Overview

overview

10

Static

static

10

Tear.exe

windows7-x64

10

adochi.exe

windows7-x64

7

autoit.exe

windows7-x64

10

autoit2.exe

windows7-x64

10

autoit3.exe

windows7-x64

10

deviation.exe

windows7-x64

8

encoder.exe

windows7-x64

10

encoder2.exe

windows7-x64

9

encoder3.exe

windows7-x64

10

encoder4.exe

windows7-x64

5

encoder5.exe

windows7-x64

10

erebus.exe

windows7-x64

9

myxaha.exe

windows7-x64

7

$LOCALAPPD...er.exe

windows7-x64

7

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDIR/inetc.dll

windows7-x64

3

$PLUGINSDI...ll.dll

windows7-x64

7

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...om.dll

windows7-x64

5

trucry.exe

windows7-x64

10

wlock.exe

windows7-x64

3

wlock2.exe

windows7-x64

8

Analysis

  • max time kernel
    299s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 00:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    trucry.exe

  • Size

    527KB

  • MD5

    548bbee5bde54f123e7f3704a3a9116a

  • SHA1

    7236dc5821b1e9fcde0a227de57f928af5f7edb5

  • SHA256

    623fdfb190b9cd0a1d8729842efd1edf41aec13dda70e447a69b7f94921a0f88

  • SHA512

    bf113c90707d38fcbb6ecd0b33cbb564d0c15c37970e293ce2d1f7b8541fb823b3380e02a8c5c5064ee830ef35c9f228f9cd705e22f7651c5ad73b4b5ac3ecca

  • SSDEEP

    6144:l1n1kY7ejab1KDnn5mumMrkPtbFenNP3Fhwg9S1G:r13bKbmMrkyPVhTS1

Score
10/10
evasionpersistenceransomwaretrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Renames multiple (67) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\trucry.exe
    "C:\Users\Admin\AppData\Local\Temp\trucry.exe"
    1⤵
    • UAC bypass
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:1984

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1984-0-0x000007FEF641E000-0x000007FEF641F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1984-1-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1984-2-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1984-3-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1984-6-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1984-154-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1984-155-0x000007FEF641E000-0x000007FEF641F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1984-156-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1984-157-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1984-158-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1984-159-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1984-160-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1984-161-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1984-162-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

    Filesize

    9.6MB

    Download