7eda4a7aad48e8c17fcc5f06f4977fe541af3bac0a666835323873e6a06cec51

Analysis

max time kernel
101s
max time network
64s
platform
windows7_x64
resource
win7
submitted
25-06-2020 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f4dbd505348c33b9435351252aeddba1199df72011e4f83a643790d02231906.exe
Size

936KB
MD5

6cdd7ca85e3828897d6e39b1ab93e6a2
SHA1

b3879d8d6f937d0aabf4660be207e9aabe965397
SHA256

4f4dbd505348c33b9435351252aeddba1199df72011e4f83a643790d02231906
SHA512

8df354a2024b2a047de5fe50437a6842066626953a0740ad1810b10f619266de1fece6d431a0cbb7ecfa300cc4529dd98da77e8a11d0aceedba67d1294a31984

Score

10^/10

ransomware persistence

Malware Config

Extracted

Path

C:\Users\Admin\ReadmeCrypto.txt

Ransom Note

baraka team your files are encrypted to recover them back contact us on pinkiwinki78@mail.ru

Emails

pinkiwinki78@mail.ru

Signatures

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

4f4dbd505348c33b9435351252aeddba1199df72011e4f83a643790d02231906.exe

pid process

1184 4f4dbd505348c33b9435351252aeddba1199df72011e4f83a643790d02231906.exe

pid	process
1184	4f4dbd505348c33b9435351252aeddba1199df72011e4f83a643790d02231906.exe

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4f4dbd505348c33b9435351252aeddba1199df72011e4f83a643790d02231906.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	4f4dbd505348c33b9435351252aeddba1199df72011e4f83a643790d02231906.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\crytoMSG = "C:\\Users\\Admin\\ReadmeCrypto.txt"	4f4dbd505348c33b9435351252aeddba1199df72011e4f83a643790d02231906.exe

Modifies control panel 1 IoCs

evasion

Processes:

4f4dbd505348c33b9435351252aeddba1199df72011e4f83a643790d02231906.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop	4f4dbd505348c33b9435351252aeddba1199df72011e4f83a643790d02231906.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

4f4dbd505348c33b9435351252aeddba1199df72011e4f83a643790d02231906.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\pl.bmp"	4f4dbd505348c33b9435351252aeddba1199df72011e4f83a643790d02231906.exe

C:\Users\Admin\AppData\Local\Temp\4f4dbd505348c33b9435351252aeddba1199df72011e4f83a643790d02231906.exe
"C:\Users\Admin\AppData\Local\Temp\4f4dbd505348c33b9435351252aeddba1199df72011e4f83a643790d02231906.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Adds Run entry to start application
- Modifies control panel
- Sets desktop wallpaper using registry
PID:1184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads