Overview

overview

10

Static

static

DirectX_Up...in.exe

windows7_x64

10

DirectX_Up...in.exe

windows10_x64

10

Analysis

  • max time kernel
    100s
  • max time network
    116s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    23/08/2020, 17:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DirectX_Update.bin.exe

  • Size

    401KB

  • MD5

    feaccffc7990693228933d5a5f67b833

  • SHA1

    adcad8fe079bfcfdcf09cca72920d5e93d61594a

  • SHA256

    30718dcdb6fc8e48a442f5b1f63e413e69f6cf2a279fed1c7c80e9517a133317

  • SHA512

    739151a037f3a27699c4f14df4e613e0f86bc6e39988fbceb978935c6a048de3c4ce8117b413a17bc8a1a1d0f4dbb5867a96eb5d0fa369c020a8c39e40535c03

Score
10/10
ransomwarepersistence

Malware Config

Extracted

Path

C:\ATTENTION-acbbf-README.txt

Ransom Note
Sorry, but your files are locked due to a critical error in your system. If you yourself want to decrypt the files - you will lose them FOREVER. You have to pay BITCOINS to get your file decoder. DO NOT TAKE TIME, you have SEVERAL DAYS to pay, otherwise the cost of the decoder will double. How to do it is written below. If you cannot do it yourself, then search the Internet for file recovery services in your country or city. Go to the page through the browser: http://restore-now.top/online-chat/ If your site does not open, then download the TOR browser (https://torproject.org/). If you can�t access the download page of the TOR browser, then download the VPN! After you install the TOR browser on your computer go to the site: http://i6jppiczqa5moqfl57gssi33npwfseqppdsnz7rriiv7suf4pf4w42id.onion After going to the site, enter the information: Your ID: 09302895631 Personal key: aGppaW0oSGt0cHUoN0A6Nzk/QDw9OjgoSkEnOTw8Njk6PydOaUM2aXlFJw== Your Email
URLs

http://restore-now.top/online-chat/

http://i6jppiczqa5moqfl57gssi33npwfseqppdsnz7rriiv7suf4pf4w42id.onion

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 24 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Modifies service 2 TTPs 4 IoCs
    persistence
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DirectX_Update.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\DirectX_Update.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3588
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic.exe shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:504
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:376

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3588-0-0x0000000001550000-0x0000000001551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3588-1-0x0000000001D50000-0x0000000001D51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3588-2-0x0000000001550000-0x0000000001551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3588-59-0x0000000001D50000-0x0000000001D51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3588-60-0x0000000001550000-0x0000000001551000-memory.dmp

    Filesize

    4KB

    Download