Overview

overview

10

Static

static

644fd4c06b...in.exe

windows7_x64

10

644fd4c06b...in.exe

windows10_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    07/09/2020, 13:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    644fd4c06b04899ca4b1c432c2139c68aeeb4fb9a0bf7f51eee3c26e30c1c1f2.bin.exe

  • Size

    140KB

  • MD5

    cb4eb930077d38e517886b9f44d73d01

  • SHA1

    720f309a06cb0941661e6d52b8f7a13dcb977c58

  • SHA256

    644fd4c06b04899ca4b1c432c2139c68aeeb4fb9a0bf7f51eee3c26e30c1c1f2

  • SHA512

    0dd96955bb3d5ecb591e77a84238fa7d6e18d657e10d14654d77d4c1a15cbb511f6a61e1b33e12f7088bd0d5048471d7205aba5c66e091e328dfa854ccaec583

Score
10/10
ransomwarepersistence

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-1000-0000000FF1CE}-C\readme.txt

Ransom Note
Attention! Your network has been locked All files on each host has been encrypted For this server all encrypted files have extension: .SNwyR ---- You cant open or work with encrypted files while it encrypted All backups has been deleted or formatted, do not worry, we can help you restore your files We use strongest encryption algoriths, the only way to return your files back - contact us and receive decryption program. Do not worry about guarantees - you can decrypt any 3 files FOR FREE as guarantee ---- Contact us: [email protected] or [email protected] And attach in first letter this file or just send all info below (copy all info!): key: eyJleHQiOiIuU053eVIiLCJrZXkiOiJKMElrck9JTW9DVnFaTjdhRTFHOUtzdkUrS2N2dU9YVHVUTXZmV1lQMW9SUzZjaW1xbkFGWG9nR3UvUHd5TTlzOUZOZGRXeWVRV2pack90TzhGWDRWQkZ1eHlXZHNvNFVtVXN0QjVNOFNxdkQwZW9mL3NvMkJNVnRjTUpqcjVUWGJYektVdDNyamRtekRqRHppQXN5Yjc5NGtYNENuelFsR0pacmduNnlKem1ROHc2dng0aUhnRU9NQld2cWxxb1ozeUxSVThPSTh3RS8xWjFYYUdYRDFaTjBmNWx1SUZ6SG8wNG1XeHBnSXdMUDdhNUx4dFdsSnNkenRBLy9SSUNkT2FBVGl5QWRMZGgxNlpQRStKVXYwUzdyRmJraEFDdWF1OWFqcFZZR0RUNDc3aGg3ZEswYWFPMHNMVWpIUm1pc0NMVHB3VTg0cVBpaUtZZzV1MURuYWRRdnNIdEN2MktXMEIxRmJsdTV4MmxyaFE4YVBQMUN0dGUzS0tlMHJFOEYxTHRwaFJaSzlNWit3YVpCNkg0SThEQXU3YmlmaTh5UUN2cGpNQ1BGSFVRQ3RDRjFwemw2Umg4eGozNEd6UjRkaU5MeDBWYWEvTmJsb2F4WTM1NGxISkttZEFzUEJxdlI0a0NMUlVoV1VjSEJtS1hMNWcwb3JaTzVHTnp2QlBvUVVSRk1Rd1RFRFJHcEFUUGYwQThsb3RvbXJxaHFRazJiS0FKSjdCeU5TSWc4MmdlOEZweHZOeFNxbjVpOEJrUWZsWTh4Y3lQaFRVS3RoRXc0eUIxVnZzN25NVEQwTHMzTTJNendScEhuU1ZBVU9YRzd1TklnV0dGNU83Tjlhd2VLQ1k4RDYyS3lnMTlLbkZJOXJrbks2cXd2eEUxS0FNTVlwR2kzWEhnWXYxQT0iLCJuZXR3b3JrIjoidHJ1ZSIsInN1YmlkIjoiNTQ4MyIsImxhbmciOiJlbi1VUwAifQ== personal id: AX90F0H4

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Enumerates connected drives 3 TTPs
  • Modifies service 2 TTPs 4 IoCs
    persistence
  • Interacts with shadow copies 2 TTPs 5 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 998 IoCs
  • Suspicious use of AdjustPrivilegeToken 103 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\644fd4c06b04899ca4b1c432c2139c68aeeb4fb9a0bf7f51eee3c26e30c1c1f2.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\644fd4c06b04899ca4b1c432c2139c68aeeb4fb9a0bf7f51eee3c26e30c1c1f2.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1528
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1648
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1900
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1964
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1032
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1008
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1296
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:1216
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
        PID:868
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        2⤵
        • Interacts with shadow copies
        PID:1088
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Modifies service
      • Suspicious use of AdjustPrivilegeToken
      PID:1672

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads