ransomexx_win | 4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458

Analysis

max time kernel
39s
max time network
9s
platform
windows7_x64
resource
win7v20201028
submitted
14-12-2020 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe
Size

156KB
MD5

fcd21c6fca3b9378961aa1865bee7ecb
SHA1

0abaa05da2a05977e0baf68838cff1712f1789e0
SHA256

4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458
SHA512

e39c1f965f6faeaa33dfec6eba23fbfff14b287f4777797ea79480bb037d6d806516bda7046315e051961fce12e935ac546819c1e0bef5c33568d68955a9792a

Score

10^/10

ransomexx_win evasion ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\!TXDOT_READ_ME!.txt

Ransom Note

Greetings, Texas Department of Transportation! Read this message CAREFULLY and contact someone from IT department. Your files are securely ENCRYPTED. No third party decryption software EXISTS. MODIFICATION or RENAMING encrypted files may cause decryption failure. You can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all files from all affected systems ANY TIME. Encrypted file SHOULD NOT contain sensitive information (technical, backups, databases, large documents). The rest of data will be available after the PAYMENT. Infrastructure rebuild will cost you MUCH more. Contact us ONLY if you officially represent the whole affected network. The ONLY attachments we accept are non archived encrypted files for test decryption. Speak ENGLISH when contacting us. Mail us: [email protected] We kindly ask you not to use GMAIL, YAHOO or LIVE to contact us. The PRICE depends on how quickly you do it. �

Emails

[email protected]

Signatures

Deletes NTFS Change Journal 2 TTPs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
ransomware

Inhibit System Recovery
T1490

Data Destruction
T1485
RansomEXX Ransomware
Targeted ransomware with variants which affect Windows and Linux systems.
ransomware ransomexx_win
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1516	bcdedit.exe
1840	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1088	wbadmin.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\SuspendShow.png => C:\Users\Admin\Pictures\SuspendShow.png.txd0t	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe
File renamed	C:\Users\Admin\Pictures\UseConvertTo.crw => C:\Users\Admin\Pictures\UseConvertTo.crw.txd0t	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromReceive.crw => C:\Users\Admin\Pictures\ConvertFromReceive.crw.txd0t	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe
File renamed	C:\Users\Admin\Pictures\EnableEnter.crw => C:\Users\Admin\Pictures\EnableEnter.crw.txd0t	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe
File renamed	C:\Users\Admin\Pictures\RestartSave.raw => C:\Users\Admin\Pictures\RestartSave.raw.txd0t	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe
File renamed	C:\Users\Admin\Pictures\SaveUpdate.raw => C:\Users\Admin\Pictures\SaveUpdate.raw.txd0t	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe
File renamed	C:\Users\Admin\Pictures\HideAdd.tif => C:\Users\Admin\Pictures\HideAdd.tif.txd0t	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe
File renamed	C:\Users\Admin\Pictures\MountSync.raw => C:\Users\Admin\Pictures\MountSync.raw.txd0t	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe
File renamed	C:\Users\Admin\Pictures\PingMeasure.raw => C:\Users\Admin\Pictures\PingMeasure.raw.txd0t	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe

Overwrites deleted data with Cipher tool 1 TTPs
Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.
ransomware

Inhibit System Recovery
T1490

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	cipher.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe
1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe
1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe
1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe
1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe
1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe
1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe
1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe
1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1080	wevtutil.exe
Token: SeBackupPrivilege	1080	wevtutil.exe
Token: SeSecurityPrivilege	1752	wevtutil.exe
Token: SeBackupPrivilege	1752	wevtutil.exe
Token: SeSecurityPrivilege	1100	wevtutil.exe
Token: SeBackupPrivilege	1100	wevtutil.exe
Token: SeSecurityPrivilege	384	wevtutil.exe
Token: SeBackupPrivilege	384	wevtutil.exe
Token: SeSecurityPrivilege	1712	wevtutil.exe
Token: SeBackupPrivilege	1712	wevtutil.exe
Token: SeBackupPrivilege	1680	wbengine.exe
Token: SeRestorePrivilege	1680	wbengine.exe
Token: SeSecurityPrivilege	1680	wbengine.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 1080	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	34
PID 1668 wrote to memory of 1080	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	34
PID 1668 wrote to memory of 1080	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	34
PID 1668 wrote to memory of 1080	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	34
PID 1668 wrote to memory of 1100	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	33
PID 1668 wrote to memory of 1100	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	33
PID 1668 wrote to memory of 1100	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	33
PID 1668 wrote to memory of 1100	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	33
PID 1668 wrote to memory of 384	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	38
PID 1668 wrote to memory of 384	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	38
PID 1668 wrote to memory of 384	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	38
PID 1668 wrote to memory of 384	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	38
PID 1668 wrote to memory of 1752	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	37
PID 1668 wrote to memory of 1752	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	37
PID 1668 wrote to memory of 1752	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	37
PID 1668 wrote to memory of 1752	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	37
PID 1668 wrote to memory of 1712	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	36
PID 1668 wrote to memory of 1712	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	36
PID 1668 wrote to memory of 1712	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	36
PID 1668 wrote to memory of 1712	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	36
PID 1668 wrote to memory of 432	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	39
PID 1668 wrote to memory of 432	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	39
PID 1668 wrote to memory of 432	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	39
PID 1668 wrote to memory of 432	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	39
PID 1668 wrote to memory of 1764	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	40
PID 1668 wrote to memory of 1764	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	40
PID 1668 wrote to memory of 1764	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	40
PID 1668 wrote to memory of 1764	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	40
PID 1668 wrote to memory of 1516	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	41
PID 1668 wrote to memory of 1516	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	41
PID 1668 wrote to memory of 1516	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	41
PID 1668 wrote to memory of 1516	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	41
PID 1668 wrote to memory of 1088	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	35
PID 1668 wrote to memory of 1088	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	35
PID 1668 wrote to memory of 1088	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	35
PID 1668 wrote to memory of 1088	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	35
PID 1668 wrote to memory of 1840	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	42
PID 1668 wrote to memory of 1840	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	42
PID 1668 wrote to memory of 1840	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	42
PID 1668 wrote to memory of 1840	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	42
PID 1668 wrote to memory of 860	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	32
PID 1668 wrote to memory of 860	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	32
PID 1668 wrote to memory of 860	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	32
PID 1668 wrote to memory of 860	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	32
PID 1668 wrote to memory of 812	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	31
PID 1668 wrote to memory of 812	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	31
PID 1668 wrote to memory of 812	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	31
PID 1668 wrote to memory of 812	1668	4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe	31

C:\Users\Admin\AppData\Local\Temp\4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe
"C:\Users\Admin\AppData\Local\Temp\4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458.bin.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\cipher.exe
  "C:\Windows\System32\cipher.exe" /w:C:
  2⤵
  PID:812
- C:\Windows\SysWOW64\cipher.exe
  "C:\Windows\System32\cipher.exe" /w:D:
  2⤵
  - Enumerates connected drives
  PID:860
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl Setup
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl Security
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\System32\wbadmin.exe
  "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
  2⤵
  - Deletes backup catalog
  PID:1088
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl Application
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" sl Security /e:false
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl System
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:384
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  2⤵
  PID:432
- C:\Windows\System32\fsutil.exe
  "C:\Windows\System32\fsutil.exe" usn deletejournal /D C:
  2⤵
  PID:1764
- C:\Windows\System32\bcdedit.exe
  "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1516
- C:\Windows\System32\bcdedit.exe
  "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1840