333228ab18216ac15c4e52529b43efb7364502b588d93d41e964789a5f081373

General

Target

9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe
Size

592KB
MD5

2bc8eb9cd7e24da82800105ce3fc52e7
SHA1

1b75ab3c677b082fae270da1e8d0d2841837d67a
SHA256

9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae
SHA512

ded152931da733433c4b6921313019cae0749bdff91d19bddf489478547628b3a4dcf42438515c83e965b38c7ce256cdba408fe22b68777c583cae014e5d2903

Score

10^/10

ransomware spyware persistence

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README_encrypted.txt

Ransom Note

ATTENTION!!! ALL YOUR FILES HAVE BEEN ENCRYPTED YOU HAVE TO PAY $1000 DOLLARS TO UNLOCK YOUR FILES. PLEASE CONTACT <insert onion site here>.onion using Tor Browser. Make sure to provide the metadata.bin file that you can find in your user folder.

Signatures

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\ImportSync.png_encrypted	9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe
File created	C:\Users\Admin\Pictures\RestartUse.raw_encrypted	9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe
File created	C:\Users\Admin\Pictures\SwitchRestart.tif_encrypted	9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe
File created	C:\Users\Admin\Pictures\ExpandAdd.png_encrypted	9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher	9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 612 vssvc.exe
Token: SeRestorePrivilege 612 vssvc.exe
Token: SeAuditPrivilege 612 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	612	vssvc.exe
Token: SeRestorePrivilege	612	vssvc.exe
Token: SeAuditPrivilege	612	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe
"C:\Users\Admin\AppData\Local\Temp\9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe"
1⤵
- Modifies extensions of user files
- Modifies service
PID:1892