Analysis

  • max time kernel
    42s
  • max time network
    117s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    14/08/2020, 10:41

General

  • Target

    DCryptSoft.bin.exe

  • Size

    106KB

  • MD5

    8ba537f8d00a73d6cc1cc5dffa566ed1

  • SHA1

    08419f52af8acc1bdac239bd65f64414597a8d96

  • SHA256

    aac2024789ffd2bfce97d6a509136ecf7c43b18c2a83280b596e62d988cedb10

  • SHA512

    7bc28f475d504e945d690ad998987d4184269dac8f7470842f356a50f9ff59dd1595b6cf87b2015844d7c3cf84e39f989a648700d28561251dc59428177a14f7

Score
10/10

Malware Config

Extracted

Path

\??\M:\Read_Me.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://54fjmcwsszltlixn.onion/?UWXZACEF 5. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/
URLs

http://54fjmcwsszltlixn.onion/?UWXZACEF

http://helpqvrg3cc5mvb3.onion/

Signatures

  • Modifies Installed Components in the registry 2 TTPs
  • Drops desktop.ini file(s) 3 IoCs
  • Enumerates connected drives 3 TTPs
  • Drops file in Program Files directory 13621 IoCs
  • Modifies Control Panel 3 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 12720 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCryptSoft.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\DCryptSoft.bin.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    PID:976
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2908

Network

MITRE ATT&CK Enterprise v6
