73c129ab01e74eb487bc6b6484a9f5085c6f78134493a73637ca7d355b2b587e

General

Target

194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe
Size

2.0MB
MD5

13ee6ed04ada2524eabdf26bcc4849fe
SHA1

ea5aa317603aea0a39972f521792edc62d941fbc
SHA256

194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6
SHA512

8fd889ffc305e39702c7f2c2b798dfc5c0ea29ce9c39268321ad2917e8a90ee373862bff12bb6613f4ba3a2becc9236534f53a7aba85c248363aa419dc902920

Score

10^/10

ransomware persistence

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\READ_ME_Heyyyyyyy.txt

Ransom Note

All your files have been encrypted! All your documents (databases, texts, images, videos, musics etc.) were encrypted. The encryption was done using a secret keythat is now on our servers. To decrypt your files you will need to buy the secret key from us. We are the only on the world who can provide this for you. What can I do? Pay the ransom, in bitcoins, in the amount and wallet below. You can use www.coindirect.com/de - coinbase.com - coinmama.com - LocalBitcoins.com to buy bitcoins. 0,036 Bitcoin = 300 EURO Send BTC Address = 1NxoWvpXufC5PkagnfWD9Rf19wm5jchVkX

Wallets

1NxoWvpXufC5PkagnfWD9Rf19wm5jchVkX

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3908	XVlBzgbaiC.exe
648	xX.exe
752	xc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
752	xc.exe
752	xc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	648	xX.exe

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\svñhîst = "%USERPROFILE%\\AppData\\Local\\Temp\\xc.exe"	xc.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run	xc.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	xc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	xc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\ransom.jpg"	xX.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3884	timeout.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 3908	3944	194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe	66
PID 3944 wrote to memory of 3908	3944	194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe	66
PID 3908 wrote to memory of 648	3908	XVlBzgbaiC.exe	67
PID 3908 wrote to memory of 648	3908	XVlBzgbaiC.exe	67
PID 3908 wrote to memory of 648	3908	XVlBzgbaiC.exe	67
PID 3908 wrote to memory of 752	3908	XVlBzgbaiC.exe	68
PID 3908 wrote to memory of 752	3908	XVlBzgbaiC.exe	68
PID 3908 wrote to memory of 752	3908	XVlBzgbaiC.exe	68
PID 648 wrote to memory of 4024	648	xX.exe	71
PID 648 wrote to memory of 4024	648	xX.exe	71
PID 648 wrote to memory of 4024	648	xX.exe	71
PID 4024 wrote to memory of 3884	4024	cmd.exe	73
PID 4024 wrote to memory of 3884	4024	cmd.exe	73
PID 4024 wrote to memory of 3884	4024	cmd.exe	73

C:\Users\Admin\AppData\Local\Temp\194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe
"C:\Users\Admin\AppData\Local\Temp\194270766c8afe4cdd99c8f1ebdbc18321bd79ac6f2f3e0c0638ea93ffe8aaf6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe
  C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Users\Admin\AppData\Local\Temp\xX.exe
    "C:\Users\Admin\AppData\Local\Temp\xX.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Sets desktop wallpaper using registry
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C timeout 2 && Del /Q /F C:\Users\Admin\AppData\Local\Temp\xX.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4024
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:3884
- - C:\Users\Admin\AppData\Local\Temp\xc.exe
    "C:\Users\Admin\AppData\Local\Temp\xc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Adds Run entry to start application
    - Modifies Internet Explorer settings
    PID:752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads