5dd45efe2b08a6566739cb61978ea7f0ce3badc64220475c6e62eadb16938278

Analysis

max time kernel
84s
max time network
138s
platform
windows7_x64
resource
win7v200722
submitted
23/08/2020, 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DirectX_Update.bin.exe
Size

401KB
MD5

feaccffc7990693228933d5a5f67b833
SHA1

adcad8fe079bfcfdcf09cca72920d5e93d61594a
SHA256

30718dcdb6fc8e48a442f5b1f63e413e69f6cf2a279fed1c7c80e9517a133317
SHA512

739151a037f3a27699c4f14df4e613e0f86bc6e39988fbceb978935c6a048de3c4ce8117b413a17bc8a1a1d0f4dbb5867a96eb5d0fa369c020a8c39e40535c03

Score

10^/10

ransomware persistence

Malware Config

Extracted

Path

C:\ATTENTION-feeef-README.txt

Ransom Note

Sorry, but your files are locked due to a critical error in your system. If you yourself want to decrypt the files - you will lose them FOREVER. You have to pay BITCOINS to get your file decoder. DO NOT TAKE TIME, you have SEVERAL DAYS to pay, otherwise the cost of the decoder will double. How to do it is written below. If you cannot do it yourself, then search the Internet for file recovery services in your country or city. Go to the page through the browser: http://restore-now.top/online-chat/ If your site does not open, then download the TOR browser (https://torproject.org/). If you can�t access the download page of the TOR browser, then download the VPN! After you install the TOR browser on your computer go to the site: http://i6jppiczqa5moqfl57gssi33npwfseqppdsnz7rriiv7suf4pf4w42id.onion After going to the site, enter the information: Your ID: 67622281495 Personal key: bWxsbG0oSGt0cHUoPT49OTk5Pzg7QDwoSkEnOTw8Njk6PidOaUM2aXlFJw== Your Email

URLs

http://restore-now.top/online-chat/

http://i6jppiczqa5moqfl57gssi33npwfseqppdsnz7rriiv7suf4pf4w42id.onion

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\UnpublishUndo.raw => C:\Users\Admin\Pictures\UnpublishUndo.raw.feeef	DirectX_Update.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ConfirmPop.tiff	DirectX_Update.bin.exe
File renamed	C:\Users\Admin\Pictures\ConfirmPop.tiff => C:\Users\Admin\Pictures\ConfirmPop.tiff.feeef	DirectX_Update.bin.exe
File renamed	C:\Users\Admin\Pictures\RemoveSplit.tif => C:\Users\Admin\Pictures\RemoveSplit.tif.feeef	DirectX_Update.bin.exe
File renamed	C:\Users\Admin\Pictures\SendConfirm.crw => C:\Users\Admin\Pictures\SendConfirm.crw.feeef	DirectX_Update.bin.exe
File renamed	C:\Users\Admin\Pictures\UnprotectEdit.raw => C:\Users\Admin\Pictures\UnprotectEdit.raw.feeef	DirectX_Update.bin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	DirectX_Update.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fuck_this_PC = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DirectX_Update.bin.exe"	DirectX_Update.bin.exe

