9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.zip

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe

Filesize

592KB

Completed

26-10-2020 12:51

Score

10 ^/10

MD5

2bc8eb9cd7e24da82800105ce3fc52e7

SHA1

1b75ab3c677b082fae270da1e8d0d2841837d67a

SHA256

9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae

Extracted

Path	C:\Users\Admin\Desktop\README_encrypted.txt
Ransom Note	ATTENTION!!! ALL YOUR FILES HAVE BEEN ENCRYPTED YOU HAVE TO PAY $1000 DOLLARS TO UNLOCK YOUR FILES. PLEASE CONTACT <insert onion site here>.onion using Tor Browser. Make sure to provide the metadata.bin file that you can find in your user folder.

Collection

Credential Access

Defense Evasion

Persistence

Modifies extensions of user files

9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe

Description

Ransomware generally changes the extension on encrypted files.

Reported IOCs

description	ioc	process
File created	C:\Users\Admin\Pictures\ImportSync.png_encrypted	9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe
File created	C:\Users\Admin\Pictures\RestartUse.raw_encrypted	9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe
File created	C:\Users\Admin\Pictures\SwitchRestart.tif_encrypted	9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe
File created	C:\Users\Admin\Pictures\ExpandAdd.png_encrypted	9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe

Reads user/profile data of web browsers

Description

Infostealers often target stored browser data, which can include saved credentials etc.

Tags

spyware

TTPs

Data from Local SystemCredentials in Files

Modifies service

9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exevssvc.exe

TTPs

Modify RegistryModify Existing Service

Reported IOCs

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher	9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Suspicious use of AdjustPrivilegeToken
vssvc.exe

Reported IOCs

description pid process

Token: SeBackupPrivilege 612 vssvc.exe
Token: SeRestorePrivilege 612 vssvc.exe
Token: SeAuditPrivilege 612 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	612	vssvc.exe
Token: SeRestorePrivilege	612	vssvc.exe
Token: SeAuditPrivilege	612	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe

"C:\Users\Admin\AppData\Local\Temp\9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe"

Modifies extensions of user files
Modifies service

PID:1892

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Modifies service
Suspicious use of AdjustPrivilegeToken

PID:612

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Modify Existing Service

Privilege Escalation

00:00 00:00

memory/1892-0-0x0000000000400000-0x000000000049B000-memory.dmp
Download

9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.zip

Extracted

Filter: none

Description

Tags

Reported IOCs

Description

Tags

TTPs

Tags

TTPs

Reported IOCs

Reported IOCs

Title