Analysis

  • max time kernel
    280s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    12-05-2020 11:19

General

  • Target

    E214.tmp.exe

  • Size

    818KB

  • MD5

    eb6c5d9f2aeed5e494370f4d28a0307b

  • SHA1

    bf3d7db88f44c7440e81dd96b83b70038e88e3f5

  • SHA256

    fafa82e7a61c1a516bb83c19d0e5ffce99eac17d34bb9280da34c515e1279653

  • SHA512

    eb332247ee9006e7b64da251c929a40d38a0cab40e0b47e60c71f4ee0c3f24b887916aebc160f0dc954cf3a8a428c4c264068886155f6376d70481682e59c49d

Malware Config

Extracted

Path

C:\_readme.txt

Ransom Note
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-PHmSJZS9ey Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: helpmanager@mail.ch Reserve e-mail address to contact us: restoremanager@firemail.cc Your personal ID: 0225yiuduy6S5dcnlKQ98kXDvxgsXzukMEM5f3xFKfqIWvhqUxfWVb
Emails

helpmanager@mail.ch

restoremanager@firemail.cc

URLs

https://we.tl/t-PHmSJZS9ey

Signatures

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Disables Task Manager via registry modification
  • Executes dropped EXE 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Checks for installed software on the system 1 TTPs 29 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Adds Run entry to start application 2 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 77 IoCs
  • Loads dropped DLL 16 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\E214.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\E214.tmp.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Adds Run entry to start application
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\80f457ce-6e3a-4a8f-b143-ac81ecafd120" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      2⤵
      • Modifies file permissions
      PID:1532
    • C:\Users\Admin\AppData\Local\Temp\E214.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\E214.tmp.exe" --Admin IsNotAutoStart IsNotTask
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • Loads dropped DLL
      PID:1796
      • C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe
        "C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        • Loads dropped DLL
        PID:1144
        • C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe
          "C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe" --Admin
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          • Loads dropped DLL
          PID:1640
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1624
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1856
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1824
          • C:\Program Files\Windows Defender\mpcmdrun.exe
            "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
            5⤵
              PID:1044
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
              5⤵
                PID:1768
          • C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin2.exe
            "C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin2.exe"
            3⤵
            • Drops file in Drivers directory
            • Executes dropped EXE
            PID:956
          • C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\5.exe
            "C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\5.exe"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Executes dropped EXE
            • Checks for installed software on the system
            • Loads dropped DLL
            • Checks processor information in registry
            PID:1952
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\5.exe & exit
              4⤵
                PID:1840
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /im 5.exe /f
                  5⤵
                  • Suspicious use of AdjustPrivilegeToken
                  • Kills process with taskkill
                  PID:1592
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {7EC98CF2-FA1A-4AF7-9E2B-F6A1BDDA3BCF} S-1-5-21-910373003-3952921535-3480519689-1000:DJRWGDLZ\Admin:Interactive:[1]
          1⤵
            PID:1596
            • C:\Users\Admin\AppData\Local\80f457ce-6e3a-4a8f-b143-ac81ecafd120\E214.tmp.exe
              C:\Users\Admin\AppData\Local\80f457ce-6e3a-4a8f-b143-ac81ecafd120\E214.tmp.exe --Task
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              • Executes dropped EXE
              PID:1748
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            1⤵
              PID:1552
            • C:\Windows\system32\AUDIODG.EXE
              C:\Windows\system32\AUDIODG.EXE 0x4f0
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1748
            • C:\Windows\system32\NOTEPAD.EXE
              "C:\Windows\system32\NOTEPAD.EXE" C:\_readme.txt
              1⤵
              • Suspicious use of FindShellTrayWindow
              • Opens file in notepad (likely ransom note)
              PID:1920

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Persistence

            Registry Run Keys / Startup Folder

            1
            T1060

            Defense Evasion

            File Permissions Modification

            1
            T1222

            Modify Registry

            1
            T1112

            Credential Access

            Credentials in Files

            2
            T1081

            Discovery

            Query Registry

            2
            T1012

            System Information Discovery

            1
            T1082

            Collection

            Data from Local System

            2
            T1005

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            • C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\5.exe
            • C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\5.exe
            • C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe
            • C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe
            • C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe
            • C:\Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin2.exe
            • C:\Users\Admin\AppData\Local\80f457ce-6e3a-4a8f-b143-ac81ecafd120\E214.tmp.exe
            • C:\Users\Admin\AppData\Local\80f457ce-6e3a-4a8f-b143-ac81ecafd120\E214.tmp.exe
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e331f9c7-6ec8-40f5-b318-7a4a05eb497d
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
            • C:\Users\Admin\AppData\Local\Temp\delself.bat
            • C:\Users\Admin\AppData\Local\script.ps1
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
            • C:\_readme.txt
            • \ProgramData\mozglue.dll
            • \ProgramData\msvcp140.dll
            • \ProgramData\nss3.dll
            • \ProgramData\vcruntime140.dll
            • \Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\5.exe
            • \Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\5.exe
            • \Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe
            • \Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe
            • \Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe
            • \Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe
            • \Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe
            • \Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe
            • \Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe
            • \Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe
            • \Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin1.exe
            • \Users\Admin\AppData\Local\72d0db9e-61a6-4da0-88d6-792011d3fe3b\updatewin2.exe
            • memory/956-25-0x000000000030F000-0x0000000000310000-memory.dmp
              Filesize

              4KB

            • memory/956-19-0x0000000001DB0000-0x0000000001DC1000-memory.dmp
              Filesize

              68KB

            • memory/1144-13-0x00000000005F0000-0x00000000005F1000-memory.dmp
              Filesize

              4KB

            • memory/1144-12-0x00000000020F0000-0x0000000002101000-memory.dmp
              Filesize

              68KB

            • memory/1520-1-0x0000000000CE0000-0x0000000000CF1000-memory.dmp
              Filesize

              68KB

            • memory/1520-0-0x00000000002D0000-0x0000000000361000-memory.dmp
              Filesize

              580KB

            • memory/1640-23-0x0000000001D40000-0x0000000001D51000-memory.dmp
              Filesize

              68KB

            • memory/1640-24-0x0000000000342000-0x0000000000343000-memory.dmp
              Filesize

              4KB

            • memory/1748-55-0x0000000000220000-0x00000000002B1000-memory.dmp
              Filesize

              580KB

            • memory/1748-56-0x0000000000E90000-0x0000000000EA1000-memory.dmp
              Filesize

              68KB

            • memory/1796-4-0x0000000000BE0000-0x0000000000BF1000-memory.dmp
              Filesize

              68KB

            • memory/1796-3-0x0000000000950000-0x00000000009E1000-memory.dmp
              Filesize

              580KB

            • memory/1796-58-0x0000000003DE0000-0x0000000003DF1000-memory.dmp
              Filesize

              68KB

            • memory/1796-59-0x00000000041F0000-0x0000000004201000-memory.dmp
              Filesize

              68KB

            • memory/1796-60-0x0000000003DE0000-0x0000000003DF1000-memory.dmp
              Filesize

              68KB

            • memory/1952-32-0x0000000000BD0000-0x0000000000BE1000-memory.dmp
              Filesize

              68KB

            • memory/1952-31-0x0000000000989000-0x000000000098A000-memory.dmp
              Filesize

              4KB