Analysis
max time kernel: 200s
max time network: 175s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29/02/2024, 05:38
Static task: static1
Behavioral task: behavioral1
Sample: Trojan-Ransom.Win32.GenericCryptor.exe
Resource: win7-20240221-en
General
Target: Trojan-Ransom.Win32.GenericCryptor.exe
Size: 467KB
MD5: 4e573e2371d005c4b87d4f6d763531f2
SHA1: 2b07fb3ec245aa24b2799a9d225207fcd2a0d56f
SHA256: 308e2d9a98066c0789a73be20246262b10d29d5b0859421ede2274af17a57190
SHA512: 05e3f12a871bcfad6eead8ef8636c98914beef04ec48a3ffcd13b103dfe132efb9649cb32eddc9f931852cbba21d41a0148ca99be4a749c1f16cafd580c0f228
SSDEEP: 12288:olJ+TFukCI+P9CcrmwEuBwUqA5qFbAGTALHaspT:00U9CcrmwEPA5qFxT7CT
Malware Config
Extracted: urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures
- yara_rule match: aspack_v212_v242 (resource behavioral1/files/0x0004000000004ed7-33.dat)
- Deletes itself (1 IoC)
  pid 2492, process cmd.exe
- Executes dropped EXE (2 IoCs)
  pid 2892, process lyfod.exe
  pid 2096, process piotw.exe
- Loads dropped DLL (2 IoCs)
  pid 2444, process Trojan-Ransom.Win32.GenericCryptor.exe
  pid 2892, process lyfod.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (49 IoCs)
  pid 2096, process piotw.exe (all 49 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2444 wrote to memory of 2892 (pid 2444, process Trojan-Ransom.Win32.GenericCryptor.exe, procid_target 29), 4 entries
  PID 2444 wrote to memory of 2492 (pid 2444, process Trojan-Ransom.Win32.GenericCryptor.exe, procid_target 30), 4 entries
  PID 2892 wrote to memory of 2096 (pid 2892, process lyfod.exe, procid_target 32), 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.GenericCryptor.exe (PID 2444, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.GenericCryptor.exe"
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\lyfod.exe (PID 2892, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\lyfod.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\piotw.exe (PID 2096, depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\piotw.exe"
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 2492, depth 2)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 280B
  MD5: c1a0648fe9d4b93ec746a6e41f3f7ca8
  SHA1: 57e04f2693480be87a11398ca938f8183e62db7c
  SHA256: 3de16b3be327336ff28d2383af13c7c6f0ae7d3b75884c4dc7a4885f54110e0c
  SHA512: 3c4320927f9468c11ef7e3641db0af457a344492873d49262b57d1fd4cc47d1c08f02a959a4e2cb93a6e2f447899501f4fb35da53726ded737f22c906fb4878d
- Filesize: 512B
  MD5: c84c819b9a1e342f8fba9dd480a7a154
  SHA1: f5e355c1b74dd98eccce1493661b0f8ad8c0a7c7
  SHA256: aa97a1d943d5595194092e7f080891f3e9b27c784162f81b3a6de5ef9005dc8d
  SHA512: 810e245418ac4d25fa78a181c4d6e86f04125b2f91b5568685d5779e15d3d269361232b162a2353498062f9fa47b4be86c8971fceb67678cbaf1ccff1f4e7c53
- Filesize: 467KB
  MD5: 1b8156b4d4ed55ac8a15b511ad708bb6
  SHA1: e7aa4dc84ef417c156726351da8745b2ba8c670c
  SHA256: a46ec81202d475eb22614e8623a4f3282f01beace4db9a6d4f95d63719f80d37
  SHA512: 91d023f06890a9d0cc4d45ebf2184f88ce1eb2fc9215dda59660abf13739d90f203068c3f098e86c24163e1d8290a55121180ae42b58f99743151839f5792bc2
- Filesize: 242KB
  MD5: 890e693cdde54bbd1e26e5addc821ac0
  SHA1: 2a1711a13c2b24eb40446fe271c6c281d12e5b98
  SHA256: 31dbdaf305907bb1db8431d4f947e6e28c177f96149b63cdb6b6675da71da4d5
  SHA512: 85c3090b91442631291f99606089a19f1453fff7b412980215486ebb3fc4a47c4d5fa014fd428ff0067aae3bab20ceb6f9fe37a984c18c085f6baccba545fb49