail: <font face="monospace" OnClick="copytext('[email protected]')"><b>[email protected] <font size="2">[copy]</font></b></font><br> <br> <b>Any guarantees?</b><br> Before paying you can send us up to 3 files for free decryption. The total size of files must be less than <i><u>5Mb</u></i> (<i><u>non archived</u></i>), and files should not contain valuable information. (<u><i>databases, backups, large excel sheets, etc.</i></u>)<br> <br> <b><font color="red">Attention!</font></b><br> <ul> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. </li> <li>Use trusted email clients (gmail.com, protonmail.com, aol.com, etc.) for communication; sometimes your letters do not reach us from corporate letters. </li> <li>Communication with us lasts 2-4 weeks, then we block mail for communication </li> </ul> </div> <div title="Click to copy" OnClick="copytext('[5FEF09AB-E822B099]')" id="blumid" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:10px; width:380px; height:20px"> <b>Your ID [5FEF09AB-E822B099] <font size="2">[copy]</font></b> </div> <div title="Click to copy" OnClick="copytext('[email protected]')" id="blummail" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:400px; width:380px; height:20px"> <b>Write to [email protected] <font size="2">[copy]</font></b> </div> </body> </html>

Emails

<b>[email protected]</b>

OnClick="copytext('[email protected]')"><b>[email protected]

OnClick="copytext('[email protected]')"

[email protected]

Signatures

Crylock
Ransomware family, which is a new variant of Cryakl ransomware.
ransomware crylock
Renames multiple (619) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ab337d28b494a966f107fc428d71f78b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1660033 = "1660033"	ab337d28b494a966f107fc428d71f78b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\5FEF09AB-E822B099hta = "C:\\Users\\Admin\\AppData\\Local\\Temp\\how_to_decrypt.hta"	ab337d28b494a966f107fc428d71f78b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\5FEF09AB-E822B099 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ab337d28b494a966f107fc428d71f78b.exe"	ab337d28b494a966f107fc428d71f78b.exe

Drops desktop.ini file(s) 36 IoCs

Processes:

ab337d28b494a966f107fc428d71f78b.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\66RFTKYZ\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Public\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\M221U1AY\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NNULH633\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\KEQD8ZAD\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	ab337d28b494a966f107fc428d71f78b.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

ab337d28b494a966f107fc428d71f78b.exe

description ioc process

File opened (read-only) \??\F: ab337d28b494a966f107fc428d71f78b.exe

description	ioc	process
File opened (read-only)	\??\F:	ab337d28b494a966f107fc428d71f78b.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

ab337d28b494a966f107fc428d71f78b.exe

pid	process
2860	ab337d28b494a966f107fc428d71f78b.exe
2860	ab337d28b494a966f107fc428d71f78b.exe
2860	ab337d28b494a966f107fc428d71f78b.exe
2860	ab337d28b494a966f107fc428d71f78b.exe
2860	ab337d28b494a966f107fc428d71f78b.exe
2860	ab337d28b494a966f107fc428d71f78b.exe
2860	ab337d28b494a966f107fc428d71f78b.exe
2860	ab337d28b494a966f107fc428d71f78b.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ab337d28b494a966f107fc428d71f78b.exe

description pid process target process

PID 2860 set thread context of 2584 2860 ab337d28b494a966f107fc428d71f78b.exe ab337d28b494a966f107fc428d71f78b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

2812 timeout.exe
2792 timeout.exe
2156 timeout.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

ab337d28b494a966f107fc428d71f78b.exe

pid process

2860 ab337d28b494a966f107fc428d71f78b.exe
2860 ab337d28b494a966f107fc428d71f78b.exe
2860 ab337d28b494a966f107fc428d71f78b.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ab337d28b494a966f107fc428d71f78b.exe

description pid process

Token: SeDebugPrivilege 2860 ab337d28b494a966f107fc428d71f78b.exe

description	pid	process	target process
PID 2860 set thread context of 2584	2860	ab337d28b494a966f107fc428d71f78b.exe	ab337d28b494a966f107fc428d71f78b.exe

pid	process
2812	timeout.exe
2792	timeout.exe
2156	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

description	pid	process
Token: SeDebugPrivilege	2860	ab337d28b494a966f107fc428d71f78b.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

ab337d28b494a966f107fc428d71f78b.execmd.execmd.execmd.exeab337d28b494a966f107fc428d71f78b.exe

