Analysis

  • max time kernel
    258s
  • max time network
    261s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    01-10-2020 14:18

General

  • Target

    run.bat

  • Size

    131B

  • MD5

    8edbf5df7aebe871b491e0ec7e52038a

  • SHA1

    f41b24074ed38cad1be394ff7cb5a7086c6b7fa1

  • SHA256

    d4088bf2fe9e25800f51bc1176ae711a3f1038fedeb72d9c406ed963795a1f8f

  • SHA512

    682ea13ef588627b5d3955cab498b21390031b1042fab0532d4273c78564a957641f3f303e8b42a6b90472483eb49ed5dc0bf1aac58b910d51d0b7f4b0c1ff0b

Malware Config

Extracted

Path

C:\RECOVER-FILES.txt

Family

sekhmet

Ransom Note
-------------- | Attention! | -------------- Your company network has been hacked and breached. We downloaded confidential and private data. In case of not contacting us in 3 business days this data will be published on a special website available for public view. Also we had executed a special software that turned files, databases and other important data in your network into an encrypted state using RSA-2048 and ChaCha algorithms. A special key is required to decrypt and restore these files. Only we have this key and only we can give it to you with a reliable decryption software. --------------------------------------- | How to contact us and be safe again | --------------------------------------- The only method to restore your files and be safe from data leakage is to purchase a private key which is unique for you and securely stored on our servers. After the payment we provide you with decryption software that will decrypt all your files, also we remove the downloaded data from your network and never post any information about you. There are 2 ways to directly contact us: 1) Using hidden TOR network: a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR browser c) Open our website in the TOR browser: http://o3n4bhhtybbtwqqs.onion/B36B1ABBE151F36D d) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://sekhmet.top/B36B1ABBE151F36D b) Follow the instructions on this page On this web site, you will get instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ----------------------- |Questions and answers| ----------------------- We understand you may have questions, so we provide here answers to the frequently asked questions. ==== Q: What about decryption guarantees? A: You have a FREE opportunity to test a service by instantly decrypting for free 3 files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat. ==== ==== Q: How can we be sure that after the payment data is removed and not published or used in any nefarious ways? A: We can assure you, downloaded data will be securely removed using DoD 5220.22-M wiping standart. We are not interested in keeping this data as we do not gain any profit from it. This data is used only to leverage you to make a payment and nothing more. On the market the data itself are relatively useless and cheap. Also we perfectly understand that using or publishing this data after the payment will compromise our reliable business operations and we are not interested in it. ==== ==== Q: How did you get into the network? A: Detailed report on how we did it and how to fix your vulnerabilities can be provided by request after the payment. ==== -------------------------------------------------------------------------------------- This is techinal information we need to identify you correctly and give decryption key to you, do not