Analysis

  • max time kernel
    131s
  • max time network
    6s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    06-08-2020 17:16

General

  • Target

    dbbefe25c1c2ad178d1c91a69d91a7f06c9c1e40cce74d124c1a6f147eb6ab96.ps1

  • Size

    783KB

  • MD5

    d6211efef89fa31ffa17a39aeb64df6b

  • SHA1

    c0d6047feba7b5112d1d94bf03a03c7b41528fd9

  • SHA256

    dbbefe25c1c2ad178d1c91a69d91a7f06c9c1e40cce74d124c1a6f147eb6ab96

  • SHA512

    9a79d0ea2bc5c805a0fea771458172e7b6d30305dc6012712520c5547f02355e2c9ae838826bd472637dabd2d3c7d492c7acb5524a6897bef3cf43d7ad6f95df

Malware Config

Extracted

Path

C:\Users\Public\Libraries\3BBF33-Readme.txt

Family

mailto_hamlampampom

Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .3bbf33 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_3bbf33: TI3pYOldkZkXr5mT7ZfR4KaoGrYfeWFvLlj4pAx5tLDhftYxWP DrON+NTplYvPBEMXWWwXJJRjHAXAFJP01qFmYXXfaajAdisEsr MLf0mJbXjnmlWjYBp/V/53IkHj1MB0Ynm/2ESYkxACSQs2gh7d YmKoJnRbSOsFsXthi+sMmHXde3iC+qGumKoibsCU+M+cxjCenJ MiiGNg2cDJ7j5PtnzVlAE4askJP4qDlHk8dyGWBIeLq+URK8pm 4J+HrxyIauTYo5t169rVi+CKm8UzGUaXF+wqZn4A==}

Extracted

Path

C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\3BBF33-Readme.txt

Family

mailto_hamlampampom

Ransom Note
Hi! Your files are encrypted. All encrypted files for this computer has extension: .3bbf33 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_3bbf33: TI3pYOldkZkXr5mT7ZfR4KaoGrYfeWFvLlj4pAx5tLDhftYxWP DrON+NTplYvPBEMXWWwXJJRjHAXAFJP01qFmYXXfaajAdisEsr MLf0mJbXjnmlWjYBp/V/53IkHj1MB0Ynm/2ESYkxACSQs2gh7d YmKoJnRbSOsFsXthi+sMmHXde3iC+qGumKoibsCU+M+cxjCenJ MiiGNg2cDJ7j5PtnzVlAE4askJP4qDlHk8dyGWBIeLq+URK8pm 4J+HrxyIauTYo5t169rVi+CKm8UzGUaXF+wqZn4A==}Hi! Your files are encrypted. All encrypted files for this computer has extension: .3bbf33 -- If for some reason you read this text before the encryption ended, this can be understood by the fact that the computer slows down, and your heart rate has increased due to the ability to turn it off, then we recommend that you move away from the computer and accept that you have been compromised. Rebooting/shutdown will cause you to lose files without the possibility of recovery. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. Additionally, your data may have been stolen and if you do not cooperate with us, it will become publicly available on our blog. -- Steps to get access on our website: 1.Download and install tor-browser: https://torproject.org/ 2.Open our website: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_3bbf33: TI3pYOldkZkXr5mT7ZfR4KaoGrYfeWFvLlj4pAx5tLDhftYxWP DrON+NTplYvPBEMXWWwXJJRjHAXAFJP01qFmYXXfaajAdisEsr MLf0mJbXjnmlWjYBp/V/53IkHj1MB0Ynm/2ESYkxACSQs2gh7d YmKoJnRbSOsFsXthi+sMmHXde3iC+qGumKoibsCU+M+cxjCenJ MiiGNg2cDJ7j5PtnzVlAE4askJP4qDlHk8dyGWBIeLq+URK8pm 4J+HrxyIauTYo5t169rVi+CKm8UzGUaXF+wqZn4A==}

Signatures

  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Drops file in Program Files directory 7500 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Modifies service 2 TTPs 5 IoCs
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Suspicious behavior: EnumeratesProcesses 272 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • MailTo (Hamlampampom Variant)

