5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2

General

Target

5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
Size

324KB
MD5

142a9f0015e581fc7b88db66eec5bf77
SHA1

c9dae1b23c711ef916a55616bf0bd558c51ce97c
SHA256

5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2
SHA512

9cc7d6f6fc0c67a9bd48511094ae1fd16eb04a8876be62c4ab2c319a4b4a6108feb7528a1830e6182bafa3b53b6edb6322fef42827fb25001fd1629ba7c9521a

Score

10^/10

ransomware persistence spyware

Malware Config

Extracted

Path

C:\2D7313-DECRYPT.txt

Ransom Note

---= SHADOW CRYPTOR =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .2D7313 The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. You only have 7 days of payment time, after which the password will be automatically destroyed by the system. You can contact us by the following ways: ---------------------------------------------------------------------------------------- EMAIL:[email protected] REPEAT:[email protected] ---------------------------------------------------------------------------------------- ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN ENCRYPT KEY--- uy/f7j0ziu3yOrclC7HlhFjZVX7DRkBuKqNJlGkzqIIJ1lo47nbejiWx6GO2/h5qTqNkKvld6IXgwrIUf7+Avvod071rZ7Nbu7b06eVHMiHf4yTJZWmU8O8dClJ6HFP0iAveGaaekksN7eFS/HuEnLxkmPftUQGV1zsWfxxb+tARJle5PM4vh3nzROTcTtOT1CTp99C+CDxj+piNuUPeAvyKIX1iddVJ+ehlNkFh/Jr5dQggpYmzsLG3oirNxuaSbC901eDAU/CY/RZPtQUmgualdyFFd/+eLfEedhe0w03so8wHrwhRbzVkyZLBpzc3rgtJ7POA5ZJ9tdCQPfh8BfZrCoc6KZQ1Ek12aSwPilxW6Al4bS9nQyE64CcxAub3413R8nSsUardKryGs2hO5PADFwt2GN8STwxNtof9GBT9wAeX4kH52rNr6JpOdN0f/Ybltj4tCsePkIHCP6juAbCjUQmyy6xKk8xooOEyIZnGCJcYVe54u1ToKCzwX0JWDpSeFreDuh6m3dA8jm96nIVykCA/+C7G5xhccmojHHcmTaITIGmtUKrUadXfYtLuGRVXGeFrAXycXvx5cJkieQYDnBfLVjQvuT/gGfOdN6vuaiu5v1qy27NauMpP+XcvZDPKTn8hs7gBgSAE38Kvq03Uwa8Wn3HIZYyK9U9YjR0nSaIMMPM5qdqXGief4jC7ajMidmTMuj42G6ksSioaGKwKOnnmdNxw+3xM1/Er7UJyo7J/AFsJfjqgBCRftQmG7oUHKXGePDmC0eF+tQ2Ctbn4rKtBU4VUlqmMLnRbLfV5Mi/+V4+HOitr2YZo0P4iKaDhQGUaHkju2/PxdanCzbqsYPp3IWfqB8ZNxs7AOKHVzysSbnBQUtGtFmIJ9OXWiJkOjAEOX1Wcx/hmnifrpaeQFeLmmb4mXCNtlFkcxbV72ykFmyP+ctzPNdwY9BfJYykFlSu44U743V2MKpbBj7rWRQs2cKjB+M/O9f6VZSWg/F7Dzc1Q6zADkQNerqMBAhoymaq9cPd5i4CbSuyXZ36Gp2x4J7dQVFezMEDRBZQfSfJwbWd+llGWsW4P3YcX57L4xq+XibL2csLqOgofRChvMmPONZH7jLRyLiApudxkFE8taTdHEjqPHOIjyQeCyE0GRCFdgdNxTio9EAZde5xUhn9ibauC2ngn9BgONTPrG4E7tw6vy3T2uiP6XAM5u9FdQKijOsgf9qoL1iAvI8U6SzuxeZF4u0scqZCxiF3I91+gopu5dSLxph0d9goD+4OcGelycISRFai61vow/7on5AXr/1oGW9AC3hpfA7VxTqS6K5pnac5eigiP69e8mNurw3uib8pAKvRdMZi3VCSR8G6MagJqJYIz/XT1l1NhznPKLSULnpKUYgiF9DFr94b0oD5G6T0mT0jhghpF2kQ/dX2lJiCQXIkjGcGWe7CnAF5X/Pu03Df74rMM/HfHEp4wym7maYSkeboISLuFDCVeBQr3WGI3nyHDrUh+exNUK7J1wmsFlVmcCmqyqvakpH5VILpvgJBsLKKzEYg2fmSYQbX+tC1/TQCEZKwQPxubVRj7qylprDQVfY/OonSVMjiL2j+g/HTMpyfrcPhJ5pW3J+GSveKhH6aovHwePCtf5cxbojjnXXOf+yHOvzyVTojWFEKDQQVUMtFK95bhfx4C1MjRkKptvjd3o7oBPBQ= ---END ENCRYPT KEY---

Emails

EMAIL:[email protected]

REPEAT:[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\GrantSelect.2D7313	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
File created	C:\Program Files\RemoveWatch.2D7313	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
File created	C:\Program Files\ResumePop.2D7313	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
File created	C:\Program Files\SplitUnblock.2D7313	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
File created	C:\Program Files\2D7313-DECRYPT.txt	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	1848	vssvc.exe
Token: SeRestorePrivilege	1848	vssvc.exe
Token: SeAuditPrivilege	1848	vssvc.exe
Token: SeIncBasePriorityPrivilege	1600	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 3804	1600	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	68
PID 1600 wrote to memory of 3804	1600	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	68
PID 1600 wrote to memory of 3804	1600	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	68
PID 1600 wrote to memory of 2104	1600	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	71
PID 1600 wrote to memory of 2104	1600	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	71
PID 1600 wrote to memory of 2104	1600	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	71
PID 1600 wrote to memory of 3764	1600	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	73
PID 1600 wrote to memory of 3764	1600	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	73
PID 1600 wrote to memory of 3764	1600	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	73
PID 3764 wrote to memory of 2008	3764	cmd.exe	75
PID 3764 wrote to memory of 2008	3764	cmd.exe	75
PID 3764 wrote to memory of 2008	3764	cmd.exe	75

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3804	vssadmin.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2008	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1600	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
1600	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
1600	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
1600	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
1600	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
1600	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe

C:\Users\Admin\AppData\Local\Temp\5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
"C:\Users\Admin\AppData\Local\Temp\5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe"
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:1600
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe delete shadows /all /Quiet
  2⤵
  - Interacts with shadow copies
  PID:3804
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe "C:\Users\Admin\AppData\Local\Temp\2D7313-DECRYPT.txt"
  2⤵
  PID:2104
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 3 && del /f/q "C:\Users\Admin\AppData\Local\Temp\5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - Runs ping.exe
    PID:2008