Overview
Static (score 10)
Behavioral tasks (sample, platform, score):
- order.exe (windows7-x64): score 5
- UGH CRYSIS RANSOm.exe (windows7-x64): score 10
- crusususus...is.exe (windows7-x64): score 10
- crysisisis.exe (windows7-x64): score 6
- encrypt da ct.exe (windows7-x64): score 9
- i dunno i ...om.exe (windows7-x64): score 10
- i no crysi...it.exe (windows7-x64): score 10
- im gonna cry sis.exe (windows7-x64): score 10
- omg its fu...IS.exe (windows7-x64): score 10
- why crysis...as.exe (windows7-x64): score 10
Analysis (score 10)
- max time kernel: 85s
- max time network: 63s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 04-11-2024 18:55
Behavioral tasks
- behavioral1: order.exe (resource: win7-20240708-en)
- behavioral2: UGH CRYSIS RANSOm.exe (resource: win7-20240903-en)
- behavioral3: crususususussu crysis.exe (resource: win7-20240903-en)
- behavioral4: crysisisis.exe (resource: win7-20240708-en)
- behavioral5: encrypt da ct.exe (resource: win7-20240708-en)
- behavioral6: i dunno i think its crysis ransom.exe (resource: win7-20240903-en)
- behavioral7: i no crysis dis shit.exe (resource: win7-20240903-en)
- behavioral8: im gonna cry sis.exe (resource: win7-20240708-en)
- behavioral9: omg its fucking CRYSIS.exe (resource: win7-20240903-en)
- behavioral10: why crysis go raas.exe (resource: win7-20240729-en)
General
- Target: encrypt da ct.exe
- Size: 496KB
- MD5: d04bd9640cf05c1d8ec150b8ec3dea9d
- SHA1: 9f1d2b477e072b993144df959e46bff88885d161
- SHA256: 7b3e28d2f4946196b60ac5feb807984cc6ea82ef7ab535dbc291707c19e8eb69
- SHA512: 806ccb9ab75e0b0fd41bc6d1b9de3be1e58f75a8af3db1bffbb9c1137a40e49587c6fad8eb8c1dfae89aef5b23a90e2bbadfb02ff9600557e398d67407730542
- SSDEEP: 6144:wYiWcGsEld6itHpoNu6HwcDK1668T1wGTtE2hmDnVBjrvNtwNoI:wYSEj6itHp6JHwMc6/+2oDnXe1
Malware Config
Extracted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Dharma family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (316) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 5 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\encrypt da ct.exe | encrypt da ct.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | encrypt da ct.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | encrypt da ct.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\encrypt da ct.exe = "C:\\Windows\\System32\\encrypt da ct.exe" | encrypt da ct.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | encrypt da ct.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | encrypt da ct.exe
-
Drops desktop.ini file(s) 64 IoCs
description | ioc | Process
File opened for modification | C:\Users\Public\Desktop\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | encrypt da ct.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Public\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\IQBL5G2Z\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9C9T5AL\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | encrypt da ct.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | encrypt da ct.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | encrypt da ct.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Program Files\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YQ90JXIE\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROVWYKHE\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | encrypt da ct.exe
File opened for modification | C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | encrypt da ct.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | encrypt da ct.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | encrypt da ct.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\7CO3PKGI\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | encrypt da ct.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | encrypt da ct.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MYC3PENY\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | encrypt da ct.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | encrypt da ct.exe
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\D: | encrypt da ct.exe
File opened (read-only) | \??\F: | encrypt da ct.exe
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\encrypt da ct.exe | encrypt da ct.exe
File created | C:\Windows\System32\Info.hta | encrypt da ct.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2700 set thread context of 2624 | 2700 | encrypt da ct.exe | 30
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File created | C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18199_.WMF | encrypt da ct.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libty_plugin.dll.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\TAB_ON.GIF.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_zh_4.4.0.v20140623020002.jar.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301044.WMF | encrypt da ct.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_h.png | encrypt da ct.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.InfoPath.Client.Internal.CLRHost.dll | encrypt da ct.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Argentina\Jujuy.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLTS.DAT.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_OFF.GIF | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.GIF.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\sw.pak.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\THMBNAIL.PNG.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.concurrent_1.1.0.v20130327-1442.jar.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00439_.WMF | encrypt da ct.exe
File created | C:\Program Files\Java\jre7\bin\JAWTAccessBridge-64.dll.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02085_.GIF | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\clock.css | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1036\MSO.ACL | encrypt da ct.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Knox | encrypt da ct.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Kolkata.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | encrypt da ct.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar | encrypt da ct.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Manaus.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_livehttp_plugin.dll | encrypt da ct.exe
