Overview

overview

10

Static

static

b2a27c3b5c...e3.exe

windows7_x64

10

b2a27c3b5c...e3.exe

windows10_x64

10

Resubmissions

04-05-2020 15:13

200504-6r5nmgfcka 10

21-04-2020 05:49

200421-nvrsxxs6e6 9

Analysis

  • max time kernel
    84s
  • max time network
    56s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    04-05-2020 15:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe

  • Size

    12KB

  • MD5

    4a7378c7ef7a9b72aa2b38019aa6fcdc

  • SHA1

    7e19a75d8a91fa2e4e6e7519609eb8c300a8a030

  • SHA256

    b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3

  • SHA512

    8eb4cfcd03315f5984ee6909cd33b3086227e610d78d24dd32525a421a92b440fe012f2b5403dbc10be8db875fa5db83731786578395fef44dde8394ec219441

Score
10/10
ransomwareevasiongarrantydecryptpersistencespyware

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-910373003-3952921535-3480519689-1000\!read_me!.txt

Family

garrantydecrypt

Ransom Note
Do you want to return your files? Write to our email: azor2020@protonmail.ch azor@rape.lol Or contact us via jabber azor2020@jxmpp.jp Jabber (Pidgin) client installation instructions, you can find on youtube https://www.youtube.com/results?search_query=pidgin+jabber+install ICQ: @azor2020 !!!Any of your attempts to return files will result in complete loss of the database!!! tell your unique ID bRBOhcDKjvNnsUX4fhoXejTFlhkJDcvGiWyzB9mpzBr4lQotIY0P8jQT/y7S2o9SVFqe2+bFo/JyyvAjRHU2Lvjtgfs6sskfSP7+4GcHRLJmzA0ffVMQM4SeRfiO1YxFmG+EhxPOa9pdCEKkpNzvaTV0w7LGfzMyr/HKZIUEvP5PQEBqJbI0BkiJlun3z6WV1KeMAXmuVbW/yA+SP6kkr5HSaHe0CW19Vp+Kwg9yPVGY/4zoLY4KNa5kHahA/xbTUZSRpJ+PbqPRUiqPj7UJWOqnhyQawYrY5SMpOYAqtcgLkDAq1jBKqcvYnpGtQXwytWrw2E9zt+YOEPZx9cvKpNLu1yYCFsI0hUR546sT52a3T5wLRMqjRCA44r8OdWC48RGG+c0ugovhVNfRrpZTJTNSjrNAYahNYIvq7CGXquvSmwoVIz+rQ4y0Ygqh/QNziQC90bS2L3Xn7f+2XyfxjLarLQCXUNsHDrYMxmDene7CfNdwMGG5uvcgclqzXqKIwNNhxjJIub4dOeAxidXnBRfSO9mW/2gBOttlOMLODfHYDJb5SlrArP7AHs95yOmzIPGVm1Qje6EX+POlU9PaHHX5st91VRrXuuBWhk1QEddBU6uU0MsNMruhUnPM8GZPFfwMtcxT9rMiHoG2aIj8O9ea2Ah0wEOMmTB8b+ahQWzkHeqGljexCVGvdaSXZPnGtWxZTnvicomJX7u6ScwLEnxNoFDBMXCf3temhkgzrbDoBGBpWP/rZHv4q9cMUgFvYBLP/F8PObSc+GLvPHXIeYKFlbjy4xlyZcNOQxkLhSdGKG/ei/VW6mI8az38J75Geg5Uxhk6vnOBzYbvK0+Tbg7NbCDjPo1mfTT06nVnFq0aBNjVrdt1XVCb9RfVRu0FDXYX7pP7K7M6z10uH+moRKV1Dm422E+djGh/ybkU/hnZiWOgxQcsz38kzjmAu0bRYvFvOJ4cYrAqhryFe1QYiW2wPjYXeiNRR6RpAfBdomJQupsrVLiZK8T9PXFWD1wIB9SPLJ/j2NLloNvLl2ULFmepTu68qM7tKtGkEDqfiD4wFL5Z6/jvvZVWqrcKaCrBFjCQPj/o8xXlDODFtKDHM/BGwbJnU8YfEGBpf0xiAwLs2VWW3c2xYNeZ2UUY7OvV9Nr34moAynebcffvFUhd/kNJCurHDZFik2c8wSdfXHaqaytLO9SQxqXmnU9z4HKJ2Wxq7OUF3cOJRCOQsaMtd8wzKCBQrYnKB6mqWawMNXBlZVyHBwUre7vkSlU6lFWBKqLu2FSAbPa0QUEg41LEe5Wi9yQ7p3MTol+B0Pb+aHPCWZxDJ731GZGIE6LgHUEMi6lPsFBaBT4LF4ytaKqsZA==
Emails

azor2020@protonmail.ch

azor@rape.lol

azor2020@jxmpp.jp

Signatures

  • Suspicious use of WriteProcessMemory 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • GarrantyDecrypt

    Ransomware family first detected in late 2018.

    ransomwaregarrantydecrypt
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops desktop.ini file(s) 41 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies service 2 TTPs 10 IoCs
    persistence
  • Drops startup file 1 IoCs
  • Deletes itself 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Drops file in Program Files directory 12087 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe
    "C:\Users\Admin\AppData\Local\Temp\b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    • Drops desktop.ini file(s)
    • Drops startup file
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    PID:736
    • C:\Windows\system32\vssadmin.exe
      delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:824
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      2⤵
        PID:1768
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {current} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1132
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
        2⤵
          PID:1864
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {current} recoveryenabled no
            3⤵
            • Modifies boot configuration data using bcdedit
            PID:1916
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd.exe" /c netsh advfirewall set allprofiles state off
          2⤵
            PID:1872
            • C:\Windows\system32\netsh.exe
              netsh advfirewall set allprofiles state off
              3⤵
              • Modifies service
              PID:1932
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\b2a27c3b5c301b22260722383a889d491431e4909e4a0bf810840ba882cbbce3.exe" >> NUL
            2⤵
            • Suspicious use of WriteProcessMemory
            • Deletes itself
            PID:812
            • C:\Windows\SysWOW64\timeout.exe
              timeout 1
              3⤵
              • Delays execution with timeout.exe
              PID:1424
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          • Modifies service
          PID:1040

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Modify Existing Service

        2
        T1031

        Privilege Escalation

        Defense Evasion

        File Deletion

        2
        T1107

        Modify Registry

        2
        T1112

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Exfiltration

        Command and Control

        Impact

        Inhibit System Recovery

        3
        T1490

        Defacement

        1
        T1491

        Replay Monitor

        Loading Replay Monitor...

        Downloads