Overview

overview

10

Static

static

6

f0fbd0654d...le.exe

windows7_x64

10

f0fbd0654d...le.exe

windows10_x64

9

Resubmissions

19/11/2020, 14:39

201119-59epbrqadx 10

19/11/2020, 14:22

201119-ff99dc42e6 10

19/11/2020, 14:16

201119-298y5e8ncj 9

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19/11/2020, 14:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe

  • Size

    1.8MB

  • MD5

    10d7151b9ee53b8da8ee6f85001ffb20

  • SHA1

    76d33ef58ea7b012342d975d871db64840da9675

  • SHA256

    f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093

  • SHA512

    1c6d2d7f509b462b5d48db61817ee42a7204d10141c59394eb190d0dba733b831a6344bb85197dfac358939379e640c9f38732d376e28f92e187806ca574d10f

Score
10/10
persistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html

Ransom Note
Critical Error! Your files have been corrupted! Follow these directions to easily restore them: 1. Purchase around $200 in Bitcoin (BTC). To learn more about Bitcoin, visit https://bitcoin.org/en/buy or https://buy.bitcoin.com 2. Send the new Bitcoin to the following address: 14BfVG4vH71NLmhu7vFKi9EMmeZFoiAsYP 3. Contact our Tech Support team at [email protected] and explain your issue. 4. After confirming your Bitcoin transfer, we will send you a file-repair tool to fix your entire system. 5. Run our file-cleaner and wait... Your data will be restored. To test our services, you may send up to 2 files for repairing before making the Bitcoin transfer. Estimated repair time after Bitcoin transfer: 24 hours
Wallets

14BfVG4vH71NLmhu7vFKi9EMmeZFoiAsYP

URLs

https://bitcoin.org/en/buy

https://buy.bitcoin.com

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 2 IoCs
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -WindowStyle Hidden get-wmiobject win32_computersystem | "fl model"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1380
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Start-Process C:\ProgramData\amdkey.bat -Verb runas
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\amdkey.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:396
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:1488
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
          4⤵
          • Interacts with shadow copies
          PID:2524
        • C:\Windows\system32\net.exe
          net user /add RedROMAN p4zzaub71h
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2556
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 user /add RedROMAN p4zzaub71h
            5⤵
              PID:2568
          • C:\Windows\system32\net.exe
            net localgroup administrators RedROMAN /add
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2596
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 localgroup administrators RedROMAN /add
              5⤵
                PID:2608
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Modifies service
        • Suspicious use of AdjustPrivilegeToken
        PID:2356
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\TraceRename.ex_.REDROMAN
        1⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2408
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\TraceRename.ex_.REDROMAN
          2⤵
          • Opens file in notepad (likely ransom note)
          PID:2644
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:275457 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2852
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap21596:184:7zEvent14446 -ad -saa -- "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS"
        1⤵
        • Drops startup file
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:1876

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1380-8-0x000000001C5F0000-0x000000001C5F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1380-6-0x00000000023A0000-0x00000000023A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1380-7-0x000000001C200000-0x000000001C201000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1380-2-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1380-3-0x00000000024F0000-0x00000000024F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1380-4-0x000000001AC90000-0x000000001AC91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1380-5-0x0000000002440000-0x0000000002441000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1472-14-0x0000000002750000-0x0000000002751000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1472-12-0x00000000023D0000-0x00000000023D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1472-17-0x000000001B9B0000-0x000000001B9B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1472-13-0x000000001ABE0000-0x000000001ABE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1472-15-0x0000000002780000-0x0000000002781000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1472-11-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1740-0-0x000000013F640000-0x000000013F811000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/2664-29-0x000007FEF7730000-0x000007FEF79AA000-memory.dmp

        Filesize

        2.5MB

        Download