Overview

overview

10

Static

static

6

DUMP_00A10...iR.exe

windows7-x64

7

DgH5SjZFle...DI.exe

windows7-x64

10

Dumped_.exe

windows7-x64

7

EntrateSetup.exe

windows7-x64

9

ErrorFileRemover.exe

windows7-x64

10

ExtraTools.exe

windows7-x64

7

F45F47EDCE...54.exe

windows7-x64

10

decrypt_00...00.exe

windows7-x64

6

dffde400ad...3d.exe

windows7-x64

10

dircrypt.deobf.exe

windows7-x64

10

dma locker 4.0.exe

windows7-x64

9

downloader.js

windows7-x64

10

dump.mem.exe

windows7-x64

6

e0ff79cc94...ss.exe

windows7-x64

7

e37dc428ec...ad.vbs

windows7-x64

1

e5df2d114c...8a.exe

windows7-x64

10

e6c4ae4709...ss.exe

windows7-x64

7

e77df2ce34...2d.exe

windows7-x64

7

e8e07496df...d2.exe

windows7-x64

ea8292721a...1e.exe

windows7-x64

5

eaa857c95f...er.dll

windows7-x64

1

ed3a685ca6...91.exe

windows7-x64

9

edffa07d66...9d5.js

windows7-x64

10

encrypter.exe

windows7-x64

10

encryptor_...81.exe

windows7-x64

9

f002618c01...35.apk

windows7-x64

3

f213e54c85...ea.exe

windows7-x64

1

f2c8eee2cd...3f.exe

windows7-x64

10

f31bfe95e3...7_.exe

windows7-x64

9

f6a8d7a429...da.exe

windows7-x64

10

f915110765...da.exe

windows7-x64

7

fb8823e949...-0.dll

windows7-x64

1

Analysis

  • max time kernel
    248s
  • max time network
    199s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 03:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe

  • Size

    111KB

  • MD5

    2ce82b2c3e43a6090685bf7e3ec36d0f

  • SHA1

    112a99938d60abd821e345538b0b1446cd9113a5

  • SHA256

    d4410c277e4120169a546d613d06b6f1ca1c09ea94494baeb0af796bfaefeefa

  • SHA512

    9f0fc8a81da4977d683e4051169b5ca0f3fcd592a6946da8a4da962c2519c1fd0044baa0c950332334d9bb6e56a43aceb174bd18166cd183921d5d4213c01ece

  • SSDEEP

    1536:Nynce2jUA5AaPcHbh7g9WKBvwAYbwdlR3zkWOSgiC81rZ8R9YgAic2i:RrjxwHbhgNwAp/R7pgi7rWv

Score
9/10
defense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Drops file in Drivers directory 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe
    "C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe"
    1⤵
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /Quiet /All
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin Delete Shadows /Quiet /All
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:1428
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://kqd2eml2kjib53oe.onion.link/vict?cust=9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581&guid=38b42d9b-3e83-45f4-8789-a30be34574b0
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:276
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:276 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1728
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Direct Volume Access

1
T1006

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\Microsoft Shared\ink\readme_liesmich_encryptor_raas.txt
    Filesize

    821B

    MD5

    786097a7fe5f30ab1d97be6611bc3c51

    SHA1

    ad11fa2e2587117698154ce2a4c6417a65328273

    SHA256

    9dd3bf02727725ae223060a4c07f3f2b37218da49632f4c5318581bdd34ce7cc

    SHA512

    9e9a3856af1cb12e5e168a2ae72ec3029f0acad123e4174e8d9529be4e8bc02efea1d4d4349226e66372bfc3e3d0332f8a10e80647c9a2a2b21bf85ab2ee9e65

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    57951d1c2624e63d6ae65c17f144eb5f

    SHA1

    d33b8a0a595fec85e3d74ce390bbf1627337d02f

    SHA256

    0495407cee550969e37139a336c18944f65a070b767c6f706942099bc182ea53

    SHA512

    83f569700f68f2c426d1bb5989b498b5af149b86ffb0997e874be38568d6d0f44713cbdef837bd575d52f22b77045d77ed477ee3c8d6f5c6c74c110a1b8ff7ae

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e3ee9a44881709236011c251aacb7acd

