Overview

overview

10

Static

static

6

f0fbd0654d...le.exe

windows7_x64

10

f0fbd0654d...le.exe

windows10_x64

9

Resubmissions

19-11-2020 14:39

201119-59epbrqadx 10

19-11-2020 14:22

201119-ff99dc42e6 10

19-11-2020 14:16

201119-298y5e8ncj 9

Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-11-2020 14:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe

  • Size

    1.8MB

  • MD5

    10d7151b9ee53b8da8ee6f85001ffb20

  • SHA1

    76d33ef58ea7b012342d975d871db64840da9675

  • SHA256

    f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093

  • SHA512

    1c6d2d7f509b462b5d48db61817ee42a7204d10141c59394eb190d0dba733b831a6344bb85197dfac358939379e640c9f38732d376e28f92e187806ca574d10f

Score
10/10
persistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html

Ransom Note
Critical Error! Your files have been corrupted! Follow these directions to easily restore them: 1. Purchase around $200 in Bitcoin (BTC). To learn more about Bitcoin, visit https://bitcoin.org/en/buy or https://buy.bitcoin.com 2. Send the new Bitcoin to the following address: 14BfVG4vH71NLmhu7vFKi9EMmeZFoiAsYP 3. Contact our Tech Support team at insupport@messagesafe.io and explain your issue. 4. After confirming your Bitcoin transfer, we will send you a file-repair tool to fix your entire system. 5. Run our file-cleaner and wait... Your data will be restored. To test our services, you may send up to 2 files for repairing before making the Bitcoin transfer. Estimated repair time after Bitcoin transfer: 24 hours
Emails

insupport@messagesafe.io

Wallets

14BfVG4vH71NLmhu7vFKi9EMmeZFoiAsYP

URLs

https://bitcoin.org/en/buy

https://buy.bitcoin.com

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Modifies extensions of user files 14 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 63 IoCs
    adwarespyware
  • Modifies registry class 36 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -WindowStyle Hidden get-wmiobject win32_computersystem | "fl model"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:928
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Start-Process C:\ProgramData\amdkey.bat -Verb runas
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:344
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\amdkey.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:308
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:1608
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
          4⤵
          • Interacts with shadow copies
          PID:2620
        • C:\Windows\system32\net.exe
          net user /add RedROMAN p4zzaub71h
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2652
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 user /add RedROMAN p4zzaub71h
            5⤵
              PID:2664
          • C:\Windows\system32\net.exe
            net localgroup administrators RedROMAN /add
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2692
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 localgroup administrators RedROMAN /add
              5⤵
                PID:2704
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Modifies service
        • Suspicious use of AdjustPrivilegeToken
        PID:816
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:275457 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2880
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2772 CREDAT:406541 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2324
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x488
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2164
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\ProgramData\RR_README.html
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2300
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2300 CREDAT:275457 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:324

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Account Manipulation

      1
      T1098

      Modify Existing Service

      1
      T1031

      Privilege Escalation

      Defense Evasion

      File Deletion

      2
      T1107

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Inhibit System Recovery

      2
      T1490

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\RR_README.html
        MD5

        a15162a522fbd1ed603ab6415f4de0de

        SHA1

        33299e2baaff029b82c724630d4b5e5424353f18

        SHA256

        5d4d8f87b815bbc435d6b8b1b3d3349d06a6d82226a4ad0e17accf8b750d80dc

        SHA512

        d45ba782b9977131ce3b30661ec5db27fd94a169dc42ca6f0a907db20186c54348eaeae763279113fb81783d56478b9c98b2038948eb4c7cb18d00f4c292650d

        Download Submit
      • C:\ProgramData\amdkey.bat
        MD5

        e1ccfa2c9fccc3306d6a2beafee97e88

        SHA1

        769a6f5692364611fb1c97b7f8909e305df46b0c

        SHA256

        8c6a13f418d0c11640ea15a0c42a4edc9f4175c4c924573c35b86929a7d25aaf

        SHA512

        f5ecf42ded57faa60cd98f7e43438c7b7158afb7061b836805469840880ae6b980dfe99f66bce8b52f2fa27eb0d07a48631da8f8fb82a3f12754a2024d70460c

