Overview

overview

10

Static

static

3

encrypter-...86.exe

windows7-x64

10

encrypter-...86.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/03/2025, 16:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    encrypter-windows-gui-x86.exe

  • Size

    1.1MB

  • MD5

    f1ade7769b7fdc2401798106ec7a9180

  • SHA1

    61bd89ed258c4ed8901c6f02e18743607b52247e

  • SHA256

    5bd8f9cbd108abc53fb1c44b8d10239a2a0a9dd20c698fd2fb5dc1938ae7ba96

  • SHA512

    6795df546a9212e75a969a8f3393da5bd572cf5d1ddeee085c367327b2f038e1822f0f992abbb5b8d59d397670465cb4023eba8f361744950ee2f3dbffc33ff0

  • SSDEEP

    24576:UPntpHzhp8e0j+nAZRN7UNFDAp8vj/iXcSDvKP/BEXYWXE:UrHzhp8nSRV6tDvKP/BEIWXE

Score
10/10
discoverypersistenceransomware

Malware Config

Extracted

Path

C:\ProgramData\README.TXT

Ransom Note
I'll try to be brief: 1. It is beneficial for us that your files are decrypted no less than you, we don't want to harm you, we just want to get a ransom for our work. 2. Its only takes for us at list 20 minutes after payment to completely decrypt you, to its original state, it's very simple for us! 3.If you contact decryption companies, you are automatically exposed to publicity,also, these companies do not care about your files at all, they only think about their own benefit! 4.They also contact the police. Again, only you suffer from this treatment! 5. We have developed a scheme for your secure decryption without any problems, unlike the above companies, who just as definitely come to us to decipher you and simply make a profit from you as intermediaries, preventing a quick resolution of this issue! 6. In case of refusal to pay, we transfer all your personal data such as (emails, link to panel, payment documents , certificates , personal information of you staff, SQL,ERP,financial information for other hacker groups) and they will come to you again for sure! We will also publicize this attack using social networks and other media, which will significantly affect your reputation! 7. If you contact us no more than 12 hours after the attack, the price is only 50% of the price afterwards! 8. Do not under any circumstances try to decrypt the files yourself; you will simply break them! YOU MUST UNDERSTAND THAT THIS IS BIG MARKET AND DATA RECOVERY NEED MONEY ONLY !!! 9.IF YOU CHOOSE TO USE DATA RECOVERY COMPANY ASK THEM FOR DECRYPT TEST FILE FOR YOU IF THEY CANT DO IT DO NOT BELIEVE THEM ! 10.Do not give data recovery companies acces to your network they make your data cant be decrypted by us - for make more money from you !!!!! DO NOT TELL THEM YOUR COMPANY NAME BEFORE THEY GIVE YOU TEST FILE !!!!!! Contacts : Download the (Session) messenger (https://getsession.org) You fined me "0585ae8a3c3a688c78cf2e2b2b7df760630377f29c0b36d999862861bdbf93380d" MAIL:[email protected]
Emails

MAIL:[email protected]

URLs

https://getsession.org

Signatures

  • Renames multiple (7137) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\encrypter-windows-gui-x86.exe
    "C:\Users\Admin\AppData\Local\Temp\encrypter-windows-gui-x86.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\ProgramData\{69C03192-FDBC-9B92-914B-5F2CBAAA094E}\cpsonftr.exe
      "C:\ProgramData\{69C03192-FDBC-9B92-914B-5F2CBAAA094E}\cpsonftr.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.TXT
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:3100
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2208

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\README.TXT
    Filesize

    2KB

    MD5

    43c1c3b2bb220b36d04f6df75d4c6867

    SHA1

    3102092c89ec70f871e6032d194c68f5882b8fba

    SHA256

    6974f151f2b897a96f6e3be89579e53561bba80ca1fb78028af48406c6302461

    SHA512

    97661d280be7647e814a36f7796de4069228f3128366fb5da9e4f591a096865398219abb057831f1c5dcfaa1f6be46dcaf69debe0030a37e8f1a8fdf998d046c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\default.tmp
    Filesize

    576B

    MD5

    8fbf776d7daaae0b8423729d829d37c7

    SHA1

    91d75567fd98769e549c227d568a8750bf177a28

    SHA256

    19c3c2863b16becc62b093fbb24c92fcb3064797de7c8ab88be83c0d88dd4a6b

    SHA512

    a280b84cf358cc544eced0329b3dc24847f53769a2a7459bc6ee7d971e657aa474bb967061f8cf3585c111fa3f092336dc60f9dd241006d88bbbc15d91cf8d19

    Download Submit

  • \ProgramData\{69C03192-FDBC-9B92-914B-5F2CBAAA094E}\cpsonftr.exe
    Filesize

    1.1MB

    MD5

    f1ade7769b7fdc2401798106ec7a9180

    SHA1

    61bd89ed258c4ed8901c6f02e18743607b52247e

    SHA256

    5bd8f9cbd108abc53fb1c44b8d10239a2a0a9dd20c698fd2fb5dc1938ae7ba96

    SHA512

    6795df546a9212e75a969a8f3393da5bd572cf5d1ddeee085c367327b2f038e1822f0f992abbb5b8d59d397670465cb4023eba8f361744950ee2f3dbffc33ff0

    Download Submit