Analysis

  • max time kernel
    129s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    13-07-2020 10:59

General

  • Target

    70BC.tmp.exe

  • Size

    676KB

  • MD5

    07566fb66073abafbd438f08fa1c7245

  • SHA1

    e73eed815412a3cb1929add64b3ba7639006eb2e

  • SHA256

    6eb60af3c1f6688fee7286b384fd107552bdf95dc951101df4a1d4f861623134

  • SHA512

    fd853360ba32b8f8c23fbda55b88fa66c802b53e33c169a8a4d1d87ba84e4895640a5ef3b341d67e3733e76c379598490167ad4ae486262eba5e2cf098d79f24

Malware Config

Extracted

Path

C:\_readme.txt

Ransom Note

ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-q9ro1midUb Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: helpmanager@mail.ch Reserve e-mail address to contact us: restoremanager@airmail.cc Your personal ID: 0240regyjnkjddrtgjAPJNEQoue2941bbvln0FlNgqZ8mrbh5FmCQGfK
Emails

helpmanager@mail.ch

restoremanager@airmail.cc

URLs

https://we.tl/t-q9ro1midUb

Signatures

  • Suspicious use of WriteProcessMemory 27 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Checks for installed software on the system 1 TTPs 28 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies file permissions 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Kills process with taskkill 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Adds Run entry to start application 2 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\70BC.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\70BC.tmp.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: EnumeratesProcesses
    • Modifies system certificate store
    • Adds Run entry to start application
    PID:1492
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\d25b2a2c-fcbe-4b79-bda8-281a3fbb3dd5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      2⤵
      • Modifies file permissions
      PID:2120
    • C:\Users\Admin\AppData\Local\Temp\70BC.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\70BC.tmp.exe" --Admin IsNotAutoStart IsNotTask
      2⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: EnumeratesProcesses
      PID:2204
      • C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin1.exe
        "C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin1.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        • Executes dropped EXE
        PID:3776
        • C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin1.exe
          "C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin1.exe" --Admin
          4⤵
          • Suspicious use of WriteProcessMemory
          • Executes dropped EXE
          PID:3568
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
            5⤵
              PID:3436
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 668
                6⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Program crash
                PID:2996
        • C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin2.exe
          "C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin2.exe"
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          PID:4024
        • C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\5.exe
          "C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\5.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          • Checks for installed software on the system
          • Suspicious behavior: EnumeratesProcesses
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks processor information in registry
          PID:3944
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\5.exe & exit
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1648
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /im 5.exe /f
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              • Kills process with taskkill
              PID:1500
    • C:\Users\Admin\AppData\Local\d25b2a2c-fcbe-4b79-bda8-281a3fbb3dd5\70BC.tmp.exe
      C:\Users\Admin\AppData\Local\d25b2a2c-fcbe-4b79-bda8-281a3fbb3dd5\70BC.tmp.exe --Task
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Executes dropped EXE
      PID:1464
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1144
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\_readme.txt
        1⤵
        • Opens file in notepad (likely ransom note)
        PID:1012

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    File Permissions Modification (T1222): 1
    Install Root Certificate (T1130): 1
    Modify Registry (T1112): 2
  • Credential Access
    Credentials in Files (T1081): 2
  • Discovery
    Query Registry (T1012): 2
    System Information Discovery (T1082): 1
  • Collection
    Data from Local System (T1005): 2

