CryptMix Ransomware
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 3,670 |
| Threat Level: | 80 % (High) |
| Infected Computers: | 2,935 |
| First Seen: | May 5, 2016 |
| Last Seen: | October 13, 2025 |
| OS(es) Affected: | Windows |
The CryptMix Ransomware is a ransomware Trojan with an unusual twist compared to other encryption ransomware Trojans: its ransom note claims that part of the money gathered from its attacks will be donated to a charity that benefits children. The CryptMix Ransomware is distributed by a group of con artists calling themselves the 'Charity Team.' The CryptMix Ransomware was first observed in the spring of 2016. PC security researchers strongly advise computer users not to pay the CryptMix Ransomware ransom. Apart from this supposed charitable purpose, the CryptMix Ransomware is no different from other ransomware Trojans, which are designed to take your money by holding your files hostage.
What Are the CryptMix Ransomware's Actions After Infecting a Computer?
The CryptMix Ransomware combines elements of several encryption ransomware families: it appears to be a mix of versions 3.0 and 4.0 of CryptoWall and the CryptXXX ransomware Trojan, and it is from these combined elements that the CryptMix Ransomware got its name. The CryptMix Ransomware is currently being spread through drive-by downloads. Essentially, the CryptMix Ransomware is hosted on corrupted websites that may include an exploit kit. These exploit kits use vulnerabilities on the victim's computer to deliver the CryptMix Ransomware automatically. Computer users may be directed to the websites associated with the CryptMix Ransomware through redirect scripts on compromised websites or links embedded in spam email messages. When a victim opens a link in a spam email message, the Web browser is sent immediately to the attack website, where vulnerabilities in the victim's computer are used to download and install the CryptMix Ransomware.
The CryptMix Ransomware Attack
When the CryptMix Ransomware enters the victim's computer, it starts encrypting the victim's files automatically. The CryptMix Ransomware targets 862 different file types and appends the extension '.CODE' to each file it encrypts. After encrypting the victim's files, the CryptMix Ransomware drops ransom notes on the victim's desktop in two formats: an HTML note in the style associated with CryptXXX and a text-file note resembling those used by CryptoWall variants. The ransom note is straightforward: it claims that the victim's files were encrypted with RSA-2048, it contains an identifier, and it asks the victim to email one or two email addresses to receive payment instructions and details on how to decrypt the files.
When computer users send an email to one of these addresses, they are provided with a link and password for One-Time Secret, a service that allows computer users to send each other anonymous messages. The ransom demanded by the CryptMix Ransomware is very costly: five Bitcoin, approximately $2,200 USD at the exchange rate at the time of writing. This is especially high considering that most ransomware Trojans demand somewhere between 0.5 and 1.5 Bitcoin. The CryptMix Ransomware claims that part of the ransom will be contributed to a charity that benefits children. However, the people responsible for the CryptMix Ransomware also use threats, claiming that if payment is not made right away, infected users will have to pay twice the amount after 24 hours. One ironic aspect of the CryptMix Ransomware is that the con artists behind it offer to 'sweeten the deal' with three years of technical support, an absurd offer considering who is making it.
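The '.CODE' extension is the most direct artifact to look for when triaging a host. The following Python script is added here as an example; it is not part of the original write-up and not the malware's code. It walks a directory tree, lists every file carrying the .CODE extension, recovers each file's original name by stripping the extension, and measures the Shannon entropy of each file's first 4 KiB to separate files whose content was actually encrypted from files that were merely renamed, which is worth knowing before deciding which backups to restore. The 7.0 bits/byte threshold and the sample directory the script builds are assumptions for the demonstration; the page does not give the ransom notes' filenames, so the script does not search for them.

```python
import math
import os
import tempfile
from pathlib import Path
from typing import Dict, List

ENCRYPTED_EXT = ".CODE"   # extension the CryptMix Ransomware appends (from the write-up)
SAMPLE_BYTES = 4096       # bytes read from the head of each file for the entropy check
HIGH_ENTROPY = 7.0        # bits/byte; assumed threshold above which data looks encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte: 0.0 for empty input, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def triage_tree(root: str) -> Dict[str, object]:
    """Walk `root` and assess every file that carries the .CODE extension.

    For each hit the original filename is recovered by stripping the extension,
    and the entropy of the first SAMPLE_BYTES decides whether the content was
    actually encrypted or the file was only renamed.
    """
    hits: List[Dict[str, object]] = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.upper() != ENCRYPTED_EXT:
            continue
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        entropy = shannon_entropy(head)
        hits.append({
            "path": str(path),
            "original_name": path.name[:-len(ENCRYPTED_EXT)],
            "size": path.stat().st_size,
            "entropy": round(entropy, 2),
            "looks_encrypted": entropy >= HIGH_ENTROPY,
        })
    return {
        "encrypted_files": len(hits),
        "likely_encrypted": sum(1 for h in hits if h["looks_encrypted"]),
        "affected_dirs": sorted({str(Path(h["path"]).parent) for h in hits}),
        "hits": hits,
    }


def build_demo_tree() -> str:
    """Constructed sample tree (not a real infection): two files filled with random
    bytes to stand in for encrypted content, one file that merely had the extension
    appended, and one untouched document."""
    root = tempfile.mkdtemp(prefix="cryptmix_demo_")
    docs = Path(root, "Users", "user", "Documents")
    docs.mkdir(parents=True)
    (docs / "report.docx.CODE").write_bytes(os.urandom(8192))
    (docs / "budget.xlsx.CODE").write_bytes(os.urandom(8192))
    (docs / "notes.txt.CODE").write_bytes(b"plain text that was only renamed\n" * 200)
    (docs / "readme.txt").write_bytes(b"untouched\n")
    return root


if __name__ == "__main__":
    summary = triage_tree(build_demo_tree())
    print(f"{summary['encrypted_files']} .CODE files, "
          f"{summary['likely_encrypted']} with high-entropy content")
    for hit in summary["hits"]:
        print(f"  {hit['original_name']:<14} entropy={hit['entropy']:.2f} "
              f"encrypted={hit['looks_encrypted']}")
```

Run it against a user profile or a mounted disk image instead of the demo tree by calling `triage_tree` with that path. Compressed formats such as .docx and .zip already have high entropy, so the entropy flag is a hint about whether content changed, not proof of encryption on its own.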
Decrypting files encrypted by the CryptMix Ransomware is currently not possible without the decryption key. For that reason, the best way to handle the CryptMix Ransomware is to remove it and then restore the encrypted files from a backup. Back up all files to an external device or the cloud to avoid these problems in the future.
Analysis Report
General information
| Family Name: | Trojan.Phorpiex.EA |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| 141b85ef177c295990d7f7f0a725dafb | ba3cfa400efdadbeac16407b73dec1d939bddf53 | | 80.38 KB, 80384 bytes |
| d1bbdee61dabe43d189b1618bd6d9d9e | 0d5da94068a47689e693246ed954bda1a1d7f035 | 4F1DDA9749E38A76FCF0C5A80BAF2F7166C0787C0EB9D86F50C689B1263E94D2 | 85.50 KB, 85504 bytes |
| 4c6b4d2db02f81616dc512392eefc927 | 663788b339fe6bd25d500080b1a174303042969f | A336B6622760CC6114C4E36B7B4BC645B573278FD6D570EF1D701F4351A5AC10 | 10.24 KB, 10240 bytes |
| 19e4ff6c2903ba92d901fb338636c2a3 | d11a3a944c551d1d148d02ec2e9f56c0af258de3 | 0D5170295798107B652D3A3218FFF759F47A51C35584119DE8CBBDCB0CE10E49 | 10.24 KB, 10240 bytes |
| 19a4a8b772bf80094a8910c956902756 | 54612fbf19b5afe1bbd8f2ebe334362b05fef094 | C5570FFEF7159920C30D9B255C5E9288C5EC1820261BE3E5F5222F38B91DF4F1 | 10.24 KB, 10240 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have resources
- File doesn't have security information
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Traits
- No Version Info
- ntdll
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 22 |
|---|---|
| Potentially Malicious Blocks: | 3 |
| Whitelisted Blocks: | 16 |
| Unknown Blocks: | 3 |
Visual Map
? - Unknown Block
x - Potentially Malicious Block
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Phorpiex.EAA
- Phorpiex.L
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.
| File | Attributes |
|---|---|
| | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| | Synchronize,Write Attributes |
| c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.0.regtrans-ms | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\temp\104277189.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\1244511931.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\144819867.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\221917830.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\2512714294.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\254904938.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\3121710357.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\323215511.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\429711102.exe | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\97954775.exe | Generic Write,Read Attributes |
| c:\windows\sysgredlvrs.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\windows\sysgredlvrs.exe | Synchronize,Write Attributes |
| c:\windows\sysparvadl.exe | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\windows\sysparvadl.exe | Synchronize,Write Attributes |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.
| Key::Value | Data | API Name |
|---|---|---|
| HKLM\software\wow6432node\microsoft\windows\currentversion\run::windows settings | C:\WINDOWS\sysparvadl.exe | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix | | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix | Cookie: | RegNtPreCreateKey |
| HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix | Visited: | RegNtPreCreateKey |
| HKLM\software\wow6432node\microsoft\windows\currentversion\run::windows settings | C:\WINDOWS\sysgredlvrs.exe | RegNtPreCreateKey |
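The file and registry activity listed above, together with the hashes in the Known Samples section, give a small set of host indicators: a Run value named 'windows settings' under the WOW6432Node Run key, two binaries dropped directly into C:\Windows, a series of numeric-named .exe files written to the user's %TEMP%, and five sample MD5s. The following Python script is an added example, not part of the original report, that matches a set of collected host artifacts (Run-key entries, file paths and MD5 values, constructed inline here as sample data) against those indicators. The two regular expressions that generalize beyond the exact paths on the page (any .exe placed directly in C:\Windows, any purely numeric .exe name in a user's %TEMP%) are assumptions, as is the benign OneDrive entry used as a negative case.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

# Indicators taken from the analysis report on this page.
KNOWN_MD5 = {
    "141b85ef177c295990d7f7f0a725dafb",
    "d1bbdee61dabe43d189b1618bd6d9d9e",
    "4c6b4d2db02f81616dc512392eefc927",
    "19e4ff6c2903ba92d901fb338636c2a3",
    "19a4a8b772bf80094a8910c956902756",
}
RUN_KEY = r"hklm\software\wow6432node\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "windows settings"
PERSIST_BINARIES = {r"c:\windows\sysparvadl.exe", r"c:\windows\sysgredlvrs.exe"}
# Generalisations (assumptions, not from the page): any .exe dropped straight into
# C:\Windows, and any purely numeric-named .exe written to a user's %TEMP%.
WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$")
TEMP_NUMERIC_EXE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\\d+\.exe$")

Finding = Tuple[str, str, str]   # (artifact type, artifact, reason)


def check_run_entries(entries: Iterable[Tuple[str, str, str]]) -> List[Finding]:
    """entries: (key, value name, data) triples, e.g. parsed from a registry export."""
    findings: List[Finding] = []
    for key, name, data in entries:
        key_l, name_l, data_l = key.lower(), name.lower(), data.lower().strip('"')
        if not key_l.endswith(r"\currentversion\run"):
            continue
        if key_l == RUN_KEY and name_l == RUN_VALUE_NAME:
            findings.append(("run_value", f"{key}::{name}", "value name used by this family"))
        elif data_l in PERSIST_BINARIES:
            findings.append(("run_value", f"{key}::{name}", "points at a known persistence binary"))
        elif WINDOWS_ROOT_EXE.match(data_l):
            findings.append(("run_value", f"{key}::{name}", "autostart of an .exe placed directly in C:\\Windows"))
    return findings


def check_file_paths(paths: Iterable[str]) -> List[Finding]:
    """paths: file paths observed on the host (file listing, EDR telemetry, etc.)."""
    findings: List[Finding] = []
    for path in paths:
        p = path.lower()
        if p in PERSIST_BINARIES:
            findings.append(("file", path, "known persistence binary path"))
        elif TEMP_NUMERIC_EXE.match(p):
            findings.append(("file", path, "numeric-named .exe dropped in %TEMP%"))
    return findings


def check_hashes(md5_by_path: Dict[str, str]) -> List[Finding]:
    """md5_by_path: path -> MD5 hex digest of the file as collected from the host."""
    return [("hash", path, "MD5 matches a known sample")
            for path, md5 in md5_by_path.items() if md5.lower() in KNOWN_MD5]


def md5_hex(data: bytes) -> str:
    """How the MD5 column of the Known Samples table is derived from a collected file."""
    return hashlib.md5(data).hexdigest()


def hunt(run_entries, file_paths, md5_by_path) -> List[Finding]:
    """Combine the three checks into one list of findings."""
    return check_run_entries(run_entries) + check_file_paths(file_paths) + check_hashes(md5_by_path)


# Constructed sample artifacts: one hit of each kind plus benign entries.
SAMPLE_RUN_ENTRIES = [
    (r"HKLM\software\wow6432node\microsoft\windows\currentversion\run", "windows settings",
     r"C:\WINDOWS\sysparvadl.exe"),
    (r"HKCU\software\microsoft\windows\currentversion\run", "OneDrive",
     r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),   # assumed benign
]
SAMPLE_FILES = [
    r"C:\Users\user\AppData\Local\Temp\104277189.exe",
    r"C:\Users\user\AppData\Local\Temp\setup_log.txt",
    r"C:\Windows\sysgredlvrs.exe",
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_MD5 = {
    r"C:\Windows\sysgredlvrs.exe": "D1BBDEE61DABE43D189B1618BD6D9D9E",
    r"C:\Windows\System32\notepad.exe": "00000000000000000000000000000000",   # placeholder, not a real hash
}

if __name__ == "__main__":
    for kind, artifact, reason in hunt(SAMPLE_RUN_ENTRIES, SAMPLE_FILES, SAMPLE_MD5):
        print(f"[{kind}] {artifact}: {reason}")
```

On a live host the three inputs come from a registry export of the Run keys, a file listing of C:\Windows and each user's %TEMP%, and `md5_hex` applied to the contents of any file flagged by the path checks; the hash check is the only one that ties a file to this specific family, while the path and Run-value checks also catch renamed rebuilds of the same dropper.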
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Process Manipulation Evasion | |
| Process Shell Execute | |
| Network Winsock2 | |
| Network Winsock | |
| Anti Debug | |
| Network Wininet | |
| Network Urlomon | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
- C:\WINDOWS\sysparvadl.exe
- C:\WINDOWS\sysgredlvrs.exe