description	pid	process	target process
PID 2860 wrote to memory of 2716	2860	ab337d28b494a966f107fc428d71f78b.exe	cmd.exe
PID 2860 wrote to memory of 2716	2860	ab337d28b494a966f107fc428d71f78b.exe	cmd.exe
PID 2860 wrote to memory of 2716	2860	ab337d28b494a966f107fc428d71f78b.exe	cmd.exe
PID 2860 wrote to memory of 2716	2860	ab337d28b494a966f107fc428d71f78b.exe	cmd.exe
PID 2716 wrote to memory of 2792	2716	cmd.exe	timeout.exe
PID 2716 wrote to memory of 2792	2716	cmd.exe	timeout.exe
PID 2716 wrote to memory of 2792	2716	cmd.exe	timeout.exe
PID 2716 wrote to memory of 2792	2716	cmd.exe	timeout.exe
PID 2860 wrote to memory of 2612	2860	ab337d28b494a966f107fc428d71f78b.exe	cmd.exe
PID 2860 wrote to memory of 2612	2860	ab337d28b494a966f107fc428d71f78b.exe	cmd.exe
PID 2860 wrote to memory of 2612	2860	ab337d28b494a966f107fc428d71f78b.exe	cmd.exe
PID 2860 wrote to memory of 2612	2860	ab337d28b494a966f107fc428d71f78b.exe	cmd.exe
PID 2612 wrote to memory of 2156	2612	cmd.exe	timeout.exe
PID 2612 wrote to memory of 2156	2612	cmd.exe	timeout.exe
PID 2612 wrote to memory of 2156	2612	cmd.exe	timeout.exe
PID 2612 wrote to memory of 2156	2612	cmd.exe	timeout.exe
PID 2860 wrote to memory of 2672	2860	ab337d28b494a966f107fc428d71f78b.exe	cmd.exe
PID 2860 wrote to memory of 2672	2860	ab337d28b494a966f107fc428d71f78b.exe	cmd.exe
PID 2860 wrote to memory of 2672	2860	ab337d28b494a966f107fc428d71f78b.exe	cmd.exe
PID 2860 wrote to memory of 2672	2860	ab337d28b494a966f107fc428d71f78b.exe	cmd.exe
PID 2672 wrote to memory of 2812	2672	cmd.exe	timeout.exe
PID 2672 wrote to memory of 2812	2672	cmd.exe	timeout.exe
PID 2672 wrote to memory of 2812	2672	cmd.exe	timeout.exe
PID 2672 wrote to memory of 2812	2672	cmd.exe	timeout.exe
PID 2860 wrote to memory of 2584	2860	ab337d28b494a966f107fc428d71f78b.exe	ab337d28b494a966f107fc428d71f78b.exe
PID 2860 wrote to memory of 2584	2860	ab337d28b494a966f107fc428d71f78b.exe	ab337d28b494a966f107fc428d71f78b.exe
PID 2860 wrote to memory of 2584	2860	ab337d28b494a966f107fc428d71f78b.exe	ab337d28b494a966f107fc428d71f78b.exe
PID 2860 wrote to memory of 2584	2860	ab337d28b494a966f107fc428d71f78b.exe	ab337d28b494a966f107fc428d71f78b.exe
PID 2860 wrote to memory of 2584	2860	ab337d28b494a966f107fc428d71f78b.exe	ab337d28b494a966f107fc428d71f78b.exe
PID 2860 wrote to memory of 2584	2860	ab337d28b494a966f107fc428d71f78b.exe	ab337d28b494a966f107fc428d71f78b.exe
PID 2860 wrote to memory of 2584	2860	ab337d28b494a966f107fc428d71f78b.exe	ab337d28b494a966f107fc428d71f78b.exe
PID 2860 wrote to memory of 2584	2860	ab337d28b494a966f107fc428d71f78b.exe	ab337d28b494a966f107fc428d71f78b.exe
PID 2860 wrote to memory of 2584	2860	ab337d28b494a966f107fc428d71f78b.exe	ab337d28b494a966f107fc428d71f78b.exe
PID 2860 wrote to memory of 2584	2860	ab337d28b494a966f107fc428d71f78b.exe	ab337d28b494a966f107fc428d71f78b.exe
PID 2860 wrote to memory of 2584	2860	ab337d28b494a966f107fc428d71f78b.exe	ab337d28b494a966f107fc428d71f78b.exe
PID 2860 wrote to memory of 2584	2860	ab337d28b494a966f107fc428d71f78b.exe	ab337d28b494a966f107fc428d71f78b.exe
PID 2584 wrote to memory of 5104	2584	ab337d28b494a966f107fc428d71f78b.exe	mshta.exe
PID 2584 wrote to memory of 5104	2584	ab337d28b494a966f107fc428d71f78b.exe	mshta.exe
PID 2584 wrote to memory of 5104	2584	ab337d28b494a966f107fc428d71f78b.exe	mshta.exe
PID 2584 wrote to memory of 5104	2584	ab337d28b494a966f107fc428d71f78b.exe	mshta.exe

C:\Users\Admin\AppData\Local\Temp\ab337d28b494a966f107fc428d71f78b.exe
"C:\Users\Admin\AppData\Local\Temp\ab337d28b494a966f107fc428d71f78b.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2812
- C:\Users\Admin\AppData\Local\Temp\ab337d28b494a966f107fc428d71f78b.exe
  "C:\Users\Admin\AppData\Local\Temp\ab337d28b494a966f107fc428d71f78b.exe"
  2⤵
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\how_to_decrypt.hta"
    3⤵
    - Modifies Internet Explorer settings
    PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini

