73c129ab01e74eb487bc6b6484a9f5085c6f78134493a73637ca7d355b2b587e

General

Target

194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe
Size

2.0MB
MD5

13ee6ed04ada2524eabdf26bcc4849fe
SHA1

ea5aa317603aea0a39972f521792edc62d941fbc
SHA256

194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6
SHA512

8fd889ffc305e39702c7f2c2b798dfc5c0ea29ce9c39268321ad2917e8a90ee373862bff12bb6613f4ba3a2becc9236534f53a7aba85c248363aa419dc902920

Score

10^/10

ransomware evasion spyware trojan persistence

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\READ_ME_Heyyyyyyy.txt

Ransom Note

All your files have been encrypted! All your documents (databases, texts, images, videos, musics etc.) were encrypted. The encryption was done using a secret keythat is now on our servers. To decrypt your files you will need to buy the secret key from us. We are the only on the world who can provide this for you. What can I do? Pay the ransom, in bitcoins, in the amount and wallet below. You can use www.coindirect.com/de - coinbase.com - coinmama.com - LocalBitcoins.com to buy bitcoins. 0,036 Bitcoin = 300 EURO Send BTC Address = 1NxoWvpXufC5PkagnfWD9Rf19wm5jchVkX

Wallets

1NxoWvpXufC5PkagnfWD9Rf19wm5jchVkX

Signatures

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	xc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\svñhîst = "%USERPROFILE%\\AppData\\Local\\Temp\\xc.exe"	xc.exe

Loads dropped DLL 1 IoCs

Processes:

194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe

pid process

1060 194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe

pid	process
1060	194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exeXVlBzgbaiC.exexX.execmd.exe

description	pid	process	target process
PID 1060 wrote to memory of 1308	1060	194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe	XVlBzgbaiC.exe
PID 1060 wrote to memory of 1308	1060	194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe	XVlBzgbaiC.exe
PID 1060 wrote to memory of 1308	1060	194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe	XVlBzgbaiC.exe
PID 1060 wrote to memory of 1308	1060	194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe	XVlBzgbaiC.exe
PID 1308 wrote to memory of 1496	1308	XVlBzgbaiC.exe	xX.exe
PID 1308 wrote to memory of 1496	1308	XVlBzgbaiC.exe	xX.exe
PID 1308 wrote to memory of 1496	1308	XVlBzgbaiC.exe	xX.exe
PID 1308 wrote to memory of 1496	1308	XVlBzgbaiC.exe	xX.exe
PID 1308 wrote to memory of 1616	1308	XVlBzgbaiC.exe	xc.exe
PID 1308 wrote to memory of 1616	1308	XVlBzgbaiC.exe	xc.exe
PID 1308 wrote to memory of 1616	1308	XVlBzgbaiC.exe	xc.exe
PID 1308 wrote to memory of 1616	1308	XVlBzgbaiC.exe	xc.exe
PID 1496 wrote to memory of 1904	1496	xX.exe	cmd.exe
PID 1496 wrote to memory of 1904	1496	xX.exe	cmd.exe
PID 1496 wrote to memory of 1904	1496	xX.exe	cmd.exe
PID 1496 wrote to memory of 1904	1496	xX.exe	cmd.exe
PID 1904 wrote to memory of 1948	1904	cmd.exe	timeout.exe
PID 1904 wrote to memory of 1948	1904	cmd.exe	timeout.exe
PID 1904 wrote to memory of 1948	1904	cmd.exe	timeout.exe
PID 1904 wrote to memory of 1948	1904	cmd.exe	timeout.exe

Executes dropped EXE 3 IoCs

Processes:

XVlBzgbaiC.exexX.exexc.exe

pid process

1308 XVlBzgbaiC.exe
1496 xX.exe
1616 xc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

xc.exe

pid process

1616 xc.exe
1616 xc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

xX.exe

description pid process

Token: SeDebugPrivilege 1496 xX.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1948 timeout.exe

pid	process
1308	XVlBzgbaiC.exe
1496	xX.exe
1616	xc.exe

pid	process
1616	xc.exe
1616	xc.exe

description	pid	process
Token: SeDebugPrivilege	1496	xX.exe

pid	process
1948	timeout.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

xc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	xc.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	xc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	xc.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

xc.exexX.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	xc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	xX.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	xX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	xc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

xX.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\ransom.jpg"	xX.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\Wallpaper.jpg"	xX.exe

C:\Users\Admin\AppData\Local\Temp\194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe
"C:\Users\Admin\AppData\Local\Temp\194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe
C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe
2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
PID:1308

C:\Users\Admin\AppData\Local\Temp\xX.exe
"C:\Users\Admin\AppData\Local\Temp\xX.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Modifies system certificate store
- Sets desktop wallpaper using registry
PID:1496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 2 && Del /Q /F C:\Users\Admin\AppData\Local\Temp\xX.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:1948

C:\Users\Admin\AppData\Local\Temp\xc.exe
"C:\Users\Admin\AppData\Local\Temp\xc.exe"
3⤵
- Adds Run entry to start application
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Modifies Internet Explorer settings
- Modifies system certificate store
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\xX.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\xX.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\xc.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\xc.exe

Download Submit
\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe

Download Submit
memory/1308-1-0x0000000000000000-mapping.dmp

Download
memory/1496-4-0x0000000000000000-mapping.dmp

Download
memory/1616-6-0x0000000000000000-mapping.dmp

Download
memory/1904-15-0x0000000000000000-mapping.dmp

Download
memory/1948-20-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads