Analysis

  • max time kernel
    123s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    02-11-2020 04:22

General

  • Target

    a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.exe

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\HOW TO RESTORE FILES.TXT

Ransom Note
Hello, friend. All your files were encrypted. If you want to restore them, please email us : petro@ctemplar.com
Emails

petro@ctemplar.com

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\HOW TO RESTORE FILES.TXT

Ransom Note
Hello, friend. All your files were encrypted. If you want to restore them, please email us : petro@ctemplar.com Your hash: 593235305054517A4F44556D5A57356B5054456D615751394D535A706344307 84E5451754E6A45754E7A45754E54456D61325635505441314D55557A4D5468 42517A51794D6B4647526A5642515446444E446B794D6A67304E5546464F546 C424D4545324D3055774E444178517A6B314E6A457A4D4545794D6A4A464F44 4242526A497A51546377526A633352546B7A4D6A6777526A4642516A59774E5 559774E7A41334E6B49304E6B4E4452455531526B4A45515449304D7A6B304D 4545324E5451774F544E444E304A434D54597A4D7A684552446842517A4A434 E6A59314F4451334E6A4E454E7A45794D6A4A474D7A4E434D6A677952545243 52554931516B55354E7A46424D454D34515445304E7A51334E6B45334D544A4 34D7A52424E6B56444D5451784D545A454E6A5A4652546734524467304F5556 424E6B4E434D6A6847516A6C434E6A424652455243516A5245516A457952444 1344E6A633251305A4452444D32525552464E3045354E455245524455304E7A 6846517A4E424F4467324F554E444D44676D64476C745A543077534334674D5 53075494455785579346D64584E7950575A6B59546B324F5749304A6E5A7662 4431444F6C77674D5463754D7A6448596938794E5455754E7A464859676F41
Emails

petro@ctemplar.com

Signatures

  • RegretLocker

    Ransomware first reported on Twitter in October 2020.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 29 IoCs
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies service 2 TTPs 4 IoCs
  • Drops file in Program Files directory 7811 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 1057 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.exe
    "C:\Users\Admin\AppData\Local\Temp\a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.exe"
    1⤵
    • Modifies extensions of user files
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /SC MINUTE /TN "Mouse Application" /TR "C:\Users\Admin\AppData\Local\Temp\a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.exe" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /SC MINUTE /TN "Mouse Application" /TR "C:\Users\Admin\AppData\Local\Temp\a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:1992
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wmic SHADOWCOPY DELETE & wbadmin DELETE SYSTEMSTATEBACKUP & bcdedit.exe / set{ default } bootstatuspolicy ignoreallfailures & bcdedit.exe / set{ default } recoveryenabled No
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1244
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic SHADOWCOPY DELETE
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1868
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    • Suspicious use of AdjustPrivilegeToken
    PID:1824
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {3097E237-3EC9-4911-BC6C-F18603321BC1} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Users\Admin\AppData\Local\Temp\a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.exe
      C:\Users\Admin\AppData\Local\Temp\a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.exe
      2⤵
      PID:2756
    • C:\Users\Admin\AppData\Local\Temp\a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.exe
      C:\Users\Admin\AppData\Local\Temp\a188e147ba147455ce5e3a6eb8ac1a46bdd58588de7af53d4ad542c6986491f4.exe
      2⤵
      PID:2800

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scheduled Task 1 T1053
  • Persistence
    Registry Run Keys / Startup Folder 1 T1060
    Modify Existing Service 1 T1031
    Scheduled Task 1 T1053
  • Privilege Escalation
    Scheduled Task 1 T1053
  • Defense Evasion
    File Deletion 1 T1107
    Modify Registry 2 T1112
  • Credential Access
    Credentials in Files 1 T1081
  • Discovery
    Query Registry 1 T1012
    Peripheral Device Discovery 1 T1120
    System Information Discovery 1 T1082
  • Collection
    Data from Local System 1 T1005
  • Impact
    Inhibit System Recovery 1 T1490

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.ini
    MD5 8cc162be409eac6514a36627b79a7027
    SHA1 d7b3672574876bf5e8e41fe85e9555d8a875eee0
    SHA256 6073f0e85bcd53393cee8103feb9d727a7461d69addab9f8d4a7505d23007c35
    SHA512 e15af6c15b11deb3c133e8d8517b4a2122513b8efb894ca3e734e33a2ba94bd22688c45e957b259d0de74eb64bd43075460b6d72e2e2eaaded9319b452724a85
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\HOW TO RESTORE FILES.TXT
    MD5 f2d4bd5baf01737a0429a8d1247bfb5c
    SHA1 90ef3e5a5e62680c6889b92fba67c1f5ff7120b3
    SHA256 95d922e57fe813be6a5448864151c082da03502f3cc67135d93b6a064976f3ba
    SHA512 65441e0a9265193eca5e98c4449015c48199ab6fffdcec6755ed1753f3057f155f1bec5cfb141f61f13558731bfd9aa786729b6ab6bf9af5d19cb177d12c41e3
  • \Users\Admin\AppData\Local\Temp\tor-lib.dll
    MD5 dc7e564809d6c2a2f3457c3c9b91f22b
    SHA1 f28c63fc7ac58162c27428a179d2113200814e7e
    SHA256 9969c1e4cf32d1fe6140d6fabf63b6b093a6c6ff7045a187b14175d46cfb74a0
    SHA512 f37a46895062318aef808c65bd2a074c8177b6e90f9368aae1892db837f7962c4ed1d75ba34c533895f096d3d71b56aecdb6eafbf61b3ecd50b0d4e8c79021f0
  • memory/1244-3-0x0000000000000000-mapping.dmp
  • memory/1448-1-0x0000000000000000-mapping.dmp
  • memory/1744-9-0x0000000000390000-0x0000000000391000-memory.dmp
    Filesize 4KB
  • memory/1868-4-0x0000000000000000-mapping.dmp
  • memory/1992-2-0x0000000000000000-mapping.dmp
  • memory/2756-6-0x0000000000000000-mapping.dmp
  • memory/2800-7-0x0000000000000000-mapping.dmp
  • memory/2916-8-0x0000000000000000-mapping.dmp
  • memory/2932-10-0x0000000000000000-mapping.dmp
  • memory/2956-12-0x0000000000000000-mapping.dmp
  • memory/3000-15-0x0000000000000000-mapping.dmp
  • memory/3016-16-0x0000000000000000-mapping.dmp