Filesize
711B

MD5
83d80be68c1ce5947abea954fd91721d

SHA1
c07e2cc99cc81bba3b9acf0a1725d185a1ebefb2

SHA256
45ef75426387c8a0eb65b36b13a845db0bdb056c94adce4d39d697d421b0f55c

SHA512
54951e51f628875ce2df3ddc853951d137bccfe2a59e6c10b7f2be87a68da16efa309dac5fc5ba62a98d189a6f5c5a5ee8a3941ffe5a63c910ea50193d7d2553

Download Submit
C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\how_to_decrypt.hta

Filesize
7KB

MD5
1d69bbf95e35ec8b879d8c827c40c6a2

SHA1
873736a3b7dc33717a4cf0efc69525eed442b5fc

SHA256
125a1f820c084f7e6bad0a0c4ba22004dfe95a62511cadf8c03d9aba5032cbee

SHA512
aab1cf1c89f6134dd65e1813ec2c8030871bbb27e91e460044834de9183416ad42db67219ea4cf5cf17ec3de8aa47e352d8318890f694c2c355e63e235ba4d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\C-1709100984.log

Filesize
365B

MD5
70204467e2d2387b268ac90a3bb7ccfe

SHA1
d776ac759d6ec21f13714389342f372be39a7948

SHA256
bfc4fd838a34276df40f32cc687dc4b5b74ccd264e207f3fcaa37addcd2dcad8

SHA512
ecf74d7ad81447bfe7c52e970e2471135719da7c52d885f5053fc9fd82c75f988bde6db5155219d2427d69e355e67caf3bc044cfb95a1dfa7635e344b762c3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\C-1709100984.log

Filesize
2KB

MD5
b684947c86929331c1fcc1267f8506b9

SHA1
0e0dece4adc60869425b594f07eb7fedaac4c515

SHA256
1433f7a07fe46a3adbd603616a52c3af70abceae5e7c024858bacaee79b72c4a

SHA512
c1353b28e06f5ff465756a78db8c056757352d32582a0258f58dabf2c07ee79a481133f6b8add8f6b09580d7adae47dee0064a1c83dac7211cc91c755149db07

Download Submit
C:\Users\Admin\AppData\Local\Temp\C-1709100984.log

Filesize
3KB

MD5
f65e47cae48511ba91890d5b879d2de2

SHA1
402be0452bd476b4e11cb33311c36d80cb51c9fb

SHA256
963fae92d96f9ce63bb17c7c709699b7bb574a7fa3dae4974c9a9fda9c8ce1eb

SHA512
a523afd74625f1a43c9311c579f55d48e36ffe79c3c98abc00123658731ffb3d94645617e0af53e2df49fe814c5607c89d86dedf5074b65b469cd481efd92979

Download Submit
memory/2584-12-0x0000000000400000-0x000000000137C000-memory.dmp

Filesize
15.5MB

Download
memory/2584-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2584-13-0x0000000000400000-0x000000000137C000-memory.dmp

Filesize
15.5MB

Download
memory/2584-16-0x0000000000400000-0x000000000137C000-memory.dmp

Filesize
15.5MB

Download
memory/2584-17-0x0000000000400000-0x000000000137C000-memory.dmp

Filesize
15.5MB

Download
memory/2584-19-0x0000000000400000-0x000000000137C000-memory.dmp

Filesize
15.5MB

Download
memory/2584-11-0x0000000000400000-0x000000000137C000-memory.dmp

Filesize
15.5MB

Download
memory/2584-23-0x0000000000400000-0x000000000137C000-memory.dmp

Filesize
15.5MB

Download
memory/2584-10-0x0000000000400000-0x000000000137C000-memory.dmp

Filesize
15.5MB

Download
memory/2584-8-0x0000000000400000-0x000000000137C000-memory.dmp

Filesize
15.5MB

Download
memory/2584-6-0x0000000000400000-0x000000000137C000-memory.dmp

Filesize
15.5MB

Download
memory/2584-899-0x0000000000400000-0x000000000137C000-memory.dmp

Filesize
15.5MB

Download
memory/2584-4-0x0000000000400000-0x000000000137C000-memory.dmp

Filesize
15.5MB

Download
memory/2860-41-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-49-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-22-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-25-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-27-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-26-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-28-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-29-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-30-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-32-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-31-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-34-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-33-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-36-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-35-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-38-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-37-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-39-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-21-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-40-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-43-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-44-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-42-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-46-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-45-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-48-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-47-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-24-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-51-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-50-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-53-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-52-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-54-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-55-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-56-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-57-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-59-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-58-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-61-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-60-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-63-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-62-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-65-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-64-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-67-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-66-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-68-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-70-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2860-20-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-18-0x00000000003F0000-0x00000000004F0000-memory.dmp

Filesize
1024KB

Download
memory/2860-3-0x00000000009A0000-0x00000000009E6000-memory.dmp

Filesize
280KB

Download
memory/2860-2-0x0000000004E30000-0x0000000004E70000-memory.dmp

Filesize
256KB

Download
memory/2860-1-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2860-0-0x00000000013C0000-0x0000000001590000-memory.dmp

Filesize
1.8MB

Download