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  • C:\Users\Admin\AppData\Local\d25b2a2c-fcbe-4b79-bda8-281a3fbb3dd5\70BC.tmp.exe
  • C:\Users\Admin\AppData\Local\d25b2a2c-fcbe-4b79-bda8-281a3fbb3dd5\70BC.tmp.exe
  • C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\5.exe
  • C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\5.exe
  • C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin1.exe
  • C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin1.exe
  • C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin1.exe
  • C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin2.exe
  • C:\Users\Admin\AppData\Local\f5cc18bd-408f-4f60-885c-875bf1256246\updatewin2.exe
  • C:\_readme.txt
  • \ProgramData\mozglue.dll
  • \ProgramData\nss3.dll
  • memory/1464-297-0x00000000011E0000-0x00000000011E1000-memory.dmp (Filesize 4KB)
  • memory/1492-1-0x0000000001280000-0x0000000001281000-memory.dmp (Filesize 4KB)
  • memory/1500-242-0x0000000000000000-mapping.dmp
  • memory/1648-241-0x0000000000000000-mapping.dmp
  • memory/2120-2-0x0000000000000000-mapping.dmp
  • memory/2204-298-0x0000000003AF0000-0x0000000003AF1000-memory.dmp (Filesize 4KB)
  • memory/2204-300-0x0000000003AF0000-0x0000000003AF1000-memory.dmp (Filesize 4KB)
  • memory/2204-4-0x0000000000000000-mapping.dmp
  • memory/2204-6-0x00000000011F0000-0x00000000011F1000-memory.dmp (Filesize 4KB)
  • memory/2204-299-0x00000000042F0000-0x00000000042F1000-memory.dmp (Filesize 4KB)
  • memory/2996-289-0x0000000004D80000-0x0000000004D81000-memory.dmp (Filesize 4KB)
  • memory/2996-281-0x0000000004C80000-0x0000000004C81000-memory.dmp (Filesize 4KB)
  • memory/2996-290-0x0000000000BF0000-0x0000000000BF1000-memory.dmp (Filesize 4KB)
  • memory/2996-279-0x0000000004C80000-0x0000000004C81000-memory.dmp (Filesize 4KB)
  • memory/2996-274-0x0000000004C80000-0x0000000004C81000-memory.dmp (Filesize 4KB)
  • memory/2996-270-0x0000000004C80000-0x0000000004C81000-memory.dmp (Filesize 4KB)
  • memory/2996-260-0x0000000004C80000-0x0000000004C81000-memory.dmp (Filesize 4KB)
  • memory/2996-250-0x0000000004680000-0x0000000004681000-memory.dmp (Filesize 4KB)
  • memory/2996-251-0x0000000004680000-0x0000000004681000-memory.dmp (Filesize 4KB)
  • memory/2996-253-0x0000000004680000-0x0000000004681000-memory.dmp (Filesize 4KB)
  • memory/2996-261-0x0000000004C80000-0x0000000004C81000-memory.dmp (Filesize 4KB)
  • memory/3436-249-0x0000000000000000-mapping.dmp
  • memory/3436-285-0x0000000000000000-mapping.dmp
  • memory/3436-257-0x0000000000000000-mapping.dmp
  • memory/3436-258-0x0000000000000000-mapping.dmp
  • memory/3436-259-0x0000000000000000-mapping.dmp
  • memory/3436-255-0x0000000000000000-mapping.dmp
  • memory/3436-254-0x0000000000000000-mapping.dmp
  • memory/3436-256-0x0000000000000000-mapping.dmp
  • memory/3436-288-0x0000000000000000-mapping.dmp
  • memory/3436-286-0x0000000000000000-mapping.dmp
  • memory/3436-287-0x0000000000000000-mapping.dmp
  • memory/3436-283-0x0000000000000000-mapping.dmp
  • memory/3436-284-0x0000000000000000-mapping.dmp
  • memory/3568-248-0x00000000004D4000-0x00000000004D7000-memory.dmp (Filesize 12KB)
  • memory/3568-244-0x0000000000000000-mapping.dmp
  • memory/3568-246-0x00000000020B0000-0x00000000020B1000-memory.dmp (Filesize 4KB)
  • memory/3776-243-0x000000000048E000-0x000000000048F000-memory.dmp (Filesize 4KB)
  • memory/3776-12-0x0000000002000000-0x0000000002001000-memory.dmp (Filesize 4KB)
  • memory/3776-9-0x0000000000000000-mapping.dmp
  • memory/3944-21-0x0000000001210000-0x0000000001211000-memory.dmp (Filesize 4KB)
  • memory/3944-20-0x0000000000F25000-0x0000000000F26000-memory.dmp (Filesize 4KB)
  • memory/3944-17-0x0000000000000000-mapping.dmp
  • memory/4024-247-0x000000000065E000-0x000000000065F000-memory.dmp (Filesize 4KB)
  • memory/4024-16-0x00000000020E0000-0x00000000020E1000-memory.dmp (Filesize 4KB)
  • memory/4024-13-0x0000000000000000-mapping.dmp