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1FC0448E6D3D5712272FAF5B90A70C5E
        MD5

        ce16928d38d0901c418aff44b227cedb

        SHA1

        9007bff6afc91daad3e817b4286130781a6542b1

        SHA256

        c2ab6b4ebd1b078712e9bf8ce2d5966763525edf4063dc367afba3be13690d14

        SHA512

        2941e3a6e20f59f0001c3ecadcbad19bcf3f271637cc26eea35d6a7fc66c5916afc19040918f5f44e253d514ca2f76f949c0bb46328788ef76d08225e92fd792

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
        MD5

        081d36f197084f70fea789af4c4c3437

        SHA1

        2bde05c8344d838c1766e1f6d03d7194a0c95953

        SHA256

        b09b06f04df6e235dddede2c5d9e85782e733dc057e1afd58963ca020cc0f4a5

        SHA512

        a6dff92c0b473c25ac82e8382b35fb7c73ed61e8469863e5baed0ae6c8f84448c9e4ca52b1bef06103946f2bfeee128ab22e9d71b8653c62db782a1ba4135bcd

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1FC0448E6D3D5712272FAF5B90A70C5E
        MD5

        a142c049102cfb1a971570598cdb9d6b

        SHA1

        6b8e58ccf1052523786f22c532bb70b9f0610442

        SHA256

        210716504493a8b4730b84d72fccab36daeb00d0551cc62a64e19bb5c7230cdc

        SHA512

        996f7a6beed508e89e1c738b47bb799f12377d22e9ee2ac5fccf1f5c3d857d14efe138dfa09a5d07fd46ba1a6cba4229c000189e8d5abd931bb8e4356acb81d4

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        MD5

        26f61685911dca72407748550ae39238

        SHA1

        ca42c1b43845a89f73489db1815423cd79108909

        SHA256

        2474a15b274487da981308612515a4ca0ef7af25f25df8abbc9c035cfb54d90b

        SHA512

        39843bf7b0fcf564862d26f46d881096f8bc0f43bbd99c208a5a273464bb8090162e1f2ff88526a2c973b3a9ba2a1af67d91ece081cb9bcbbfbba5acc20ef174

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
        MD5

        50394070d7c576e2547ca91f2fac267a

        SHA1

        35ae0fbce2f3b6e045ba74708ab27c6735e57d7b

        SHA256

        1bda9c259d3303ba395788b76b5b7b83d28e40d7d4430ddd694904f3379996df

        SHA512

        c74b0188c70722a1a309a24bad5f4ef778bb0ca5abef09aade78b1af23b2e875998309e270f2aad42478f813742f75d73277530a72c5b36cad767846266da936

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{C5457E20-1950-11EB-8A4C-EE401B9E63CB}.dat
        MD5

        72234a28b8d8e1abba4012ee4caddd6f

        SHA1

        f83749e9b6ad91618993033d838d5d88c89453b4

        SHA256

        0d9c245c61c87c46762961a7c3376cf0ba1aa280d9ac1290989b4c1c13b0fd9c

        SHA512

        2deb3d930c84e7572728b6820176a7d1d7d06ae3c1a9f36b49aedc8a651784b4cbd1f1bf8691f3c8232f0edb6f34cdc161b67921546d6b6de809a727e6112fd0

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{A8B7A740-2A74-11EB-B97E-C2515532CB8E}.dat
        MD5

        451d69d9c5e016fbabf779da471253c5

        SHA1

        412a05e256dec00559ca6af71a73011524f38805

        SHA256

        8a43aa8746f40228b1e391809439d6ada60a2670a060523b2f73d77df1dce91e

        SHA512

        a646cb5cf1d5fa4a2e0f723cedcb019681b9dc69bf02d116262ec0c992c086ce20be5ff117762f011498a18b89032842431a446b1c82b6ec7e43c92d6f53e705

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{A8B7A741-2A74-11EB-B97E-C2515532CB8E}.dat
        MD5

        3ca3fcd68b636e740b1fe93ae7f814a8

        SHA1

        5e4e7d2450ac84a171958d98ca56741807a781be

        SHA256

        71b41d0f5ed05ed411a104dcd5559633536b06e5f8538a690fc76dd8423bcae7

        SHA512

        ed17cd84aa84458ca3feb17513c9896b42a985fa556bc81be07854292c0d0d7ea2846228e22c573db295542fc8d1571329445e780f13a4894ca900b48bcd8ffe

