Overview

overview

10

Static

static

6

602c753ee7...a9.exe

windows7_x64

10

602c753ee7...a9.exe

windows10_x64

10

Analysis

  • max time kernel
    54s
  • max time network
    6s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    13-07-2020 13:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    602c753ee7337a5398df34b82238dd243d6afc9aa0f2d6e75f9d5a98cb609aa9.exe

  • Size

    4.6MB

  • MD5

    1d3e630e85d4055a6b00bf588f30af21

  • SHA1

    64658fd77ddcb9496d2c6a6f174210010bbcdf54

  • SHA256

    602c753ee7337a5398df34b82238dd243d6afc9aa0f2d6e75f9d5a98cb609aa9

  • SHA512

    0fe39d9fdfc317c5fbbafa7dab5380be6daac8e9cee54df4814e976b8d4a95db45e1259b2a99f1a451dc2a8d4c1435bc9134e13a6ead2df6c812c4a128236246

Score
10/10
ransomwarespywarepersistence

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\HOW TO RESTORE YOUR FILES.TXT

Ransom Note
Hello! All your files are encrypted and only I can decrypt them. Contact me: [email protected] Write me if you want to return your files - I can do it very quickly! The header of letter must contain extension of encrypted files. I'm always reply within 24 hours. If not - check spam folder, resend your letter or try send letter from another email service (like protonmail.com). Attention! Do not rename or edit encrypted files: you may have permanent data loss. To prove that I can recover your files, I am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups) HURRY UP! ! ! ! If you do not email me in the next 48 hours then your data may be lost permanently ! ! !

Signatures

  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious use of WriteProcessMemory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Drops startup file 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Drops file in Program Files directory 14827 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies service 2 TTPs 5 IoCs
    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\602c753ee7337a5398df34b82238dd243d6afc9aa0f2d6e75f9d5a98cb609aa9.exe
    "C:\Users\Admin\AppData\Local\Temp\602c753ee7337a5398df34b82238dd243d6afc9aa0f2d6e75f9d5a98cb609aa9.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Drops startup file
    • Drops file in Program Files directory
    PID:1324
    • C:\Windows\system32\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\nhnbyqhmkfbwpmos.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\system32\sc.exe
        SC QUERY
        3⤵
          PID:976
        • C:\Windows\system32\findstr.exe
          FINDSTR SERVICE_NAME
          3⤵
            PID:900
        • C:\Windows\system32\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\cpmpxruqajffusqrl.bat
          2⤵
            PID:688
          • C:\Windows\system32\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\nonyhhaipsbdmfrwx.bat
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1396
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              3⤵
              • Interacts with shadow copies
              PID:1784
          • C:\Windows\system32\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\jjqsuskj.bat
            2⤵
              PID:1964
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            • Modifies service
            PID:1760

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\nhnbyqhmkfbwpmos.bat
            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nonyhhaipsbdmfrwx.bat
            Download Submit

          • memory/688-4-0x0000000000000000-mapping.dmp

            Download

          • memory/900-3-0x0000000000000000-mapping.dmp

            Download

          • memory/976-2-0x0000000000000000-mapping.dmp

            Download

          • memory/1396-5-0x0000000000000000-mapping.dmp

            Download

          • memory/1420-0-0x0000000000000000-mapping.dmp

            Download

          • memory/1784-7-0x0000000000000000-mapping.dmp

            Download

          • memory/1964-8-0x0000000000000000-mapping.dmp

            Download