Overview

overview

10

Static

static

3

encrypter-...86.exe

windows7-x64

10

encrypter-...86.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/03/2025, 16:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    encrypter-windows-gui-x86.exe

  • Size

    1.1MB

  • MD5

    f1ade7769b7fdc2401798106ec7a9180

  • SHA1

    61bd89ed258c4ed8901c6f02e18743607b52247e

  • SHA256

    5bd8f9cbd108abc53fb1c44b8d10239a2a0a9dd20c698fd2fb5dc1938ae7ba96

  • SHA512

    6795df546a9212e75a969a8f3393da5bd572cf5d1ddeee085c367327b2f038e1822f0f992abbb5b8d59d397670465cb4023eba8f361744950ee2f3dbffc33ff0

  • SSDEEP

    24576:UPntpHzhp8e0j+nAZRN7UNFDAp8vj/iXcSDvKP/BEXYWXE:UrHzhp8nSRV6tDvKP/BEIWXE

Score
10/10
discoverypersistenceransomware

Malware Config

Extracted

Path

C:\ProgramData\README.TXT

Ransom Note
I'll try to be brief: 1. It is beneficial for us that your files are decrypted no less than you, we don't want to harm you, we just want to get a ransom for our work. 2. Its only takes for us at list 20 minutes after payment to completely decrypt you, to its original state, it's very simple for us! 3.If you contact decryption companies, you are automatically exposed to publicity,also, these companies do not care about your files at all, they only think about their own benefit! 4.They also contact the police. Again, only you suffer from this treatment! 5. We have developed a scheme for your secure decryption without any problems, unlike the above companies, who just as definitely come to us to decipher you and simply make a profit from you as intermediaries, preventing a quick resolution of this issue! 6. In case of refusal to pay, we transfer all your personal data such as (emails, link to panel, payment documents , certificates , personal information of you staff, SQL,ERP,financial information for other hacker groups) and they will come to you again for sure! We will also publicize this attack using social networks and other media, which will significantly affect your reputation! 7. If you contact us no more than 12 hours after the attack, the price is only 50% of the price afterwards! 8. Do not under any circumstances try to decrypt the files yourself; you will simply break them! YOU MUST UNDERSTAND THAT THIS IS BIG MARKET AND DATA RECOVERY NEED MONEY ONLY !!! 9.IF YOU CHOOSE TO USE DATA RECOVERY COMPANY ASK THEM FOR DECRYPT TEST FILE FOR YOU IF THEY CANT DO IT DO NOT BELIEVE THEM ! 10.Do not give data recovery companies acces to your network they make your data cant be decrypted by us - for make more money from you !!!!! DO NOT TELL THEM YOUR COMPANY NAME BEFORE THEY GIVE YOU TEST FILE !!!!!! Contacts : Download the (Session) messenger (https://getsession.org) You fined me "0585ae8a3c3a688c78cf2e2b2b7df760630377f29c0b36d999862861bdbf93380d" MAIL:[email protected]
Emails

MAIL:[email protected]

URLs

https://getsession.org

Signatures

  • Renames multiple (5814) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\encrypter-windows-gui-x86.exe
    "C:\Users\Admin\AppData\Local\Temp\encrypter-windows-gui-x86.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4164
    • C:\ProgramData\{6530DB5D-3EB1-2EA0-914B-5F2CBAAA094E}\pcqtawwc.exe
      "C:\ProgramData\{6530DB5D-3EB1-2EA0-914B-5F2CBAAA094E}\pcqtawwc.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3664
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.TXT
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:4648
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2208
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.TXT
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:10508

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\README.TXT
    Filesize

    2KB

    MD5

    43c1c3b2bb220b36d04f6df75d4c6867

    SHA1

    3102092c89ec70f871e6032d194c68f5882b8fba

    SHA256

    6974f151f2b897a96f6e3be89579e53561bba80ca1fb78028af48406c6302461

    SHA512

    97661d280be7647e814a36f7796de4069228f3128366fb5da9e4f591a096865398219abb057831f1c5dcfaa1f6be46dcaf69debe0030a37e8f1a8fdf998d046c

    Download Submit

  • C:\ProgramData\{6530DB5D-3EB1-2EA0-914B-5F2CBAAA094E}\pcqtawwc.exe
    Filesize

    1.1MB

    MD5

    f1ade7769b7fdc2401798106ec7a9180

    SHA1

    61bd89ed258c4ed8901c6f02e18743607b52247e

    SHA256

    5bd8f9cbd108abc53fb1c44b8d10239a2a0a9dd20c698fd2fb5dc1938ae7ba96

    SHA512

    6795df546a9212e75a969a8f3393da5bd572cf5d1ddeee085c367327b2f038e1822f0f992abbb5b8d59d397670465cb4023eba8f361744950ee2f3dbffc33ff0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\default.tmp
    Filesize

    576B

    MD5

    8a01a03d22f81b8e5f03304e0ab97bb7

    SHA1

    76ae90b98760d27617c10fe12b8af1445197269e

    SHA256

    c9fd7f8cbd855858daceee5e888094d88a6f6532afd403d6f96d01fce12db7c6

    SHA512

    98d5ce029dc471ebeac3793d74cbc9772a0d85908947b8cd79276a9c41bc062af3735b40ed686145b41f93ac7798bec0099bda6667f5df42cfcea89caa22630c

    Download Submit