Drops desktop.ini file(s) 26 IoCs

description	ioc	Process
File created	C:\Users\Admin\Saved Games\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Admin\Searches\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Public\Music\Sample Music\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Public\Pictures\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Public\Videos\Sample Videos\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Admin\Desktop\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Admin\Downloads\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Admin\Favorites\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Admin\Links\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Admin\Videos\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Public\Videos\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Admin\Documents\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Admin\Music\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Admin\Pictures\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Public\Recorded TV\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Admin\Contacts\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Public\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Public\Desktop\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Public\Documents\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Public\Downloads\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Public\Libraries\desktop.ini	DirectX_Update.bin.exe
File created	C:\Users\Public\Music\desktop.ini	DirectX_Update.bin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	DirectX_Update.bin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	DirectX_Update.bin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	DirectX_Update.bin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	DirectX_Update.bin.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe
852	DirectX_Update.bin.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	768	WMIC.exe
Token: SeSecurityPrivilege	768	WMIC.exe
Token: SeTakeOwnershipPrivilege	768	WMIC.exe
Token: SeLoadDriverPrivilege	768	WMIC.exe
Token: SeSystemProfilePrivilege	768	WMIC.exe
Token: SeSystemtimePrivilege	768	WMIC.exe
Token: SeProfSingleProcessPrivilege	768	WMIC.exe
Token: SeIncBasePriorityPrivilege	768	WMIC.exe
Token: SeCreatePagefilePrivilege	768	WMIC.exe
Token: SeBackupPrivilege	768	WMIC.exe
Token: SeRestorePrivilege	768	WMIC.exe
Token: SeShutdownPrivilege	768	WMIC.exe
Token: SeDebugPrivilege	768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	768	WMIC.exe
Token: SeRemoteShutdownPrivilege	768	WMIC.exe
Token: SeUndockPrivilege	768	WMIC.exe
Token: SeManageVolumePrivilege	768	WMIC.exe
Token: 33	768	WMIC.exe
Token: 34	768	WMIC.exe
Token: 35	768	WMIC.exe
Token: SeIncreaseQuotaPrivilege	768	WMIC.exe
Token: SeSecurityPrivilege	768	WMIC.exe
Token: SeTakeOwnershipPrivilege	768	WMIC.exe
Token: SeLoadDriverPrivilege	768	WMIC.exe
Token: SeSystemProfilePrivilege	768	WMIC.exe
Token: SeSystemtimePrivilege	768	WMIC.exe
Token: SeProfSingleProcessPrivilege	768	WMIC.exe
Token: SeIncBasePriorityPrivilege	768	WMIC.exe
Token: SeCreatePagefilePrivilege	768	WMIC.exe
Token: SeBackupPrivilege	768	WMIC.exe
Token: SeRestorePrivilege	768	WMIC.exe
Token: SeShutdownPrivilege	768	WMIC.exe
Token: SeDebugPrivilege	768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	768	WMIC.exe
Token: SeRemoteShutdownPrivilege	768	WMIC.exe
Token: SeUndockPrivilege	768	WMIC.exe
Token: SeManageVolumePrivilege	768	WMIC.exe
Token: 33	768	WMIC.exe
Token: 34	768	WMIC.exe
Token: 35	768	WMIC.exe
Token: SeBackupPrivilege	1004	vssvc.exe
Token: SeRestorePrivilege	1004	vssvc.exe
Token: SeAuditPrivilege	1004	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 1316	852	DirectX_Update.bin.exe	26
PID 852 wrote to memory of 1316	852	DirectX_Update.bin.exe	26
PID 852 wrote to memory of 1316	852	DirectX_Update.bin.exe	26
PID 852 wrote to memory of 1316	852	DirectX_Update.bin.exe	26
PID 1316 wrote to memory of 768	1316	cmd.exe	28
PID 1316 wrote to memory of 768	1316	cmd.exe	28
PID 1316 wrote to memory of 768	1316	cmd.exe	28
PID 1316 wrote to memory of 768	1316	cmd.exe	28

C:\Users\Admin\AppData\Local\Temp\DirectX_Update.bin.exe
"C:\Users\Admin\AppData\Local\Temp\DirectX_Update.bin.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic.exe shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/852-0-0x0000000000860000-0x0000000000871000-memory.dmp

Filesize
68KB

Download
memory/852-1-0x00000000024B0000-0x00000000024C1000-memory.dmp

Filesize
68KB

Download
memory/852-2-0x0000000000860000-0x0000000000871000-memory.dmp

Filesize
68KB

Download
memory/1568-66-0x000007FEF7C60000-0x000007FEF7EDA000-memory.dmp

Filesize
2.5MB

Download