    Ransomware family discovered in late 2019 with variants named based on contact emails.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Drops file in Program Files directory
    • Modifies extensions of user files
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Checks whether UAC is enabled
    • Suspicious use of AdjustPrivilegeToken
    PID:1256
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\dbbefe25c1c2ad178d1c91a69d91a7f06c9c1e40cce74d124c1a6f147eb6ab96.ps1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      PID:1480
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ama3rknv\ama3rknv.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1028
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9DF3.tmp" "c:\Users\Admin\AppData\Local\Temp\ama3rknv\CSCF5F49EA967374416B8316EBCC0218D9F.TMP"
          4⤵
            PID:1528
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vbwakrd4\vbwakrd4.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1684
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FA8.tmp" "c:\Users\Admin\AppData\Local\Temp\vbwakrd4\CSC1F29B6C3CD1A4A8CB1B5DE444B58858C.TMP"
            4⤵
              PID:1796
        • C:\Windows\system32\notepad.exe
          C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\3BBF33-Readme.txt"
          2⤵
            PID:7364
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Modifies service
          • Suspicious use of AdjustPrivilegeToken
          PID:1728

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RES9DF3.tmp

        • C:\Users\Admin\AppData\Local\Temp\RES9FA8.tmp

        • C:\Users\Admin\AppData\Local\Temp\ama3rknv\ama3rknv.dll

        • C:\Users\Admin\AppData\Local\Temp\vbwakrd4\vbwakrd4.dll

        • C:\Users\Admin\Desktop\3BBF33-Readme.txt

        • \??\c:\Users\Admin\AppData\Local\Temp\ama3rknv\CSCF5F49EA967374416B8316EBCC0218D9F.TMP

        • \??\c:\Users\Admin\AppData\Local\Temp\ama3rknv\ama3rknv.0.cs

        • \??\c:\Users\Admin\AppData\Local\Temp\ama3rknv\ama3rknv.cmdline

        • \??\c:\Users\Admin\AppData\Local\Temp\vbwakrd4\CSC1F29B6C3CD1A4A8CB1B5DE444B58858C.TMP

        • \??\c:\Users\Admin\AppData\Local\Temp\vbwakrd4\vbwakrd4.0.cs

        • \??\c:\Users\Admin\AppData\Local\Temp\vbwakrd4\vbwakrd4.cmdline

        • memory/1028-6-0x0000000000000000-mapping.dmp

        • memory/1480-21-0x00000000025A0000-0x00000000025A2000-memory.dmp

          Filesize

          8KB

        • memory/1480-25-0x00000000025C0000-0x00000000025DB000-memory.dmp

          Filesize

          108KB

        • memory/1480-1-0x0000000002400000-0x0000000002401000-memory.dmp

          Filesize

          4KB

        • memory/1480-28-0x00000000025C0000-0x00000000025DB000-memory.dmp

          Filesize

          108KB

        • memory/1480-5-0x000000001C2A0000-0x000000001C2A1000-memory.dmp

          Filesize

          4KB

        • memory/1480-27-0x00000000025C0000-0x00000000025DB000-memory.dmp

          Filesize

          108KB

        • memory/1480-4-0x0000000002220000-0x0000000002221000-memory.dmp

          Filesize

          4KB

        • memory/1480-3-0x0000000002540000-0x0000000002541000-memory.dmp

          Filesize

          4KB

        • memory/1480-2-0x000000001AB70000-0x000000001AB71000-memory.dmp

          Filesize

          4KB

        • memory/1480-0-0x000007FEF6020000-0x000007FEF6A0C000-memory.dmp

          Filesize

          9.9MB

        • memory/1480-22-0x000000001C0D0000-0x000000001C0D1000-memory.dmp

          Filesize

          4KB

        • memory/1480-23-0x00000000025C0000-0x00000000025DB000-memory.dmp

          Filesize

          108KB

        • memory/1480-24-0x00000000025C0000-0x00000000025DB000-memory.dmp

          Filesize

          108KB

        • memory/1480-13-0x00000000024B0000-0x00000000024B2000-memory.dmp

          Filesize

          8KB

        • memory/1480-26-0x00000000025C0000-0x00000000025DB000-memory.dmp

          Filesize

          108KB

        • memory/1528-9-0x0000000000000000-mapping.dmp

        • memory/1684-14-0x0000000000000000-mapping.dmp

        • memory/1796-17-0x0000000000000000-mapping.dmp

        • memory/7364-30-0x0000000000000000-mapping.dmp