
CryptoGuard detected ransomware in C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe

We got this alert a few days ago. Can somebody help me understand whether it is legitimate or not? Thank you in advance.

Endpoint Type: Computer
OS: Windows
Device: HoKahMunNB

Ransomware:

uid: 0bcd57bb-ee99-4a28-b0d0-ec76291e25f4
family_id: 8f45804d-11b2-7ed4-b890-fa4cc7ab7d1c
process_alias_path: $programfiles\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe
process_name: WhatsApp
process_version: 2.2237.5
thumbprint: d04aac7437df20f9077ef39e95bca83ae49c2bf5a6083a53abe59fb5e3f5a1e7
details: Mitigation CryptoGuard V5
Timestamp 2022-10-06T07:05:49

Platform 10.0.19044/x64 v37 06_8e
PID 20912
Enabled 005D2E3000000100
Silent 0000000000000100
Application C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe
Created 2022-10-05T02:29:21
Modified 2022-10-05T02:29:42
Description WhatsApp 2.2237.5

Filename C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe

Detection Generic.Ransom.C

1*C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\tmp\d2548b03397a64ce30520eea091627f27c76d9bd286f3ed9e1236a3090142983.tmp
Opened L0, Write T65536 H32768|^270 #1,8

2 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\tmp\d2548b03397a64ce30520eea091627f27c76d9bd286f3ed9e1236a3090142983.tmp
Created L0 #2

3 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\IMG-20221006-WA0642.jpg (C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\0lSLAzl6ZM4wUg7qCRYn8nx22b0obz7Z4SNqMJAUKYM=_plaintext_638006367489295560.jpg)
Opened, Deleted L65046 #3,8

4*C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\IMG-20221006-WA0642.jpg (C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\0lSLAzl6ZM4wUg7qCRYn8nx22b0obz7Z4SNqMJAUKYM=_plaintext_638006367489295560.jpg)
Opened L65046, Read T65536|100% H32768|^3097 #8,1

5 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\tmp\d2548b03397a64ce30520eea091627f27c76d9bd286f3ed9e1236a3090142983.tmp
Opened, Deleted L65066 #11,17

6 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\0lSLAzl6ZM4wUg7qCRYn8nx22b0obz7Z4SNqMJAUKYM=_plaintext_638006367489295560.jpg
Created L0, Write T65536 H32768|^3097 #16

7 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\tmp\d2548b03397a64ce30520eea091627f27c76d9bd286f3ed9e1236a3090142983.tmp
Opened L65066, Read T65536|100% H32768|^270 #17

8*C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\tmp\d2548b03397a64ce30520eea091627f27c76d9bd286f3ed9e1236a3090142983.tmp
Opened L0, Write T65536 H32768|^270 #18,68

9 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\tmp\d2548b03397a64ce30520eea091627f27c76d9bd286f3ed9e1236a3090142983.tmp
Created L0 #41

10 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\IMG-20221006-WA0641.jpg (C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\0lSLAzl6ZM4wUg7qCRYn8nx22b0obz7Z4SNqMJAUKYM=_plaintext_638006367480807192.jpg)
Opened, Deleted L65046 #67,68

11*C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\IMG-20221006-WA0641.jpg (C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\0lSLAzl6ZM4wUg7qCRYn8nx22b0obz7Z4SNqMJAUKYM=_plaintext_638006367480807192.jpg)
Opened L65046, Read T65536|100% H32768|^3097 #68,18

12 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\tmp\d2548b03397a64ce30520eea091627f27c76d9bd286f3ed9e1236a3090142983.tmp
Opened, Deleted L65066 #69,71

13 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\0lSLAzl6ZM4wUg7qCRYn8nx22b0obz7Z4SNqMJAUKYM=_plaintext_638006367480807192.jpg
Created L0, Write T65536 H32768|^3097 #70

14 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\tmp\d2548b03397a64ce30520eea091627f27c76d9bd286f3ed9e1236a3090142983.tmp
Opened L65066, Read T65536|100% H32768|^270 #71

15*C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\tmp\d2548b03397a64ce30520eea091627f27c76d9bd286f3ed9e1236a3090142983.tmp
Opened L0, Write T65536 H32768|^270 #72,75

16 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\tmp\d2548b03397a64ce30520eea091627f27c76d9bd286f3ed9e1236a3090142983.tmp
Created L0 #73

18*C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\IMG-20221006-WA0640.jpg (C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\0lSLAzl6ZM4wUg7qCRYn8nx22b0obz7Z4SNqMJAUKYM=_plaintext_638006367474487474.jpg)
Opened L65046, Read T65536|100% H32768|^3097 #75,72

22*C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\tmp\d2548b03397a64ce30520eea091627f27c76d9bd286f3ed9e1236a3090142983.tmp
Opened L0, Write T65536 H32768|^270 #79,133

25*C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\IMG-20221006-WA0639.jpg (C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\0lSLAzl6ZM4wUg7qCRYn8nx22b0obz7Z4SNqMJAUKYM=_plaintext_638006367465876046.jpg)
Opened L65046, Read T65536|100% H32768|^3097 #133,79

29*C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\tmp\d2548b03397a64ce30520eea091627f27c76d9bd286f3ed9e1236a3090142983.tmp
Opened L0, Write T65536 H32768|^270 #162,295

32*C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\IMG-20221006-WA0638.jpg (C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\0lSLAzl6ZM4wUg7qCRYn8nx22b0obz7Z4SNqMJAUKYM=_plaintext_638006367453495475.jpg)
Opened L65046, Read T65536|100% H32768|^3097 #295,162

Process Trace
1 C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
"C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe" -ServerName:App.AppXkf4yh0averk473g9chjmra34tgccdh3d.mca
2 C:\Windows\System32\svchost.exe [544]
C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
3 C:\Windows\System32\services.exe [920]
4 C:\Windows\System32\wininit.exe [848]
wininit.exe

Dropped Files
1 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\tmp\d2548b03397a64ce30520eea091627f27c76d9bd286f3ed9e1236a3090142983.tmp
Dropped by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
Read by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
2 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\0lSLAzl6ZM4wUg7qCRYn8nx22b0obz7Z4SNqMJAUKYM=_plaintext_638006366793774431.jpg
Dropped by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
Read by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
3 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\tmp\6c5b172e09fa0748a4cb780e53decfb646fd41650b959d5539b887848ebada6f.tmp
Dropped by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
Read by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
4 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\AC\INetCache\M3MU30NN\fileG8V8ZM5A.enc
Dropped by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
5 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\bFsXLgn6B0iky3gOU97Ptkb9QWULlZ1VObiHhI662m8=_plaintext_638006366816264967.jpg
Dropped by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
Read by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
6 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\0lSLAzl6ZM4wUg7qCRYn8nx22b0obz7Z4SNqMJAUKYM=_plaintext_638006366882829609.jpg
Dropped by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
Read by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
7 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\0lSLAzl6ZM4wUg7qCRYn8nx22b0obz7Z4SNqMJAUKYM=_plaintext_638006367111187688.jpg
Dropped by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
Read by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
8 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275a.whatsappdesktop_cv1g1gvanyjgm\AC\INetCache\BTHQ2GHQ\fileZ09MM6QV.enc
Dropped by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
9 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\bFsXLgn6B0iky3gOU97Ptkb9QWULlZ1VObiHhI662m8=_plaintext_638006367124953973.jpg
Dropped by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
Read by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
10 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\0lSLAzl6ZM4wUg7qCRYn8nx22b0obz7Z4SNqMJAUKYM=_plaintext_638006367453495475.jpg
Dropped by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
Read by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
11 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\0lSLAzl6ZM4wUg7qCRYn8nx22b0obz7Z4SNqMJAUKYM=_plaintext_638006367465876046.jpg
Dropped by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
Read by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
12 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\0lSLAzl6ZM4wUg7qCRYn8nx22b0obz7Z4SNqMJAUKYM=_plaintext_638006367474487474.jpg
Dropped by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
Read by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
13 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\0lSLAzl6ZM4wUg7qCRYn8nx22b0obz7Z4SNqMJAUKYM=_plaintext_638006367480807192.jpg
Dropped by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
Read by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
14 C:\Users\Ho Kah Mun\AppData\Local\Packages\5319275A.WhatsAppDesktop_cv1g1gvanyjgm\LocalState\shared\transfers\2022_39\0lSLAzl6ZM4wUg7qCRYn8nx22b0obz7Z4SNqMJAUKYM=_plaintext_638006367489295560.jpg
Dropped by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]
Read by C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe [20912]

Thumbprint
d04aac7437df20f9077ef39e95bca83ae49c2bf5a6083a53abe59fb5e3f5a1e7
Cryptoguard algorithm based thumbprint
5728a3966147fcb47b577ced6ad1d536dfb2d821a8eadc631598179f220900cc
process_path: C:\Program Files\WindowsApps\5319275A.WhatsAppDesktop_2.2237.5.0_x64__cv1g1gvanyjgm\WhatsApp.exe
type: CryptoGuard
process_pid: 20912
version: 3.8.4.37



This thread was automatically locked due to age.
  • Hi fariz@TA,

    Thanks for reaching out to the Sophos Community Forum. 

    I suggest finding out what occurred on the end user's device at the time of the detection. From the output you've shared above, it looks as though a file was being downloaded or shared.

    When files are interacted with by a third-party application, if the third-party app performs significant modifications to the headers or file structure, you may see this sort of detection raised. Although the actions performed may be for legitimate purposes, Intercept X will only look at the behaviour taking place at the time of detection.

    One such example is: copying files from a local device, encrypting the files or overwriting the file headers to be unreadable, then moving (data exfiltration) or overwriting (encryption by ransomware) the files in their existing locations.

    If you trust the application, it is possible to use the steps under Stop detecting ransomware, to allow the operation through. These exclusions are created based on the "Thumbprint" which is an alphanumeric code that corresponds to the specific actions that were observed. If the files interacted with were to change, the thumbprint will also change. 

    Kushal Lakhan
    Team Lead, Global Community Support
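The reply above describes the behaviour CryptoGuard keys on: a file is read in full, a new file is written, and the original is deleted. The following Python triage helper is an added example, not Sophos code or the original poster's: it parses a file-activity trace in the shape posted above (an entry header line followed by its operation line) and lists the files that were read and deleted while the process created or wrote other files. The sample trace is constructed with placeholder paths, and the trailing tokens (the L, T, H and # values) are not documented on the page, so they are left uninterpreted.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the trace posted above (placeholder paths).
SAMPLE_TRACE = r"""
1*C:\Users\u\Pkg\LocalState\tmp\abc.tmp
Opened L0, Write T65536 H32768|^270 #1,8
2 C:\Users\u\Pkg\LocalState\tmp\abc.tmp
Created L0 #2
3 C:\Users\u\Pkg\LocalState\shared\transfers\IMG-0001.jpg (C:\Users\u\Pkg\LocalState\shared\transfers\copy_plaintext_1.jpg)
Opened, Deleted L65046 #3,8
4*C:\Users\u\Pkg\LocalState\shared\transfers\IMG-0001.jpg (C:\Users\u\Pkg\LocalState\shared\transfers\copy_plaintext_1.jpg)
Opened L65046, Read T65536|100% H32768|^3097 #8,1
5 C:\Users\u\Pkg\LocalState\tmp\abc.tmp
Opened, Deleted L65066 #11,17
6 C:\Users\u\Pkg\LocalState\shared\transfers\copy_plaintext_1.jpg
Created L0, Write T65536 H32768|^3097 #16
"""

VERBS = ("Opened", "Created", "Read", "Write", "Deleted")
VERB_RE = re.compile(r"\b(" + "|".join(VERBS) + r")\b")
# Header line: sequence number, optional '*', the path, optional "(other path)".
HEAD_RE = re.compile(r"^(\d+)\*?\s*(.*?)(?:\s+\((.*)\))?$")

def parse_trace(text):
    """Return (seq, path, other_path, verbs) tuples in trace order.
    Trailing tokens such as 'L65046' or '#3,8' are not interpreted."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    for head, ops in zip(lines[0::2], lines[1::2]):
        m = HEAD_RE.match(head)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3),
                            VERB_RE.findall(ops)))
    return entries

def ops_by_path(entries):
    """Collect every operation verb seen per path, preserving trace order."""
    per_path = defaultdict(list)
    for _, path, _, verbs in entries:
        per_path[path].extend(verbs)
    return dict(per_path)

def find_replaced_files(entries):
    """Paths the process read and deleted while it created or wrote other
    files: the copy-then-remove pattern that resembles encryption."""
    per_path = ops_by_path(entries)
    written = {p for p, v in per_path.items() if {"Created", "Write"} & set(v)}
    return sorted(p for p, v in per_path.items()
                  if written and {"Read", "Deleted"} <= set(v) and p not in written)
```

On a real trace, each path returned is a candidate original that the process consumed and removed; compare it against the newly written files in the same directory before deciding whether to add the thumbprint exclusion.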