Overview

overview

10

Static

static

de693a0ae0...9d.exe

windows7_x64

10

de693a0ae0...9d.exe

windows10_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    12-07-2020 08:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de693a0ae0b1cdefbe778a8d8af1cd9d.exe

  • Size

    717KB

  • MD5

    de693a0ae0b1cdefbe778a8d8af1cd9d

  • SHA1

    bc7fd9e2066415a9939d25c0c9ea2ee29176726a

  • SHA256

    6dc5dc06eba82eb3dbfc51c48f44a0b6bc519d2432d357cb84d65cf7b9b4e763

  • SHA512

    a82b2dc6aa9b48346c8747db22153249f18c76e45ddbd503144cae6853cb5d7c839839521dc83a6046a9b5e04b1ff81ab46aa7f9d1101a11b5eead6d6c4bba4d

Score
10/10
ransomwarepersistencespyware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\Read_Me.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://7rzpyw3hflwe2c7h.onion/?FFFFFFFF 5. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/
URLs

http://7rzpyw3hflwe2c7h.onion/?FFFFFFFF

http://helpqvrg3cc5mvb3.onion/

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies service 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SendNotifyMessage 73 IoCs
  • Enumerates connected drives 3 TTPs
  • Drops startup file 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 41 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Suspicious use of FindShellTrayWindow 57 IoCs
  • Modifies registry class 15 IoCs
  • Drops file in Program Files directory 12081 IoCs
  • Suspicious behavior: EnumeratesProcesses 4524 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de693a0ae0b1cdefbe778a8d8af1cd9d.exe
    "C:\Users\Admin\AppData\Local\Temp\de693a0ae0b1cdefbe778a8d8af1cd9d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Users\Admin\AppData\Local\Temp\de693a0ae0b1cdefbe778a8d8af1cd9d.exe
      "{path}"
      2⤵
      • Drops startup file
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      PID:1768
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies service
    • Suspicious use of SendNotifyMessage
    • Modifies Installed Components in the registry
    • Drops desktop.ini file(s)
    • Suspicious use of FindShellTrayWindow
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1968
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Suspicious use of SendNotifyMessage
    • Modifies Installed Components in the registry
    • Suspicious use of FindShellTrayWindow
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1368
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies service
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SendNotifyMessage
    • Modifies Installed Components in the registry
    • Suspicious use of FindShellTrayWindow
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WPDNSE\Read_Me.txt
    Download Submit
  • C:\Users\Admin\Desktop\BackupRestore.mpg.readme
    Download Submit
  • C:\Users\Admin\Desktop\BlockDisconnect.odp.readme
    Download Submit
  • C:\Users\Admin\Desktop\BlockSet.i64.readme
    Download Submit
  • C:\Users\Admin\Desktop\CheckpointClear.snd.readme
    Download Submit
  • C:\Users\Admin\Desktop\CompressProtect.TS.readme
    Download Submit
  • C:\Users\Admin\Desktop\ConvertFromWatch.jpeg.readme
    Download Submit
  • C:\Users\Admin\Desktop\DebugStart.mp4.readme
    Download Submit
  • C:\Users\Admin\Desktop\DenyExpand.vstm.readme
    Download Submit
  • C:\Users\Admin\Desktop\DismountEnter.svgz.readme
    Download Submit
  • C:\Users\Admin\Desktop\ExitComplete.ini.readme
    Download Submit
  • C:\Users\Admin\Desktop\ExitImport.lock.readme
    Download Submit
  • C:\Users\Admin\Desktop\LimitRename.iso.readme
    Download Submit
  • C:\Users\Admin\Desktop\LockPing.cfg.readme
    Download Submit
  • C:\Users\Admin\Desktop\MountRead.eprtx.readme
    Download Submit
  • C:\Users\Admin\Desktop\NewClose.xltm.readme
    Download Submit
  • C:\Users\Admin\Desktop\OutClose.MOD.readme
    Download Submit
  • C:\Users\Admin\Desktop\PingProtect.cr2.readme
    Download Submit
  • C:\Users\Admin\Desktop\PopMount.wm.readme
    Download Submit
  • C:\Users\Admin\Desktop\Read_Me.txt
    Download Submit
  • C:\Users\Admin\Desktop\RedoClear.snd.readme
    Download Submit
  • C:\Users\Admin\Desktop\RequestUndo.vb.readme
    Download Submit
  • C:\Users\Admin\Desktop\RevokeUnlock.cmd.readme
    Download Submit
  • C:\Users\Admin\Desktop\SplitGet.xlsm.readme
    Download Submit
  • C:\Users\Admin\Desktop\StepUnblock.contact.readme
    Download Submit
  • C:\Users\Admin\Desktop\UnblockImport.rtf.readme
    Download Submit
  • C:\Users\Admin\Desktop\UninstallDebug.csv.readme
    Download Submit
  • C:\Users\Admin\Desktop\UnregisterEdit.vdw.readme
    Download Submit
  • C:\Users\Admin\Desktop\UnregisterEnable.TTS.readme
    Download Submit
  • C:\Users\Admin\Desktop\UpdateUninstall.wma.readme
    Download Submit
  • C:\Users\Admin\Desktop\desktop.ini.readme
    Download Submit
  • C:\Users\Public\Desktop\Adobe Reader 9.lnk.readme
    Download Submit
  • C:\Users\Public\Desktop\Firefox.lnk.readme
    Download Submit
  • C:\Users\Public\Desktop\Google Chrome.lnk.readme
    Download Submit
  • C:\Users\Public\Desktop\Read_Me.txt
    Download Submit
  • C:\Users\Public\Desktop\VLC media player.lnk.readme
    Download Submit
  • C:\Users\Public\Desktop\desktop.ini.readme
    Download Submit
  • \??\M:\$RECYCLE.BIN\S-1-5-21-1131729243-447456001-3632642222-1000\desktop.ini
    Download Submit
  • memory/1368-7-0x0000000003BA0000-0x0000000003BA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1672-47-0x00000000038F0000-0x00000000038F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1672-48-0x0000000003F90000-0x0000000003F91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1768-1-0x0000000000407CA0-mapping.dmp
    Download
  • memory/1768-2-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1768-0-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1968-5-0x0000000003B40000-0x0000000003B41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1968-6-0x0000000003B40000-0x0000000003B41000-memory.dmp
    Filesize

    4KB

    Download