Analysis

  • max time kernel
    136s
  • max time network
    130s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    07/09/2020, 13:56

General

  • Target

    644fd4c06b04899ca4b1c432c2139c68aeeb4fb9a0bf7f51eee3c26e30c1c1f2.bin.exe

  • Size

    140KB

  • MD5

    cb4eb930077d38e517886b9f44d73d01

  • SHA1

    720f309a06cb0941661e6d52b8f7a13dcb977c58

  • SHA256

    644fd4c06b04899ca4b1c432c2139c68aeeb4fb9a0bf7f51eee3c26e30c1c1f2

  • SHA512

    0dd96955bb3d5ecb591e77a84238fa7d6e18d657e10d14654d77d4c1a15cbb511f6a61e1b33e12f7088bd0d5048471d7205aba5c66e091e328dfa854ccaec583

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\.oracle_jre_usage\readme.txt

Ransom Note
Attention! Your network has been locked All files on each host has been encrypted For this server all encrypted files have extension: .tulCp ---- You cant open or work with encrypted files while it encrypted All backups has been deleted or formatted, do not worry, we can help you restore your files We use strongest encryption algoriths, the only way to return your files back - contact us and receive decryption program. Do not worry about guarantees - you can decrypt any 3 files FOR FREE as guarantee ---- Contact us: [email protected] or [email protected] And attach in first letter this file or just send all info below (copy all info!): key: eyJleHQiOiIudHVsQ3AiLCJrZXkiOiI4NDA5UU15RWxwaUo5UEg2Q29aNklPTHlsY28xVG81bWllNHA0aXRZNndYdkxLVFF3L2Z5azd1dkp6OHAzdkFJWDBuclRiT3QxcG05VHVtdlJPbkVCdldMVmcvbXlZakJvTkF0WmN2M251c2lQMHBrSWo2TThLa01yUHYrYXpTVFV0YUhaRHhvM1pSU2NvaTZicGk5VmF0TEFJQWhaL0k4dE5uK0NGcGVIejkxTkVXaGMyb0xSRUt1ZWxsb3FVR052TkZkcENEbGVMWkRFdmt4TFJXT2RmUm4vaGk5QjZoNTFkblVaY3pEV2p4R0xxTU9KVGs1TlY1dEYyOUUzUG1ndTlwaHVQVEhyY1JMTVRlUDIxVzVLQlJLWm9EQXNlSmI5R0N1R0lTVFA2a0RIaEdwa3o2VnBRSHBraXJXcG85czhUMHhHclE5RnV5WkJKZVh2STNySGF4UlJZb25UQlZJN252Tk5tUFY4WXZyd09sSFppR0sxS1dIY09sUmNubDRRRmExa1ZCMGhQSEZDOUYyRmFtWk1KTEVSRkZTdk5UeWVqMzZPREROMkEwYUI0WGxxaWJZaEM2eFp6NEJWd1VOYzlKdm5VQjg3d1ZTcVN6WTVOSmpGZUdjbEF2aGhqYkFrS053MWlPVzB0TVRDWWExaGVBZzJJSEd4K0pmZVNxd1Y3L0lHMVlmdTNxb2toQVcveVBnT0JGWXU4SzdCK1JGUEJqZXhjcTZjZGJZayt5WmdCUkp2VHNFaS9PcDhZMmtFRzFTMFNlVVg1OFVmZDZlbGl1UmxyWVBnOFM2RDJSYWxYOTk5K3hxemNlakwvT3BYVEdrelhpVlpmV2h4Y1IzRlhNQ2ppOVVtKzRNRXFaWFZGMUhBWlJoSjQxNE1NYTFibkdGSlNiaWVaMD0iLCJuZXR3b3JrIjoidHJ1ZSIsInN1YmlkIjoiNTQ4MyIsImxhbmciOiJlbi1VUwAifQ== personal id: AX90F0H4
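The "key:" value in the note above is not a key at all but a base64-wrapped JSON object carrying the per-victim configuration (the extension ".tulCp" that the note announces, a sub-ID, a locale flag and the actual encrypted key material). The decoder below is an added example, not part of the sandbox report or of the malware; the note text is copied from the report verbatim, and the function and variable names are assumptions. One caveat worth knowing before you paste such a blob into a JSON parser: the "lang" value ends in a NUL byte (a C string apparently copied with its terminator), which a strict parser rejects.

```python
"""Decode the configuration blob embedded in the ransom note above (added example)."""
import base64
import json
import re

# Ransom note as dropped at C:\Users\Admin\.oracle_jre_usage\readme.txt in the run above,
# copied verbatim from the report (e-mail addresses are redacted in the report itself).
NOTE = (
    "Attention! Your network has been locked All files on each host has been encrypted "
    "For this server all encrypted files have extension: .tulCp ---- You cant open or work "
    "with encrypted files while it encrypted All backups has been deleted or formatted, do "
    "not worry, we can help you restore your files We use strongest encryption algoriths, "
    "the only way to return your files back - contact us and receive decryption program. "
    "Do not worry about guarantees - you can decrypt any 3 files FOR FREE as guarantee ---- "
    "Contact us: [email protected] or [email protected] And attach in first letter this file "
    "or just send all info below (copy all info!): key: "
    "eyJleHQiOiIudHVsQ3AiLCJrZXkiOiI4NDA5UU15RWxwaUo5UEg2Q29aNklPTHlsY28xVG81bWllNHA0aXRZNndYdkxLVFF3L2Z5azd1dkp6OHAzdkFJWDBuclRiT3QxcG05VHVtdlJPbkVCdldMVmcvbXlZakJvTkF0WmN2M251c2lQMHBrSWo2TThLa01yUHYrYXpTVFV0YUhaRHhvM1pSU2NvaTZicGk5VmF0TEFJQWhaL0k4dE5uK0NGcGVIejkxTkVXaGMyb0xSRUt1ZWxsb3FVR052TkZkcENEbGVMWkRFdmt4TFJXT2RmUm4vaGk5QjZoNTFkblVaY3pEV2p4R0xxTU9KVGs1TlY1dEYyOUUzUG1ndTlwaHVQVEhyY1JMTVRlUDIxVzVLQlJLWm9EQXNlSmI5R0N1R0lTVFA2a0RIaEdwa3o2VnBRSHBraXJXcG85czhUMHhHclE5RnV5WkJKZVh2STNySGF4UlJZb25UQlZJN252Tk5tUFY4WXZyd09sSFppR0sxS1dIY09sUmNubDRRRmExa1ZCMGhQSEZDOUYyRmFtWk1KTEVSRkZTdk5UeWVqMzZPREROMkEwYUI0WGxxaWJZaEM2eFp6NEJWd1VOYzlKdm5VQjg3d1ZTcVN6WTVOSmpGZUdjbEF2aGhqYkFrS053MWlPVzB0TVRDWWExaGVBZzJJSEd4K0pmZVNxd1Y3L0lHMVlmdTNxb2toQVcveVBnT0JGWXU4SzdCK1JGUEJqZXhjcTZjZGJZayt5WmdCUkp2VHNFaS9PcDhZMmtFRzFTMFNlVVg1OFVmZDZlbGl1UmxyWVBnOFM2RDJSYWxYOTk5K3hxemNlakwvT3BYVEdrelhpVlpmV2h4Y1IzRlhNQ2ppOVVtKzRNRXFaWFZGMUhBWlJoSjQxNE1NYTFibkdGSlNiaWVaMD0iLCJuZXR3b3JrIjoidHJ1ZSIsInN1YmlkIjoiNTQ4MyIsImxhbmciOiJlbi1VUwAifQ== "
    "personal id: AX90F0H4"
)

KEY_RE = re.compile(r"\bkey:\s*([A-Za-z0-9+/=]+)")
ID_RE = re.compile(r"\bpersonal id:\s*(\S+)")


def decode_blob(blob: str) -> dict:
    """Base64-decode the note blob and parse the JSON object inside it."""
    blob = re.sub(r"\s+", "", blob)
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))  # tolerate stripped padding
    # The "lang" value ends in a NUL byte (a C string copied with its terminator, by the
    # look of it); json.loads rejects control characters in strings, so drop NULs first.
    return json.loads(raw.replace(b"\x00", b"").decode("utf-8"))


def parse_note(note: str) -> dict:
    """Pull the config blob and the personal id out of a ransom note."""
    m = KEY_RE.search(note)
    if m is None:
        raise ValueError("no 'key:' blob found in note")
    cfg = decode_blob(m.group(1))
    pid = ID_RE.search(note)
    cfg["personal_id"] = pid.group(1) if pid else None
    # The inner "key" field is itself base64 (the encrypted per-victim key material);
    # record its decoded size, or None if the blob was mangled in transcription.
    try:
        cfg["key_len"] = len(base64.b64decode(cfg.get("key", "")))
    except ValueError:
        cfg["key_len"] = None
    return cfg


if __name__ == "__main__":
    for name, value in parse_note(NOTE).items():
        shown = value[:24] + "..." if name == "key" else value
        print(f"{name:12} {shown}")
```

Note that "network" comes back as the string "true", not a JSON boolean, so compare it as a string when you write a rule on it; the extension, sub-ID and personal id are the fields worth keying a per-victim tracker on.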

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs
  • Modifies service 2 TTPs 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Interacts with shadow copies 2 TTPs 5 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 656 IoCs
  • Suspicious use of AdjustPrivilegeToken 113 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\644fd4c06b04899ca4b1c432c2139c68aeeb4fb9a0bf7f51eee3c26e30c1c1f2.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\644fd4c06b04899ca4b1c432c2139c68aeeb4fb9a0bf7f51eee3c26e30c1c1f2.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3984
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2652
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:3896
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4004
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:3348
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3448
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:3900
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      PID:1184
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2232
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      PID:988
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:4076
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1868
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:3880
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3604
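The tree above is the behaviour behind the "Deletes shadow copies" and "Interacts with shadow copies" signatures: the sample (PID 3984) launches vssadmin.exe and wmic.exe five times each against the volume shadow copies, and the Volume Shadow Copy service (vssvc.exe) starts in response. The following is an added detection example, not part of the report: it replays process-creation events reconstructed from that tree through a small rule set for shadow-copy and recovery inhibition and raises a per-parent alert once the number of hits under one parent crosses a threshold, so the single vssadmin run a backup job performs stays quiet while a burst like this one does not. The ProcEvent type, the rule names, and the parent PID 0 for processes the report lists at top level (it does not record their parents) are assumptions; the bcdedit, wbadmin and "vssadmin resize shadowstorage" rules cover variants that go beyond the commands on this page.

```python
"""Flag shadow-copy / recovery-inhibition commands in process-creation events (added example)."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 = parent not recorded in the report (assumption for top-level entries)
    image: str
    cmdline: str


# Each rule matches a command line. The wmic rule is deliberately broad: the sample above
# runs "wmic.exe SHADOWCOPY /nointeractive" with no "delete" verb at all, so keying on the
# verb would miss it. Tune it against your own baseline of legitimate wmic shadowcopy use.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vssadmin_resize_storage": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b", re.I),
    "wbadmin_delete": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b", re.I),
    "bcdedit_disable_recovery": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}


def match_rules(cmdline: str) -> list[str]:
    """Names of every rule that fires on one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def detect(events, threshold: int = 3):
    """Return (hits, alerts).

    hits:   one (ppid, pid, rule) tuple per rule match, in event order.
    alerts: {ppid: hit_count} for parents whose children produced >= threshold hits.
    """
    hits = [(ev.ppid, ev.pid, rule) for ev in events for rule in match_rules(ev.cmdline)]
    per_parent = Counter(ppid for ppid, _, _ in hits)
    alerts = {ppid: n for ppid, n in per_parent.items() if n >= threshold}
    return hits, alerts


# Process-creation events reconstructed from the sandbox tree above (constructed for this
# example; PIDs and command lines are the ones the report shows).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\644fd4c06b04899ca4b1c432c2139c68aeeb4fb9a0bf7f51eee3c26e30c1c1f2.bin.exe"
WMIC = r"C:\Windows\SysWOW64\Wbem\wmic.exe"
VSSADMIN = r"C:\Windows\SysWOW64\vssadmin.exe"
EVENTS = [
    ProcEvent(3984, 0, SAMPLE, f'"{SAMPLE}"'),
    *[ProcEvent(pid, 3984, WMIC, "wmic.exe SHADOWCOPY /nointeractive")
      for pid in (2652, 4004, 3448, 1184, 988)],
    *[ProcEvent(pid, 3984, VSSADMIN, "vssadmin.exe Delete Shadows /All /Quiet")
      for pid in (3896, 3348, 3900, 2232, 4076)],
    ProcEvent(1868, 0, r"C:\Windows\system32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc"),
    ProcEvent(3880, 0, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    ProcEvent(3604, 0, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]


if __name__ == "__main__":
    hits, alerts = detect(EVENTS)
    for ppid, pid, rule in hits:
        print(f"parent {ppid} -> child {pid}: {rule}")
    print("alerts:", alerts)
```

On a real host feed (Sysmon event 1 or Windows 4688 with command-line auditing on) the same logic works unchanged; the parent-keyed count is what separates a ransomware burst from an administrator running vssadmin once. Note that vssvc.exe itself never matches: it is the service doing the deleting on behalf of the caller, not the suspicious command line.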

Network

MITRE ATT&CK Enterprise v6
