Analysis
max time kernel: 149s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/02/2024, 05:38
Static task: static1
Behavioral task: behavioral1
Sample: Trojan-Ransom.Win32.GenericCryptor.exe
Resource: win7-20240221-en
General
Target: Trojan-Ransom.Win32.GenericCryptor.exe
Size: 467KB
MD5: 4e573e2371d005c4b87d4f6d763531f2
SHA1: 2b07fb3ec245aa24b2799a9d225207fcd2a0d56f
SHA256: 308e2d9a98066c0789a73be20246262b10d29d5b0859421ede2274af17a57190
SHA512: 05e3f12a871bcfad6eead8ef8636c98914beef04ec48a3ffcd13b103dfe132efb9649cb32eddc9f931852cbba21d41a0148ca99be4a749c1f16cafd580c0f228
SSDEEP: 12288:olJ+TFukCI+P9CcrmwEuBwUqA5qFbAGTALHaspT:00U9CcrmwEPA5qFxT7CT
Malware Config
Extracted: urelas
1.234.83.146
133.242.129.155
218.54.31.226
218.54.31.165
Signatures

resource | yara_rule
behavioral2/files/0x0008000000023225-31.dat | aspack_v212_v242
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | Trojan-Ransom.Win32.GenericCryptor.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | hekey.exe
Executes dropped EXE (2 IoCs)

pid | Process
3608 | hekey.exe
3724 | xemed.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)

pid | Process
3724 | xemed.exe (all 64 entries are this same PID and process)
Suspicious use of WriteProcessMemory (9 IoCs)

description | pid | Process | procid_target
PID 2668 wrote to memory of 3608 | 2668 | Trojan-Ransom.Win32.GenericCryptor.exe | 91
PID 2668 wrote to memory of 3608 | 2668 | Trojan-Ransom.Win32.GenericCryptor.exe | 91
PID 2668 wrote to memory of 3608 | 2668 | Trojan-Ransom.Win32.GenericCryptor.exe | 91
PID 2668 wrote to memory of 3732 | 2668 | Trojan-Ransom.Win32.GenericCryptor.exe | 92
PID 2668 wrote to memory of 3732 | 2668 | Trojan-Ransom.Win32.GenericCryptor.exe | 92
PID 2668 wrote to memory of 3732 | 2668 | Trojan-Ransom.Win32.GenericCryptor.exe | 92
PID 3608 wrote to memory of 3724 | 3608 | hekey.exe | 99
PID 3608 wrote to memory of 3724 | 3608 | hekey.exe | 99
PID 3608 wrote to memory of 3724 | 3608 | hekey.exe | 99
Processes

- C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.GenericCryptor.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.GenericCryptor.exe"
  PID: 2668
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\hekey.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hekey.exe"
    PID: 3608
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\xemed.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\xemed.exe"
      PID: 3724
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
    PID: 3732
Network
MITRE ATT&CK Enterprise v15
Downloads