Analysis
-
max time kernel
65s -
max time network
67s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
03-08-2020 14:59
Static task
static1
Behavioral task
behavioral1
Sample
ransomware.exe
Resource
win7
Behavioral task
behavioral2
Sample
ransomware.exe
Resource
win10v200722
General
-
Target
ransomware.exe
-
Size
5.7MB
-
MD5
e3204b2e61223989b1562f5dee40eee0
-
SHA1
7bd50a3b0e3f9b4a543f750869ca3ee29b4798e1
-
SHA256
1ee39f6cd500940ad97c444778dc717361e01ce5579a28d761aedae86e85af64
-
SHA512
19df0eb4c803e6eeb41abb1fb425f4d9cd6e4262aaeb8bbf7eb959a30f3db2533fd6aed13e055a9781371e9de37de4212d80a32862798368e5dd798763012bc4
Malware Config
Extracted
C:\Boot\bg-BG\read_me.txt
deathransom
death@firemail.cc
death@cumallover.me
Signatures
-
DeathRansom
Ransomware family first seen at the start of 2020. Initial versions did not actually encrypt files.
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
ransomware.exedescription ioc process File renamed C:\Users\Admin\Pictures\EnterWrite.tiff => C:\Users\Admin\Pictures\EnterWrite.tiff.wctc ransomware.exe File renamed C:\Users\Admin\Pictures\PublishMerge.tif => C:\Users\Admin\Pictures\PublishMerge.tif.wctc ransomware.exe File renamed C:\Users\Admin\Pictures\SubmitTest.tiff => C:\Users\Admin\Pictures\SubmitTest.tiff.wctc ransomware.exe File renamed C:\Users\Admin\Pictures\UnpublishUnregister.raw => C:\Users\Admin\Pictures\UnpublishUnregister.raw.wctc ransomware.exe File renamed C:\Users\Admin\Pictures\EditOpen.tif => C:\Users\Admin\Pictures\EditOpen.tif.wctc ransomware.exe File opened for modification C:\Users\Admin\Pictures\EnterWrite.tiff ransomware.exe File renamed C:\Users\Admin\Pictures\SendOut.png => C:\Users\Admin\Pictures\SendOut.png.wctc ransomware.exe File opened for modification C:\Users\Admin\Pictures\SubmitTest.tiff ransomware.exe File opened for modification C:\Users\Admin\Pictures\ConvertFromEnter.tiff ransomware.exe File renamed C:\Users\Admin\Pictures\ConvertFromEnter.tiff => C:\Users\Admin\Pictures\ConvertFromEnter.tiff.wctc ransomware.exe -
Drops desktop.ini file(s) 23 IoCs
Processes:
ransomware.exedescription ioc process File opened for modification C:\Users\Admin\Documents\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini ransomware.exe File opened for modification C:\Users\Public\Desktop\desktop.ini ransomware.exe File opened for modification C:\Users\Public\Downloads\desktop.ini ransomware.exe File opened for modification C:\Users\Public\Pictures\desktop.ini ransomware.exe File opened for modification C:\Users\Public\Videos\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini ransomware.exe File opened for modification C:\Users\Public\desktop.ini ransomware.exe File opened for modification C:\Users\Public\Libraries\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Music\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Videos\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Links\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini ransomware.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini ransomware.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini ransomware.exe File opened for modification C:\Users\Public\Documents\desktop.ini ransomware.exe File opened for modification C:\Users\Public\Music\desktop.ini ransomware.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
ransomware.exepid process 60 ransomware.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
ransomware.exepid process 60 ransomware.exe 60 ransomware.exe