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
        MD5

        f2a1d83d62fc57c60847d2b60ab72783

        SHA1

        ef7dc42433df61644eb8260e8f9d311da0a0635c

        SHA256

        72ddbe0c347462e8f04d53a8fd79e13699b7b598f2701215f797cffad72828fe

        SHA512

        b5dc6610571791c71c5a41e687578d783f401adabcebb3120886e979362f111ca3d0592fbf923ac6138e158931069ad901f5a986282294c1cb8a044b4ea5ddb5

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D73194RS\small_red_dot[1].png
        MD5

        0c2c38ba38932e23f84267ef229fb59a

        SHA1

        6e9c9303af9a6172a1868c352ea8978a3cc29b87

        SHA256

        3d6751064b2f32f038aca08c197acea9b5bf514cabc3461fe9ec8a77180301f3

        SHA512

        c609905ca019e4acd3acf42c5eef2a36c7aee3bfc5741e8cc556e44a7ddd110467e14efbcfbb095d50dd3f53288256602cbc2f7372bdf3cac4a156486c1b99b4

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        MD5

        24437168fa337f109afbf16a7e533ac2

        SHA1

        e1af9a54ea28171417b49e5cc4b46bb01f4ea99c

        SHA256

        ce145af1f6a731429cb87f34478a88eb4699b79b59c3306a1d3809364aa4008d

        SHA512

        42e884749861b5a6a5f0b3f2359b778bd5de900dc72b71022bb2ad7782e4c898ff14c4cd0a02ea5560817507ab081bb7792446d5bcb7840a5b5ec4ee331fcb3c

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html
        MD5

        a15162a522fbd1ed603ab6415f4de0de

        SHA1

        33299e2baaff029b82c724630d4b5e5424353f18

        SHA256

        5d4d8f87b815bbc435d6b8b1b3d3349d06a6d82226a4ad0e17accf8b750d80dc

        SHA512

        d45ba782b9977131ce3b30661ec5db27fd94a169dc42ca6f0a907db20186c54348eaeae763279113fb81783d56478b9c98b2038948eb4c7cb18d00f4c292650d

        Download Submit
      • memory/308-19-0x0000000000000000-mapping.dmp
        Download
      • memory/324-39-0x0000000000000000-mapping.dmp
        Download
      • memory/344-17-0x000000001AB40000-0x000000001AB41000-memory.dmp
        Filesize

        4KB

        Download
      • memory/344-15-0x0000000002500000-0x0000000002501000-memory.dmp
        Filesize

        4KB

        Download
      • memory/344-11-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/344-12-0x0000000002020000-0x0000000002021000-memory.dmp
        Filesize

        4KB

        Download
      • memory/344-13-0x000000001AC70000-0x000000001AC71000-memory.dmp
        Filesize

        4KB

        Download
      • memory/344-9-0x0000000000000000-mapping.dmp
        Download
      • memory/344-14-0x00000000020D0000-0x00000000020D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/928-3-0x00000000022E0000-0x00000000022E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/928-4-0x000000001AAC0000-0x000000001AAC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/928-8-0x000000001C670000-0x000000001C671000-memory.dmp
        Filesize

        4KB

        Download
      • memory/928-5-0x0000000002440000-0x0000000002441000-memory.dmp
        Filesize

        4KB

        Download
      • memory/928-6-0x0000000002510000-0x0000000002511000-memory.dmp
        Filesize

        4KB

        Download
      • memory/928-2-0x000007FEF5560000-0x000007FEF5F4C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/928-7-0x000000001B430000-0x000000001B431000-memory.dmp
        Filesize

        4KB

        Download
      • memory/928-1-0x0000000000000000-mapping.dmp
        Download
      • memory/1360-0-0x000000013FB60000-0x000000013FD31000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/1608-20-0x0000000000000000-mapping.dmp
        Download
      • memory/2324-30-0x0000000000000000-mapping.dmp
        Download
      • memory/2620-21-0x0000000000000000-mapping.dmp
        Download
      • memory/2652-22-0x0000000000000000-mapping.dmp
        Download
      • memory/2664-23-0x0000000000000000-mapping.dmp
        Download
      • memory/2692-24-0x0000000000000000-mapping.dmp
        Download
      • memory/2704-25-0x0000000000000000-mapping.dmp
        Download
      • memory/2784-26-0x000007FEF60B0000-0x000007FEF632A000-memory.dmp
        Filesize

        2.5MB

        Download
      • memory/2880-27-0x0000000000000000-mapping.dmp
        Download
      • memory/2880-38-0x00000000061F0000-0x0000000006213000-memory.dmp
        Filesize

        140KB

        Download