redact! ---SEKHMET--- vGHJcYEXnZsFb1sXHjmttcn8szHRzZG7konq+WCV6fFcyRPI7QmncfeafmF5z1xpcNwerOu9g7femC3POye6hI1/KmbRD53xEEUoJlVdhXmqiTmuxE3LTVrsLZedZEFInLvTTE7S5o42mFDZNtqVmpRVMD+7iGbnavkDo5XWtkAzlYdDbsynn2l4TeMR7SxLrbACo2gjY8Zf79GZ9Dt5/U81IXgHPItA6AUSleevGrarTHEBS087rE+5vrgl2MJ7whVhjnlVbhSTgEuKs3gTTlp8ytbDA7YIaqHH6I4KBso+ZukXMSWkxUyxve6l7RE51tz5PpZ95L6UgvfxYhw+fhkKkIonOV2mBEzq9D6KEYSFoVeo3aIbrajACNm0R6s1zi7C0riVKaekM3AdYn7I4IDoAlGTW+k7tmE2jul2xUtoUKIpaBUfpqgLmFoJbPXX1gVvM4xVKEbq9ZsDbNiJ5B9GzwZvwxMvhzJxyjYEuWjGTQkLmACM7GiMaBoRXAdYZGaSWvcBFXYBs5Ro1aMiJV+kpVwZdtLcoNghOAXvSl/GwCVdlgiS2N2WSHKY+6JDb/weYc/1nFFawArHCXgOhclwpjj78NPHxQ/qs5lmVBN3RXFapXqk/PBdc+fEg5TbpD4FU8zIhXX/i5qynqFAbmKD2Zl9OKjNewa2VOhA2vft8DmOUP5sVJRGvrXWZ9h7GGFoIqjd9AKXM3zLdU/ZzmFdkk4d5yuYFoXUabBnjebhGlOFrkJjWxXrE4+AVU+VNbQnJK1g2qkDHd8IjquZ67ZQN+VIBC3WSYp37owy5hrh9TVoD2a3E6F+4w479zjJRhxtbDE6PBosteHgkFDTCVJnwq5M2AZx4L9I7xclQomceN1JboWGDGWhQOnH2FPFLPfCaqpkdY0OMDzZM2WZbRLOSzeUjtHLhDLpU69dPfuLO0x1JtOhdZD+7T2BlK0FsfL+sXpQSoT0M08WY6fqul6qx7n9bQeFr24d5aOIVpN7HJGK7gkA6XnbM1Je7w8I58fuV50NWIzKT0vUqUL+Ls8R7gmzjLSctdTwZCLL355C/Qq9uW/S8UW+pyen4hNz1Hx9hjdqy2wdSx/mH2SVWZ6MmIQ3Y1Janq6ynuTTT9QfpTKgzyHdbWYxM4/Z1Af+oN0KKjEbJ+ho57gvR3fIjYVdJeImCEUGIsF5BAfPOc1QEfynrppqeFPDU+PmRTk7GjUqYtJvE4N4dJ/NgRuGAtIxBGZu1s3vd9pQs1Z3t+ppSAQo3YpzaouRR7sI4E5B8OnFigg34iZ6UhgvwTTF/pWAA9rXwBgZvJfx3NWLHFZpCExSi1YTiI4RNVO9mlyiNh8Kw6fma7FZHObU099HOczaZSSE3hWkws1lCaWrDw20rmKpeaYlbsFcmV5oZl4zE8nrXQGIc5QZLc4ZOCuKkguDWwOHat5lSA1rg8lvH2vpBWJUA3+wtBT3zJpagZroKNh2mJTV1PBa8plgArLdtjhdF1kNc9SxasJ8OEGu6Uevg2/fzFHlF8t8T52SX1xjxD+g2RbHSprh/faYQCuMQenGDkX4tM2juC7+nuaCeVXwTpfESEuudZp5t3qm+B4dmEmrA7aNzGlbD1PX3vzWfuwfF8QrJS4f0HBO6RB2bvmdrW4t1aUUhuOktNT2C+IWeZYYf07hP2d1awVbuvdLbb0jFyNHzKE34gimK3DhNk18OkJWsfiZt/sFDLC+vBRODZ8zlTxnAC/b++gHs3D4l0ztv+jrjdFmnnHEh9alMBdgEnYiSjIB7D179Co61OcU+/jRB9a7Vguqg9YehVZHwSU83Pl81VCRQdBFhVnWU1ht/g8znKWMThqdxlnVB2QV3VkApezRNmgpaZCvUHwrqyWHSPd/xkCNbrv1lkohb5suDE1uRyTC0xZx8M89YrxRFHtA+EDkRvo1w+Y0H/tRvdr51ej/KDgF9rGj0Hyrf57lAS8//rOEeNg7JQF7Bg/5Upb+dWVlZfIXzqIQ9vzSZTIhkVnkX96SSRve0d5vC5veO2xCSEQrIlpFakQ3c8Bq1GoFBdUMGNde4smx5K9MT8/tSyPLlgM1Fhfg+LyV0EDJ1dqbHUaQYJXYGjapM4UsWZSN6OqqQcWtOnyWwIVK6Z2DHVQe62wXDcCxtvAou5/mp8xFLcBiZ1RxgXM5HNPo1wCn8xtU9LzUV7TL7cgWZng+mD69Dvbv9BZVL5Xo8L7urpyZtJUY8/cv+RIMqZbH/EnyNggBEAEYASCAAigAOhJWAEcARgBQAEUAUABLAFcAAABCIkIAMwA2AEIAMQBBAEIAQgBFADEANQAxAEYAMwA2AEQAAABKOHwAQwA6AEYAXwAyADQANAAzADAAOAAvADIANgAyADAANAAxAHwARAA6AEMAXwAwAC8AMAB8AAAAUgxBAGQAbQBpAG4AAABoAHIeVwBpAG4AZABvAHcAcwAgADEAMAAgAFAAcgBvAAAAehRXAE8AUgBLAEcAUgBPAFUAUAAAAA== ---SEKHMET---
URLs

http://o3n4bhhtybbtwqqs.onion/B36B1ABBE151F36D

https://sekhmet.top/B36B1ABBE151F36D

Signatures

  • Sekhmet Ransomware

    Ransomware family active in the wild since early 2020.

  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Modifies service 2 TTPs 5 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Windows\system32\regsvr32.exe
      regsvr32.exe /s "C:\Users\Admin\AppData\Local\Temp\fceb299326ef4298a3c30e10b31d8c64f1369b182ac256d1eeaf148c1adcea8d.dll"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Windows\SysWOW64\regsvr32.exe
        /s "C:\Users\Admin\AppData\Local\Temp\fceb299326ef4298a3c30e10b31d8c64f1369b182ac256d1eeaf148c1adcea8d.dll"
        3⤵
        • Modifies extensions of user files
        • Drops startup file
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        PID:2608
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:2076

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Modify Existing Service

1
T1031

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2172-0-0x0000000000000000-mapping.dmp
  • memory/2608-1-0x0000000000000000-mapping.dmp
  • memory/2608-2-0x0000000002B30000-0x0000000002B58000-memory.dmp
    Filesize

    160KB