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18253_.WMF.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImage.jpg | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\weather.js | encrypt da ct.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libnoseek_plugin.dll.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_glass.png | encrypt da ct.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_bottom.png | encrypt da ct.exe
File opened for modification | C:\Program Files\Mozilla Firefox\msvcp140.dll.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03257_.WMF | encrypt da ct.exe
File opened for modification | C:\Program Files\Windows Mail\wabimp.dll | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\msadcfr.dll | encrypt da ct.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jdwp.dll.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107152.WMF.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File created | C:\Program Files\Java\jre7\lib\zi\America\Creston.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237228.WMF.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART4.BDR | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00136_.WMF.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0150861.WMF.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0252669.WMF.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00170_.WMF.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\settings.css | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00241_.WMF.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Thimphu.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WPEQU532.DLL.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg | encrypt da ct.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsvorepository_plugin.dll.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\HLS.api.id-677A96F2.[[email protected]].money | encrypt da ct.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\THROAT.WAV | encrypt da ct.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png | encrypt da ct.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00405_.WMF.id-677A96F2.[[email protected]].money | encrypt da ct.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | encrypt da ct.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | encrypt da ct.exe
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
1332 | vssadmin.exe
3600 | vssadmin.exe
-
Modifies Internet Explorer settings 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
-
Suspicious behavior: EnumeratesProcesses 53 IoCs
pid | Process
2624 | encrypt da ct.exe (this row is repeated 53 times)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeBackupPrivilege | 1588 | vssvc.exe
Token: SeRestorePrivilege | 1588 | vssvc.exe
Token: SeAuditPrivilege | 1588 | vssvc.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2700 | encrypt da ct.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2700 | encrypt da ct.exe
-
Suspicious use of WriteProcessMemory 33 IoCs
description | pid | Process | procid_target
PID 2700 wrote to memory of 2624 | 2700 | encrypt da ct.exe | 30 (5 times)
PID 2624 wrote to memory of 1872 | 2624 | encrypt da ct.exe | 31 (4 times)
PID 1872 wrote to memory of 1984 | 1872 | cmd.exe | 33 (3 times)
PID 1872 wrote to memory of 1332 | 1872 | cmd.exe | 34 (3 times)
PID 2624 wrote to memory of 2368 | 2624 | encrypt da ct.exe | 38 (4 times)
PID 2368 wrote to memory of 2604 | 2368 | cmd.exe | 40 (3 times)
PID 2368 wrote to memory of 3600 | 2368 | cmd.exe | 41 (3 times)
PID 2624 wrote to memory of 480 | 2624 | encrypt da ct.exe | 42 (4 times)
PID 2624 wrote to memory of 4048 | 2624 | encrypt da ct.exe | 43 (4 times)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (depth in brackets)
- [1] C:\Users\Admin\AppData\Local\Temp\encrypt da ct.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\encrypt da ct.exe"
  PID: 2700
  - Enumerates connected drives
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\encrypt da ct.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\encrypt da ct.exe"
    PID: 2624
    - Drops startup file
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      PID: 1872
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\mode.com
        Command line: mode con cp select=1251
        PID: 1984
      - [4] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        PID: 1332
        - Interacts with shadow copies
    - [3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      PID: 2368
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\mode.com
        Command line: mode con cp select=1251
        PID: 2604
      - [4] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        PID: 3600
        - Interacts with shadow copies
    - [3] C:\Windows\System32\mshta.exe
      Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      PID: 480
      - Modifies Internet Explorer settings
    - [3] C:\Windows\System32\mshta.exe
      Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      PID: 4048
      - Modifies Internet Explorer settings
- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1588
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15 (tactic, technique, count of matching signatures)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Direct Volume Access (1)
  - Indicator Removal (2)
    - File Deletion (2)
  - Modify Registry (2)
- Credential Access
  - Credentials from Password Stores (2)
    - Credentials from Web Browsers (1)
    - Windows Credential Manager (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.id-677A96F2.[[email protected]].money
  Filesize: 24.4MB
  MD5: 1d52cf6ba8c8f44a9f8c98200ebae3f4
  SHA1: 8b4a1d59cad8064f62f8f154b7270620f127eec7
  SHA256: f13accaa1b47a259fece41f13dd93d9ea8b4a133e0aa7194910f169279b28902
  SHA512: ba2d11961ed0bb79eca19e2ca2496fcedc576a35f2d1cb267000a31b0d0e9f4168d945bc012c1a205a63de7ecc0472218a0beacdc1be64ad136c6541106a496b
-
  Filesize: 13KB
  MD5: 3c5d9fa8751b527b6905492142ff1062
  SHA1: 51b5a9af10f63b39c43c92adbfe171d4c2549f1a
  SHA256: 32f0dca80cfd87872d84e88840918acc49051f14e030f42d746bf24c7431a4a6
  SHA512: 9cef0cf53f6e8a8a161fa2357bab6f677face3b6ec0bff9b476825efb6cbc4b53c87e6643b9a81fb8c37eec0134353ef6ae364c966ba1d6c01676c9a6d8f00f2