Overview
overview
10Static
static
10ransomware...3n.exe
windows7-x64
ransomware...3n.exe
windows10-2004-x64
ransomware...le.exe
windows7-x64
ransomware...le.exe
windows10-2004-x64
ransomware...it.exe
windows7-x64
10ransomware...it.exe
windows10-2004-x64
10ransomware...le.exe
windows10-2004-x64
10ransomware... 5.exe
windows7-x64
10ransomware... 5.exe
windows10-2004-x64
10ransomware...de.exe
windows7-x64
10ransomware...de.exe
windows10-2004-x64
10ransomware...ck.exe
windows7-x64
7ransomware...ck.exe
windows10-2004-x64
7ransomware...ye.exe
windows7-x64
6ransomware...ye.exe
windows10-2004-x64
6ransomware...ap.exe
windows7-x64
6ransomware...ap.exe
windows10-2004-x64
6ransomware...ya.exe
windows7-x64
1ransomware...ya.exe
windows10-2004-x64
3ransomware...om.exe
windows7-x64
10ransomware...om.exe
windows10-2004-x64
10ransomware...ab.exe
windows7-x64
10ransomware...ab.exe
windows10-2004-x64
10ransomware...ye.exe
windows7-x64
10ransomware...ye.exe
windows10-2004-x64
10ransomware...ni.exe
windows7-x64
10ransomware...ni.exe
windows10-2004-x64
10ransomware...pt.exe
windows7-x64
10ransomware...pt.exe
windows10-2004-x64
10ransomware...ya.exe
windows7-x64
7ransomware...ya.exe
windows10-2004-x64
7ransomware...en.exe
windows7-x64
8Analysis
-
max time kernel
118s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
15-03-2024 21:38
Static task
static1
Behavioral task
behavioral1
Sample
ransomwares/7ev3n/7ev3n.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
ransomwares/7ev3n/7ev3n.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
ransomwares/Annabelle/Annabelle.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral4
Sample
ransomwares/Annabelle/Annabelle.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
ransomwares/BadRabbit/BadRabbit.exe
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral6
Sample
ransomwares/BadRabbit/BadRabbit.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
ransomwares/Birele/Birele.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
ransomwares/Cerber 5/Cerber 5.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral9
Sample
ransomwares/Cerber 5/Cerber 5.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
ransomwares/Darkside/Darkside.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral11
Sample
ransomwares/Darkside/Darkside.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
ransomwares/DeriaLock/DeriaLock.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral13
Sample
ransomwares/DeriaLock/DeriaLock.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
ransomwares/Fake GoldenEye/FakeGoldenEye.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral15
Sample
ransomwares/Fake GoldenEye/FakeGoldenEye.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
ransomwares/Fake PetrWrap/FakePetrWrap.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral17
Sample
ransomwares/Fake PetrWrap/FakePetrWrap.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
ransomwares/FakePetya/FakePetya.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral19
Sample
ransomwares/FakePetya/FakePetya.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
ransomwares/Fantom/Fantom.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral21
Sample
ransomwares/Fantom/Fantom.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
ransomwares/GandCrab/GandCrab.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral23
Sample
ransomwares/GandCrab/GandCrab.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
ransomwares/GoldenEye/GoldenEye.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral25
Sample
ransomwares/GoldenEye/GoldenEye.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
ransomwares/Huzuni/Huzuni.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral27
Sample
ransomwares/Huzuni/Huzuni.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
ransomwares/InfinityCrypt/InfinityCrypt.exe
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral29
Sample
ransomwares/InfinityCrypt/InfinityCrypt.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
ransomwares/JanusPetya/JanusPetya.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral31
Sample
ransomwares/JanusPetya/JanusPetya.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
ransomwares/Krotten/Krotten.exe
Resource
win7-20240221-en
windows7-x64
General
-
Target
ransomwares/Krotten/Krotten.exe
-
Size
53KB
-
MD5
87ccd6f4ec0e6b706d65550f90b0e3c7
-
SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f
-
SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
-
SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990
-
SSDEEP
768:4yKoNLsn4Jp9ZvRInygrpMoZN+WtOl08jxBEHCDwBLpZTPCUvQK:j/sn4/OycxZN+MKxp8t9zQK
Malware Config
Signatures
-
Disables RegEdit via registry modification 2 IoCs
Processes:
Krotten.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Krotten.exe Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Krotten.exe -
Disables Task Manager via registry modification
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Krotten.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe" Krotten.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe" Krotten.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
Krotten.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER" Krotten.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü.  îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû." Krotten.exe -
Drops file in Windows directory 1 IoCs
Processes:
Krotten.exedescription ioc Process File opened for modification C:\WINDOWS\Web Krotten.exe -
Modifies Control Panel 6 IoCs
Processes:
Krotten.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\sTimeFormat = "ÕÓÉ" Krotten.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop Krotten.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperOriginX = "210" Krotten.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperOriginY = "187" Krotten.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\MenuShowDelay = "9999" Krotten.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International Krotten.exe -
Processes:
Krotten.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main Krotten.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" Krotten.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main Krotten.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" Krotten.exe -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
Processes:
Krotten.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://poetry.rotten.com/lightning/" Krotten.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" Krotten.exe -
Modifies registry class 1 IoCs
Processes:
Krotten.exedescription ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\REGFILE\SHELL\OPEN\COMMAND Krotten.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Krotten.exedescription pid Process Token: SeSystemtimePrivilege 1252 Krotten.exe Token: SeSystemtimePrivilege 1252 Krotten.exe Token: SeSystemtimePrivilege 1252 Krotten.exe -
System policy modification 1 TTPs 37 IoCs
Processes:
Krotten.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" Krotten.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1" Krotten.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" Krotten.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1" Krotten.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1" Krotten.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1" Krotten.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ransomwares\Krotten\Krotten.exe"C:\Users\Admin\AppData\Local\Temp\ransomwares\Krotten\Krotten.exe"1⤵
- Disables RegEdit via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1252