Overview

overview

9

Static

static

3

Encryptor.exe

windows7-x64

1

Encryptor.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    40s
  • max time network
    42s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-10-2024 01:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Encryptor.exe

  • Size

    275KB

  • MD5

    04cd010315e0a958619211a633e5f9c0

  • SHA1

    dcf3f728e40c3f6d6879ea2b1b2f5d2930881a25

  • SHA256

    019a90f2cdb054f7302fb40b673d4883a569d43d982d4a710b4942787b8cec0b

  • SHA512

    716dd7288270fe01a4db89272c99ef1b08584518d74ecb3ff097ed8a25d41e167c5cae28c62a009682c566d7c5e711a09d6457e64e6d515243f6ce15a9cae9b2

  • SSDEEP

    6144:9csCKzugqUYynir0Z4IKlPqa4nEFlatBOALF:OKXqUYyir0Z4fr4EFJ4F

Score
9/10
credential_accessdiscoveryransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (1959) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Encryptor.exe
    "C:\Users\Admin\AppData\Local\Temp\Encryptor.exe"
    1⤵
      PID:3252
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2572
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README_guapo.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:3784

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Desktop\README_guapo.txt
      Filesize

      31B

      MD5

      8e43e8e6540d26aaf658d7220d4310f8

      SHA1

      bd960fb6c0f9b566682f3c8eea8b84fedc06c9d5

      SHA256

      b530c0174839d0c277bc128a05c817ece7888c3a667dbb78cae11b7b832978c4

      SHA512

      317eb0552391c633fca76b2c3820758a56279c1bb831b2be7cb66e3ec21b1b978178fe1663e0d470794466d9baa24103032aeeb93b4f9c03403c2f79c65c9694

      Download Submit

    • memory/2572-1962-0x0000028E7D2B0000-0x0000028E7D2B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2572-1963-0x0000028E7D2B0000-0x0000028E7D2B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2572-1964-0x0000028E7D2B0000-0x0000028E7D2B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2572-1969-0x0000028E7D2B0000-0x0000028E7D2B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2572-1974-0x0000028E7D2B0000-0x0000028E7D2B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2572-1973-0x0000028E7D2B0000-0x0000028E7D2B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2572-1972-0x0000028E7D2B0000-0x0000028E7D2B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2572-1971-0x0000028E7D2B0000-0x0000028E7D2B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2572-1970-0x0000028E7D2B0000-0x0000028E7D2B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2572-1968-0x0000028E7D2B0000-0x0000028E7D2B1000-memory.dmp

      Filesize

      4KB

      Download