    SHA1

    434522bddf3e7cab91232557ba6b8e09245a6f93

    SHA256

    ca0b119982bdd9692a7f89fd1bab5182214d868ec09aafdb18a80e61d56a2e2f

    SHA512

    97957bc8519abee218c701a13d13920a843d28ed44e489cb8c80a2ed6dc7424438f75a03fd5981b9009a2091f056fecc9b3678051cf0271557e06ac065bae9c4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    8b67962b77fa5b41211c9af4b42816f6

    SHA1

    c4676f8030137b525a3c6bb71501325f9189998e

    SHA256

    ef0c430e729316a9bd3b735b6c8cf4996e6e9e95b50d0b094ea4cae217e6514e

    SHA512

    7f6f9f4da675a10705f43340d8061415c471932f7ad452342124a9f4de697c29b2365d96d6598bcb74547c7048fac0f0d92fbb42f8971386bee6800fca81c37e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    49feb8a9df347979571fd2df1dda57bc

    SHA1

    9066d1d8d1be606b9d0079380c84433bb5893007

    SHA256

    33e784c90a2913addf28f5e4bbd058a89c8242b5e46139cd5d24b4ba0b89b4dd

    SHA512

    28fd8a22d42dcff76318d1af96bfa79dd905cb322c80cc7c44cf1926ab03a5af6bbea16165e7c164bbb6ff9df57f218e97b98bb52b06144bd2008a4434b18215

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    90eb5643ecb458679461f24649f25ba6

    SHA1

    87e978174f134c5dbbbe71bbdfb9251618260575

    SHA256

    5a84fc1fe8a9f65d458d5b0153377a01c5e6d60e041e9ce25eac95ce5f392c84

    SHA512

    c6ac27668741feab04f0ecd742a81e75ed6b09c9fd65d4ef7e86e4a61bec57e8fc60d008d3cc28327abdd7c08e3e2fddc65ab64c9d5cccfd02a625d18e8a39db

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    041fc68acfe275ae76738c3c3a3b43a4

    SHA1

    83b96aa81fa5e8b0fb345d91c378f066e9240a48

    SHA256

    894ccca2f401d71057de939d22b95d935a5cfd47ee73232c14b59c7a2382b9a4

    SHA512

    1bff69f0d92d90cf9d257d91250234eeff4e50c31825c1c90e072010a7a3714a1882c9d4c6f337dede463988c278773750a9e66cb6b5d29b86e205509254d4b6

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c6c7cd2cd21b199ab62c7a10dbf4a68e

    SHA1

    bb449a3dccf0f7bb63b6380a12d7109335976dce

    SHA256

    836143b192b30f58a5bb5c80c112475c99f17511e5e95179277eb8220fc22700

    SHA512

    dfc916d9093676fe56902502b41fb35e3756adf0de015a692d3dc0e0a4c978253bb0b6a2ab44a30d4ab6409cf3dae537cafd7c06bb97fade838522754b791599

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    0f3a96de27274fe26c2e80dfc787b1ba

    SHA1

    8b1d529c1db3d983b946b4adfb10fa87712af525

    SHA256

    4330f81cb5f0662f15cc5798a961c9b411a04ef7d09c1eec6af5bd1d6ce13c10

    SHA512

    727ec1916cd9b462e5e92d0bbc0e5e51fd4a08c6ff8bc7eb92d27106da69b8dc0d59f8312a34315d78e64f493abf57e9117b8de06e1d5d4f3d736ee9a2beabf8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    16e00c64f4e852767d1299ab63a7cad3

    SHA1

    8246652cef2609b4d5b986993f4c8d54097e029b

    SHA256

    37c47f5832c7d610fd66af224876b865cea93035e3d0d3ac3bb56ca16ea0ffdc

    SHA512

    0518e4385d3e5f2df34bb1f2e965f7ea2b08468d14a2ebc280e7e1e58fbe9894a6956a02d9fd6ccf8b2f4e3fec580656edff22384067408d48007d49c22df7a4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    9e8b0cc16d6c3f073918ddb9ca4392f0

    SHA1

    cef1f1f1cce1eb3feb815eae6404b8df958f3d62

    SHA256

    c023463301e1daddda31e571f323ffeb153893096e7e94853b9d20bc9505c34e

    SHA512

    99e1b02319a6021faf3bfd4a68f24bc9c127fa173486889d15631d9d8eaacb3f9336cfd82cc0e5ccc471e41b2e268be8a0be2b04696340d21d6be9a9c2aa2059

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    354e19427066467f3913418f5db6be97

