9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.zip

General
Target

9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe

Filesize

592KB

Completed

26-10-2020 12:51

Score
10/10
MD5

2bc8eb9cd7e24da82800105ce3fc52e7

SHA1

1b75ab3c677b082fae270da1e8d0d2841837d67a

SHA256

9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae

Malware Config

Extracted

Path C:\Users\Admin\Desktop\README_encrypted.txt
Ransom Note
ATTENTION!!! ALL YOUR FILES HAVE BEEN ENCRYPTED YOU HAVE TO PAY $1000 DOLLARS TO UNLOCK YOUR FILES. PLEASE CONTACT <insert onion site here>.onion using Tor Browser. Make sure to provide the metadata.bin file that you can find in your user folder.
Signatures 4

  • Modifies extensions of user files
    9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe

    Description

    Ransomware generally changes the extension on encrypted files. Here the sample appends _encrypted after the original extension (LockDisable.png becomes LockDisable.png_encrypted) rather than replacing it, so the original file types stay visible in the names, and it drops README_encrypted.txt on the Desktop as the ransom note.

    Reported IOCs

    Description  | IOC                                                 | Process
    File created | C:\Users\Admin\Pictures\LockDisable.png_encrypted   | 9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe
    File created | C:\Users\Admin\Pictures\RevokeSet.tiff_encrypted    | 9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe
    File created | C:\Users\Admin\Pictures\SkipUnlock.crw_encrypted    | 9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe
    File created | C:\Users\Admin\Pictures\StopSwitch.raw_encrypted    | 9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe
    File created | C:\Users\Admin\Pictures\SwitchDeny.crw_encrypted    | 9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe
    File created | C:\Users\Admin\Pictures\DenyEnable.png_encrypted    | 9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System
    Credentials in Files
  • Modifies service
    9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe, vssvc.exe

    TTPs

    Modify Registry
    Modify Existing Service

    Reported IOCs

    Description | IOC                                                                                    | Process
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher                 | 9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                 | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer               | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                      | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe

    Note: the subkeys under Services\VSS\Diag are the Volume Shadow Copy service's own diagnostic entries, written when a VSS requester or writer becomes active; they do not reconfigure the service despite the "Modifies service" label. What they show is that the sample loaded the VSS API as a requester (the VssapiPublisher entry is attributed to the sample's process) and that vssvc.exe was started to serve that session. In ransomware this is the usual prelude to enumerating or deleting shadow copies before encryption, but no deletion (vssadmin, wmic shadowcopy, or a VSS API delete call) is recorded on this page, so treat that step as unconfirmed until verified against the sample.
  • Suspicious use of AdjustPrivilegeToken
    vssvc.exe

    Reported IOCs

    Description               | PID  | Process
    Token: SeBackupPrivilege  | 1828 | vssvc.exe
    Token: SeRestorePrivilege | 1828 | vssvc.exe
    Token: SeAuditPrivilege   | 1828 | vssvc.exe

    Note: these privileges are enabled by vssvc.exe (PID 1828), the Windows VSS service running under its own LocalSystem token, not by the sample (PID 3884); backup and restore privileges are what the service needs to read and write any file while taking or managing a snapshot. The signal here is the VSS activity itself, not a privilege escalation by the sample.
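Detection logic for the two file-system behaviours reported above, bulk appending of a new suffix to user files and a ransom note dropped beside them, added here as an example and not part of the sandbox report or the sample. The event records are constructed from the "File created" IOC rows on this page plus two benign entries; the _encrypted suffix, the README_encrypted.txt note and the sample's file name come from the report, while the user-folder list, note-name keywords and the thresholds are this example's own assumptions.

```python
import re
from collections import defaultdict

SAMPLE = "9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe"

# Constructed (action, path, process) records mirroring the report's
# "File created" rows; the last two are benign noise added for the example.
EVENTS = [
    ("File created", r"C:\Users\Admin\Pictures\LockDisable.png_encrypted", SAMPLE),
    ("File created", r"C:\Users\Admin\Pictures\RevokeSet.tiff_encrypted", SAMPLE),
    ("File created", r"C:\Users\Admin\Pictures\SkipUnlock.crw_encrypted", SAMPLE),
    ("File created", r"C:\Users\Admin\Pictures\StopSwitch.raw_encrypted", SAMPLE),
    ("File created", r"C:\Users\Admin\Pictures\SwitchDeny.crw_encrypted", SAMPLE),
    ("File created", r"C:\Users\Admin\Pictures\DenyEnable.png_encrypted", SAMPLE),
    ("File created", r"C:\Users\Admin\Desktop\README_encrypted.txt", SAMPLE),
    ("File created", r"C:\Users\Admin\Downloads\site-backup.tar.gz", "curl.exe"),
    ("File created", r"C:\Users\Admin\AppData\Local\Temp\tmp1234.tmp", "explorer.exe"),
]

# Only user-data folders count; AppData and system paths churn constantly (assumed list).
USER_DIR_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(Desktop|Documents|Pictures|Downloads|Videos|Music)\\", re.I)
# <stem>.<original ext><appended suffix>: the suffix is what the malware tacked on.
SUFFIX_RE = re.compile(
    r"^(?P<stem>.+?)\.(?P<ext>[A-Za-z0-9]{1,5})(?P<suffix>[._][A-Za-z0-9_]{2,16})$")
# Ransom-note name keywords (assumed; "README" is the one this report shows).
NOTE_RE = re.compile(r"(readme|decrypt|how.?to|restore|recover)", re.I)

MIN_FILES = 3  # distinct files sharing one appended suffix (assumed threshold)
MIN_EXTS = 2   # distinct original extensions under that suffix (assumed threshold)


def split_suffix(path):
    """Return (original_ext, appended_suffix) for names like x.png_encrypted, else None."""
    m = SUFFIX_RE.match(path.rsplit("\\", 1)[-1])
    return (m["ext"].lower(), m["suffix"].lower()) if m else None


def is_ransom_note(path):
    """A text/HTML file whose name reads like instructions to the victim."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name.endswith((".txt", ".html", ".hta")) and NOTE_RE.search(name) is not None


def triage(events):
    """Group suffix appends and notes per process; return one finding per process+suffix."""
    by_proc = defaultdict(lambda: defaultdict(set))  # proc -> suffix -> {(path, ext)}
    notes = defaultdict(set)                         # proc -> {note path}
    for action, path, proc in events:
        if action != "File created" or not USER_DIR_RE.match(path):
            continue
        if is_ransom_note(path):
            notes[proc].add(path)
            continue
        parsed = split_suffix(path)
        if parsed:
            ext, suffix = parsed
            by_proc[proc][suffix].add((path, ext))

    findings = []
    for proc, suffixes in by_proc.items():
        for suffix, files in suffixes.items():
            exts = {ext for _, ext in files}
            # A lone archive like .tar.gz has one "ext" and one file, so it stays quiet;
            # a process rewriting many file types with one new suffix does not.
            if len(files) >= MIN_FILES and len(exts) >= MIN_EXTS:
                findings.append({
                    "process": proc,
                    "suffix": suffix,
                    "files": len(files),
                    "original_exts": sorted(exts),
                    "notes": sorted(notes.get(proc, ())),
                })
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['process']} appended {f['suffix']!r} to {f['files']} files "
              f"({', '.join(f['original_exts'])}); notes: {f['notes']}")
```

The two thresholds are the whole point of the rule: a single double-extension file such as site-backup.tar.gz parses as "tar" plus ".gz" but never reaches three files with two original types, whereas the sample's six Pictures files with four different original extensions all sharing _encrypted do. Pairing the finding with a note dropped by the same process raises confidence further; in a real pipeline the same grouping would run over Sysmon event 11 or EDR file-create telemetry rather than a fixed list.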
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe
    "C:\Users\Admin\AppData\Local\Temp\9be3b8dff2d24146e732fa8f81b1a56860b579622e31c991ceaf847ade9717ae.exe"
    Modifies extensions of user files
    Modifies service
    PID:3884
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Modifies service
    Suspicious use of AdjustPrivilegeToken
    PID:1828
Network
MITRE ATT&CK Matrix
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation
Downloads
  • memory/3884-0-0x0000000000400000-0x000000000049B000-memory.dmp