Overview
overview
10Static
static
10Tear.exe
windows7-x64
10adochi.exe
windows7-x64
7autoit.exe
windows7-x64
10autoit2.exe
windows7-x64
10autoit3.exe
windows7-x64
10deviation.exe
windows7-x64
8encoder.exe
windows7-x64
10encoder2.exe
windows7-x64
9encoder3.exe
windows7-x64
10encoder4.exe
windows7-x64
5encoder5.exe
windows7-x64
10erebus.exe
windows7-x64
9myxaha.exe
windows7-x64
7$LOCALAPPD...er.exe
windows7-x64
7$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDIR/inetc.dll
windows7-x64
3$PLUGINSDI...ll.dll
windows7-x64
7$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...om.dll
windows7-x64
5trucry.exe
windows7-x64
10wlock.exe
windows7-x64
3wlock2.exe
windows7-x64
8Analysis
-
max time kernel
299s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20-11-2024 00:15
Behavioral task
behavioral1
Sample
Tear.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
adochi.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
autoit.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
autoit2.exe
Resource
win7-20240903-en
Behavioral task
behavioral5
Sample
autoit3.exe
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
deviation.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
encoder.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
encoder2.exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
encoder3.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
encoder4.exe
Resource
win7-20241023-en
Behavioral task
behavioral11
Sample
encoder5.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
erebus.exe
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
myxaha.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
$LOCALAPPDATA/ConduitInstaller.exe
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
$PLUGINSDIR/LangDLL.dll
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
$PLUGINSDIR/inetc.dll
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
$PLUGINSDIR/md5dll.dll
Resource
win7-20241023-en
Behavioral task
behavioral19
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
$PLUGINSDIR/nsRandom.dll
Resource
win7-20241010-en
Behavioral task
behavioral21
Sample
trucry.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
wlock.exe
Resource
win7-20241010-en
Behavioral task
behavioral23
Sample
wlock2.exe
Resource
win7-20240903-en
General
-
Target
trucry.exe
-
Size
527KB
-
MD5
548bbee5bde54f123e7f3704a3a9116a
-
SHA1
7236dc5821b1e9fcde0a227de57f928af5f7edb5
-
SHA256
623fdfb190b9cd0a1d8729842efd1edf41aec13dda70e447a69b7f94921a0f88
-
SHA512
bf113c90707d38fcbb6ecd0b33cbb564d0c15c37970e293ce2d1f7b8541fb823b3380e02a8c5c5064ee830ef35c9f228f9cd705e22f7651c5ad73b4b5ac3ecca
-
SSDEEP
6144:l1n1kY7ejab1KDnn5mumMrkPtbFenNP3Fhwg9S1G:r13bKbmMrkyPVhTS1
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" trucry.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" trucry.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" trucry.exe -
Renames multiple (67) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\TrueCrypter = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\TrueCrypter\\TrueCrypter.exe" trucry.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA trucry.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" trucry.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification F:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini trucry.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\TrueCrypter\\background.jpg" trucry.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 trucry.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 trucry.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe 1984 trucry.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1984 trucry.exe -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" trucry.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" trucry.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" trucry.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\trucry.exe"C:\Users\Admin\AppData\Local\Temp\trucry.exe"1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1984
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1