    SHA1

    ac4231135c4e303a8ee548f32c3e6d4be1b0fbdf

    SHA256

    2ea971776fc0693cbee7baee491e01af011937c74c90f9ad96da4b1af990bddd

    SHA512

    8129c7c63b831222fa815b30a88c7c169ae7b8b7ccc101a3d2268dddbdeb6d3339b03433b67de82c4a542740fcfc842305095f98c305c95f70a64590c9663add

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    7329882799db87fcfc701f00138fbc00

    SHA1

    37924907366adf35f610c494dfd249700ee11c91

    SHA256

    0217a424d93340d85cd16a03dca7b2323948d27037e373e048b06a9f8daf88cb

    SHA512

    1df7130a848cdbd0fc49fe2f3c305094075458ad3ee8a83fc162c6870960f0e11fc465bf7d6fec206457038cea09da999f51d54dbc112eb79ffb77f82b751554

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    d75f8f699f537fc1a848456d8c658644

    SHA1

    316fbaa7d6a21336895577fcc2cb3e511fec7094

    SHA256

    f4bdf676ebb634cb028d9e27f95f6b100ca7e2df1657b1509c891e8358c270bc

    SHA512

    f582bdcc6c1433a98c4030e9d66fbe81e59857b3c58be401c10a54a3068bfd41753835b260fe86abb38fa2d2f5a1979b9cb05e3620e72655ac56227e8b5819f2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    8e5749b26ba391b0d7943cfde31701b7

    SHA1

    dda3c0230324da4555fdc389122f2514b39f4bc5

    SHA256

    95aff5aa6173050d3f07454d9b696a1d2a15b9a4ad826f184f473307b5dff943

    SHA512

    afabfb98716abde17c2ab83373da384a1810c6a152cf92f8854bbaba408a91a276a587ffd55fb172c0718e32d23fe3270966ea95edef2a5cded1270c5ba0d458

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    079dfad988c242e96f39445ccb407da8

    SHA1

    51b5fc4ccab999c8979f7bd7e4f904a21027fc09

    SHA256

    89a778af4c86f98e43b15b0ae7ff00371ee0d7b790b2d6bb676547e7dfbef415

    SHA512

    b3ff64218eb7d7b35eb057c76fd098df137895d3004a1745cf8dd42bfffd697103a2d5ecccd37b132a89ef0534311b87aa1259c5aeccc8dca906b977597d274e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    ed5969718c6d3fc3b7ff59b8f5eac897

    SHA1

    09d277bf4ea1486ed1b0ffbfe64e479845b1721d

    SHA256

    48a1f90d771a490febd877c9c13a0b2f22a3023d161ca653fe5e49064a7bc0b5

    SHA512

    a8b7a57efd2c35ab0c97bf5d18d366d79b1107a1117432f4c0a34d78f719e22b89c8885cc6b4bd6a8102e976eb6dac40fa4307ac9f7bc5ac8e220fba8f82166f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f5214c58c19c1cb3573a36a09a7ac612

    SHA1

    1cad93e92901a84967b0e4c44c72016d35c56eda

    SHA256

    6865ffffcebaff10c827bf1485fc074fbab4109dc70da1cdf938a8b328ffe4a1

    SHA512

    52db96ce212a96674e263e5ccd999a6cc83f99e6f8abe494905728477847f26d057dc89bf725d98e96a7793fcc46ed06321905c9c4f5ca5f36fdb9f2541109d5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    db8c976dae4af4ac51524a377002a6d4

    SHA1

    c069750cadb89ac437294410a338b22d4c57a795

    SHA256

    69e52bce4df8e03a8620fa51ffe716b666b58b069d87b063b8d2373760c8cef7

    SHA512

    f6547498b06c92d8856f2bea7f713643ed04b4044f86089455c2a2a840c5a368c22f969dad40a0905cfe444aff8e82b5c1ddb41d556b107f7804bc4d9daa1528

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    b2b301a515fdcce4fadd12d4772f659a

    SHA1

    23f05bcc3c429950c9c4cd0dfb747ce9c2882448

    SHA256

    1ccc8b00483aef2ca570150f7178d6e66c0a783c21e131857e286b0b2694e384

    SHA512

    a000d4dc2fb521fa66f086cc55b577027b66df175d31b5cada75e820a110f4ebdd20983f5c9eade0649eb52bf75504d2bbd0c26643a24852cf6dfc0ef07e6c42

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab8632.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar8711.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • memory/1520-3970-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1520-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1520-99-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1520-630-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1520-2706-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1520-3971-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1520-4576-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download