Overview

overview

10

Static

static

de693a0ae0...9d.exe

windows7_x64

10

de693a0ae0...9d.exe

windows10_x64

10

Analysis

  • max time kernel
    65s
  • max time network
    116s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    12-07-2020 08:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de693a0ae0b1cdefbe778a8d8af1cd9d.exe

  • Size

    717KB

  • MD5

    de693a0ae0b1cdefbe778a8d8af1cd9d

  • SHA1

    bc7fd9e2066415a9939d25c0c9ea2ee29176726a

  • SHA256

    6dc5dc06eba82eb3dbfc51c48f44a0b6bc519d2432d357cb84d65cf7b9b4e763

  • SHA512

    a82b2dc6aa9b48346c8747db22153249f18c76e45ddbd503144cae6853cb5d7c839839521dc83a6046a9b5e04b1ff81ab46aa7f9d1101a11b5eead6d6c4bba4d

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Boot\bg-BG\Read_Me.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://7rzpyw3hflwe2c7h.onion/?FWYZBDEG 5. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/
URLs

http://7rzpyw3hflwe2c7h.onion/?FWYZBDEG

http://helpqvrg3cc5mvb3.onion/

Signatures

  • Suspicious use of WriteProcessMemory 9 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8316 IoCs
  • Drops file in Program Files directory 11249 IoCs
  • Drops desktop.ini file(s) 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de693a0ae0b1cdefbe778a8d8af1cd9d.exe
    "C:\Users\Admin\AppData\Local\Temp\de693a0ae0b1cdefbe778a8d8af1cd9d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetThreadContext
    PID:2288
    • C:\Users\Admin\AppData\Local\Temp\de693a0ae0b1cdefbe778a8d8af1cd9d.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Drops file in Program Files directory
      • Drops desktop.ini file(s)
      PID:3900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3900-1-0x0000000000407CA0-mapping.dmp
    Download
  • memory/3900-0-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3900-2-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download