Analysis

  • max time kernel
    68s
  • max time network
    120s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    28-06-2020 16:12

General

  • Target

    4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe

  • Size

    156KB

  • MD5

    fcd21c6fca3b9378961aa1865bee7ecb

  • SHA1

    0abaa05da2a05977e0baf68838cff1712f1789e0

  • SHA256

    4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458

  • SHA512

    e39c1f965f6faeaa33dfec6eba23fbfff14b287f4777797ea79480bb037d6d806516bda7046315e051961fce12e935ac546819c1e0bef5c33568d68955a9792a

Score
10/10

Malware Config

Extracted

Path

C:\odt\!TXDOT_READ_ME!.txt

Ransom Note
Greetings, Texas Department of Transportation! Read this message CAREFULLY and contact someone from IT department. Your files are securely ENCRYPTED. No third party decryption software EXISTS. MODIFICATION or RENAMING encrypted files may cause decryption failure. You can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all files from all affected systems ANY TIME. Encrypted file SHOULD NOT contain sensitive information (technical, backups, databases, large documents). The rest of data will be available after the PAYMENT. Infrastructure rebuild will cost you MUCH more. Contact us ONLY if you officially represent the whole affected network. The ONLY attachments we accept are non archived encrypted files for test decryption. Speak ENGLISH when contacting us. Mail us: txdot911@protonmail.com We kindly ask you not to use GMAIL, YAHOO or LIVE to contact us. The PRICE depends on how quickly you do it.
Emails

txdot911@protonmail.com

Signatures

  • Suspicious use of WriteProcessMemory 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Disables use of System Restore points 1 TTPs
  • Clears Windows event logs 1 TTPs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes system backup catalog 2 TTPs

    Ransomware often tries to delete backup files to inhibit system recovery.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe
    "C:\Users\Admin\AppData\Local\Temp\4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    PID:3100
    • C:\Windows\SysWOW64\cipher.exe
      "C:\Windows\System32\cipher.exe" /w:C:
      2⤵
      PID:3612
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
      2⤵
      PID:736
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl Security
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3164
    • C:\Windows\System32\wbadmin.exe
      "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
      2⤵
      • Deletes backup catalog
      PID:3060
    • C:\Windows\System32\bcdedit.exe
      "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:3608
    • C:\Windows\System32\bcdedit.exe
      "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:3780
    • C:\Windows\System32\fsutil.exe
      "C:\Windows\System32\fsutil.exe" usn deletejournal /D C:
      2⤵
      PID:3668
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl Setup
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3768
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" sl Security /e:false
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2328
    • C:\Windows\SysWOW64\cipher.exe
      "C:\Windows\System32\cipher.exe" /w:D:
      2⤵
      PID:3132
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl Application
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2324
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl System
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3136
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3032
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:3448
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:2164

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Command-Line Interface (1) T1059
  • Defense Evasion
    Indicator Removal on Host (1) T1070
    File Deletion (2) T1107
  • Discovery
    Query Registry (1) T1012
    Peripheral Device Discovery (1) T1120
    System Information Discovery (1) T1082
  • Impact
    Inhibit System Recovery (4) T1490

Downloads

  • memory/736-2-0x0000000000000000-mapping.dmp
  • memory/2324-1-0x0000000000000000-mapping.dmp
  • memory/2328-0-0x0000000000000000-mapping.dmp
  • memory/3060-6-0x0000000000000000-mapping.dmp
  • memory/3132-11-0x0000000000000000-mapping.dmp
  • memory/3136-8-0x0000000000000000-mapping.dmp
  • memory/3164-7-0x0000000000000000-mapping.dmp
  • memory/3608-3-0x0000000000000000-mapping.dmp
  • memory/3612-5-0x0000000000000000-mapping.dmp
  • memory/3668-4-0x0000000000000000-mapping.dmp
  • memory/3768-9-0x0000000000000000-mapping.dmp
  • memory/3780-10-0x0000000000000000-mapping.dmp