Resubmissions

27-04-2024 15:05   240427-sgathadb21   7
26-04-2024 02:45   240426-c87dsahd43   9
26-04-2024 02:41   240426-c6vxzahd34   3
26-04-2024 02:37   240426-c4f12ahd28   3

General

  • Target

    encrypter_windows_x64.exe

  • Size

    649KB

  • Sample

    240426-c87dsahd43

  • MD5

    cf0d4fc268aff11360d2b7be7c2dfcf3

  • SHA1

    d168449bccb146830e41de28b16712dd6ffd10b3

  • SHA256

    caaa4c02c3903e76f7e85c84fe59ddbcbbd0bb51e87630c501b76e688a8a3480

  • SHA512

    72a58dd148835a6dfee496b70c71438bea9506e50021999e8f79dc1bfa6c68b1afab4cc2450ddb6fb997fe849d57e5c11722a309bda7dd32511325cee2b45555

  • SSDEEP

    12288:hVx8nywcAegpvFdgxaosQqehUeFhJE1JFKqhqV4zRLIxGkT:stcAegoHg1fKqhqV4J23

Targets

    • Target

      encrypter_windows_x64.exe

    • Size

      649KB

    • MD5

      cf0d4fc268aff11360d2b7be7c2dfcf3

    • SHA1

      d168449bccb146830e41de28b16712dd6ffd10b3

    • SHA256

      caaa4c02c3903e76f7e85c84fe59ddbcbbd0bb51e87630c501b76e688a8a3480

    • SHA512

      72a58dd148835a6dfee496b70c71438bea9506e50021999e8f79dc1bfa6c68b1afab4cc2450ddb6fb997fe849d57e5c11722a309bda7dd32511325cee2b45555

    • SSDEEP

      12288:hVx8nywcAegpvFdgxaosQqehUeFhJE1JFKqhqV4zRLIxGkT:stcAegoHg1fKqhqV4J23

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (322) files with added filename extension

      Consistent with ransomware encrypting files across the system and tagging each one with a new extension.

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check so the sample can avoid running in certain locales.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
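Detection logic for two of the behaviours listed above (the recovery-inhibition command lines behind "Deletes shadow copies", "Modifies boot configuration data using bcdedit" and "Deletes System State backups", and the burst of renames behind "Renames multiple files with added filename extension"), as an added example that is not part of this report and not the sample's own telemetry. The event lines are constructed to resemble Sysmon/4688-style process-creation and file-rename records; the command lines are generic ransomware idioms for vssadmin, wmic, bcdedit and wbadmin, the `.locked` suffix and the rename threshold are assumptions, and the rule names are the author's own.

```python
"""Hunt for the two ransomware behaviours the report flags: recovery
inhibition (ATT&CK T1490) via vssadmin/wmic/bcdedit/wbadmin command lines,
and a burst of renames that append one new extension to many files.

Added example, not part of the sandbox report. All event lines below are
constructed to resemble Sysmon/4688-style records and are not this sample's
telemetry; the command lines are generic ransomware idioms.
"""
import re
from collections import Counter

# Regexes are applied to the lower-cased command line. These are well-known
# recovery-inhibition idioms, not commands recorded for this sample.
T1490_RULES = {
    "vssadmin_delete_shadows":       r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b",
    "vssadmin_resize_shadowstorage": r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b",
    "wmic_shadowcopy_delete":        r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
    "bcdedit_disable_recovery":      r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+(no|off|false)\b",
    "bcdedit_ignore_boot_failures":  r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b",
    "wbadmin_delete_catalog":        r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b",
    "wbadmin_delete_systemstate":    r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bsystemstatebackup\b",
}
_T1490 = {name: re.compile(p) for name, p in T1490_RULES.items()}

PROC_RE = re.compile(r'ProcessId=(\d+)\s+Image="([^"]+)"\s+CommandLine="([^"]*)"')
RENAME_RE = re.compile(r'ProcessId=(\d+)\s+Rename\s+"([^"]+)"\s+->\s+"([^"]+)"')

# Constructed process-creation events (not from the sample's telemetry).
PROCESS_EVENTS = r"""
ProcessId=4812 Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin.exe delete shadows /all /quiet"
ProcessId=4820 Image="C:\Windows\System32\bcdedit.exe" CommandLine="bcdedit /set {default} recoveryenabled No"
ProcessId=4824 Image="C:\Windows\System32\bcdedit.exe" CommandLine="bcdedit /set {default} bootstatuspolicy ignoreallfailures"
ProcessId=4830 Image="C:\Windows\System32\wbadmin.exe" CommandLine="wbadmin delete systemstatebackup -keepversions:0 -quiet"
ProcessId=4836 Image="C:\Windows\System32\wbadmin.exe" CommandLine="wbadmin delete catalog -quiet"
ProcessId=5100 Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin list shadows"
ProcessId=5104 Image="C:\Windows\explorer.exe" CommandLine="C:\Windows\explorer.exe"
"""

# Constructed file-rename events; the ".locked" suffix is an assumption.
RENAME_EVENTS = r"""
ProcessId=4800 Rename "C:\Users\a\Documents\q1.xlsx" -> "C:\Users\a\Documents\q1.xlsx.locked"
ProcessId=4800 Rename "C:\Users\a\Documents\q2.xlsx" -> "C:\Users\a\Documents\q2.xlsx.locked"
ProcessId=4800 Rename "C:\Users\a\Pictures\cat.jpg" -> "C:\Users\a\Pictures\cat.jpg.locked"
ProcessId=4800 Rename "C:\Users\a\Pictures\dog.jpg" -> "C:\Users\a\Pictures\dog.jpg.locked"
ProcessId=4800 Rename "C:\Users\a\Desktop\notes.txt" -> "C:\Users\a\Desktop\notes.txt.locked"
ProcessId=4800 Rename "C:\Users\a\Desktop\todo.txt" -> "C:\Users\a\Desktop\todo.txt.locked"
ProcessId=5104 Rename "C:\Users\a\Desktop\report.docx" -> "C:\Users\a\Desktop\report_final.docx"
"""


def detect_t1490(process_events: str):
    """Return [(pid, [rule names])] for every event matching a T1490 rule, in log order."""
    hits = []
    for line in process_events.splitlines():
        m = PROC_RE.match(line.strip())
        if not m:
            continue  # not a process-creation record; skip rather than fail
        pid, cmd = int(m.group(1)), m.group(3).lower()
        matched = [name for name, rx in _T1490.items() if rx.search(cmd)]
        if matched:
            hits.append((pid, matched))
    return hits


def appended_extensions(rename_events: str, threshold: int = 5):
    """Group renames of the form old -> old + '.<ext>' by (pid, ext) and return
    the groups with at least `threshold` files: one process stamping the same
    new extension onto many files is the 'renames multiple files' signature."""
    counts = Counter()
    for line in rename_events.splitlines():
        m = RENAME_RE.match(line.strip())
        if not m:
            continue
        pid, old, new = int(m.group(1)), m.group(2), m.group(3)
        suffix = new[len(old):]
        # exactly one extra ".ext" appended, nothing else in the path changed
        if new.startswith(old) and suffix.startswith(".") and "." not in suffix[1:]:
            counts[(pid, suffix)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for pid, rules in detect_t1490(PROCESS_EVENTS):
        print(f"T1490 pid={pid}: {', '.join(rules)}")
    for (pid, ext), n in appended_extensions(RENAME_EVENTS).items():
        print(f"mass rename pid={pid}: {n} files given extension {ext}")
```

The command-line rules deliberately key on the verb and object ("delete ... shadows", "recoveryenabled no") rather than on the binary alone, so a benign `vssadmin list shadows` does not fire; the rename heuristic keys on one process applying one new suffix to many files, which is what separates encryption from ordinary document edits. Tune the threshold to the environment before deploying either check.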

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic             Technique                              ID          Count
Execution          Command and Scripting Interpreter      T1059       1
Defense Evasion    Indicator Removal                      T1070       3
Defense Evasion      File Deletion (sub-technique)        T1070.004   3
Credential Access  Unsecured Credentials                  T1552       1
Credential Access    Credentials In Files (sub-technique) T1552.001   1
Discovery          Query Registry                         T1012       2
Discovery          System Information Discovery           T1082       3
Discovery          Peripheral Device Discovery            T1120       1
Collection         Data from Local System                 T1005       1
Impact             Inhibit System Recovery                T1490       4
