Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    17-09-2020 19:24

General

  • Target

    9d3a482d9441876096e0cee429fedf7b9f7e1c6a50b3e4b2009884019627d879.bin.exe

  • Size

    166KB

  • MD5

    63ae6ca6853552716571555546833d99

  • SHA1

    09e37e98a74ec8edb36b22a4eb51dbed4390544a

  • SHA256

    9d3a482d9441876096e0cee429fedf7b9f7e1c6a50b3e4b2009884019627d879

  • SHA512

    087baf5fbf764f480f384cbdee878d3dfb8b3880f378b4597d5e292f392341e5da196ee2232a441c6268b7760afffdde293f35f536ee55cff4992b4b45238f86

Score
10/10

Malware Config

Extracted

Path

C:\readme-w6nk8a0i7-NOW.txt

Ransom Note
Your files are locked due to a vulnerability in your system by "w6nk8a0i7" extension. You will not be able to decrypt the files yourself, in the worst case you can destroy the data irreversibly. The only way to unlock your data is to buy the decryption program. Go to the link written below to more details. If you cannot do this yourself, find a data recovery company in internet. They cannot help you unlock your data, because only we have decryption key, but will help you make a payment and provide you guarantees. ATTENTION! DATA RECOVERY AGENCIES WORK AND DURING THE CORONOVIRUS QUARANTINE, THEY WILL HELP YOU REMOTE. Also, I ask you to note, you have no long time, if you do not make payment soon, the price for the decryptor will double. So I recommend you dont waste time and move! Go to the page through the browser: http://decryptor.cc/BF0BAB5EF88A0393 If your site does not open, then download the "TOR Browser" (https://torproject.org/). If you cannot access the download page of the "TOR Browser", then download the VPN! 
After installing "TOR Browser", open it and follow the link: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BF0BAB5EF88A0393 After going to the site, enter the following code: bSWDNlB/4HjDEVl3CTLPzT7HTm81TQzz0jRbBkGLunjyVZxH0/6bw4UwtiFsldjB op3zFOMHaLiw1xqZLhxztmLGAwFtC29ErRZ9qweCAMhKFhFtFdeciG9C81vS9y1D AQil6aTdoGKH644S/iVqO/gcgG7022nLfFA0gkusTNLw6F5th6m1PSLK32WeLKly 7E8E0NXWrsYvewbWzLRXSb6KhkkJILoyZqvrnkZMSpR7lfqI6gQiP3/8F0kZm1O5 PiN8zYM6QwWuKXRESwcszJWYk1iPGmjIyC0bhL1aaftAXGUe+10LDTa5vsJuutLS lQhalufMxfvv4EIHAgi9wdbEXyhpucOU/gMTVLGkfLFM7nNT1k8kAieF0KraKi+7 1VYInNp3sL7UYMkdAEVpWrukHDb+HLPlJoYwb38PYEjljDlCL5KKygOaByZNu07h iUOqhY685IQ/SK4+an/5J50mYgytEF9ggJEGJCxZ4XvpsB+B9HdJ2TVJp2T8V5zn ai7HHQCdXfpXqUWe/ARJ1McdHrI8aVmAXncuHcqoU4rMkwI5eMMF55tAHPyOKwNk bKq7uXlVY9s5tQvNuyhJ3tVAx8BIPdJlsF/2Mg0TBYFD/8IJMoyj9I74BN7qZKxY x2bd0ppD5cgdHrXPbuoCNFRBsP54RUmIfPEi3b+k10CPWq/fRqJ08NXF5rEsmvmL c3m1yXujETS5wxEF/hqC3TlbjPsFIqTCbfvSJ/PKQ1PJ55btymixBJ2Zpm1tlc/g mWJLe3OeO60z6mV0JF2Xy89M7HRFLIWTH38m1tkYrVExWXg1i1XCGZfOMDX0LWT7 3SWE4wvybWHHFqkTaeFgF/ISFykXUNn2MAkmAJmgHj6M29GedP7T7YWsjseRplRY tm133HyD2Y7GwAT9zXQGEqXYbkPm4Qebpehj4ARZShCp1x+S1zCVt2xZd+jGDKX/ sQ5OyGfhBsrWx1fSRkAqyKZvgIbXAEnmUzZ1P4YPiZlYnUykWH2pOV0lIvwNUXwz D1CAQ6L+k6imR9/tfZz0JOnQnOSHCfvR6OWd42hQ3Or8w+UAnjd+VW5VewXZDNzS l3hVY4YKdDEav/Y1Q8jOb84mYPSZbCo9RtnrtZ/GC4G21+3Vgyh/I7UBjA77wPHB cPM/pQdKUYV6aOfhLm/QBjW2CKSx6AlCWbq/CuCP+lbRfCWBX5vL87Csxxzb7LM+ y2thdVRoZxedRQ5Ccs/sbM3MeBoTS07APUDWTT1evharkwvLHKE1iSWgBR5JtiE8 zmpt667HzSkCnI+oKCeayvAfC9XV3A==
URLs

http://decryptor.cc/BF0BAB5EF88A0393

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BF0BAB5EF88A0393

Signatures

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies service 2 TTPs 5 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 39 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9d3a482d9441876096e0cee429fedf7b9f7e1c6a50b3e4b2009884019627d879.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\9d3a482d9441876096e0cee429fedf7b9f7e1c6a50b3e4b2009884019627d879.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3168
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:908
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:2452

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/3168-0-0x0000000000000000-mapping.dmp

  • memory/3168-1-0x00007FFA23A20000-0x00007FFA2440C000-memory.dmp

    Filesize

    9.9MB

  • memory/3168-2-0x0000020804A30000-0x0000020804A31000-memory.dmp

    Filesize

    4KB

  • memory/3168-3-0x000002081ED60000-0x000002081ED61000-memory.dmp

    Filesize

    4KB