Analysis

  • max time kernel
    149s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-01-2021 22:36

General

  • Target

    7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe

  • Size

    18KB

  • MD5

    d360e4b15da3d3b89640a3ba98464214

  • SHA1

    67816c29b8f35cff28bb4f3f1428d001a8f1f280

  • SHA256

    7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e

  • SHA512

    d00295e6d7192c0a2dfa8ccbf18fb344852fae9de074fc843b6ef20967b003c7fcff2b6835fc3dd7bd69c0bfdf714c22f972a5e609f5859d051579c94967179a

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\READ_ME.hta

Ransom Note
E P S I L O N Ransomware ⠀ As you can see, all your files got encrypted. Thats why your files are no longer readable. If you want them back, please contact us at our email below. You can send us a couple of files and we will return the restored ones to prove that only we can do it. [email protected] You can ask for more details and more help by email. You can learn more about bitcoin and encryption on wikipedia. https://wikipedia.org/wiki/Bitcoinhttps://wikipedia.org/wiki/Encryption ⠀ If you already submited your payement, you will receive your private key and another decryption key with the special decryption software. More informations: 1. the infection was due to vulnerabilities in your software. 2. our goal is to return your data, but if you don't contact us, we will not succeed. IMPORTANT: 1. if you want to make sure that it is impossible to recover files using third-party software, do this not on all files, otherwise you may lose all data. 2. only communication through our email can guarantee file recover for you. We are not responsible for the actions of third parties who promise to help you - most often they are scammers. 3. please, do not try to rename encrypted files.
URLs

https://wikipedia.org/wiki/Bitcoin
https://wikipedia.org/wiki/Encryption

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 2 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 1673 IoCs
  • Drops file in Windows directory 386 IoCs
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 477 IoCs
  • Suspicious use of AdjustPrivilegeToken 141 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 59 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e.bin.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3940
    • \??\c:\windows\system32\cmstp.exe
      "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\q3ppw5jw.inf
      2⤵
      PID:1648
  • C:\Windows\system32\cmd.exe
    cmd /c start C:\Windows\temp\0xy5pqal.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3968
    • C:\Windows\temp\0xy5pqal.exe
      C:\Windows\temp\0xy5pqal.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3116
      • C:\Users\Admin\AppData\Local\Temp\TaskHostHelper.exe
        "C:\Users\Admin\AppData\Local\Temp\TaskHostHelper.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3156
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\READ_ME.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          4⤵
          PID:4032
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\System32\RNSNKMA6.vbs"
          4⤵
          PID:3912
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2276
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin.exe delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:412
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2172
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3896
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
          4⤵
          PID:2916
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2068
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin.exe delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:508
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1456
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3972
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
          4⤵
          PID:3432
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
          4⤵
          PID:3260
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2168
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            PID:3572
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2400
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin.exe delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:2272
  • C:\Windows\system32\taskkill.exe
    taskkill /IM cmstp.exe /F
    1⤵
    • Kills process with taskkill
    • Suspicious use of AdjustPrivilegeToken
    PID:3040
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1040
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x3a4
    1⤵
    PID:2964

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    T1060 Registry Run Keys / Startup Folder (1)
  • Defense Evasion
    T1107 File Deletion (2)
    T1112 Modify Registry (1)
  • Credential Access
    T1081 Credentials in Files (1)
  • Collection
    T1005 Data from Local System (1)
  • Impact
    T1490 Inhibit System Recovery (2)

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TaskHostHelper.exe
    MD5    c6ec91aaa2bba2deb31fb645a2f9b9e4
    SHA1   a921f8a827897250ebbc9847ea113f56dbb1c18d
    SHA256 b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0
    SHA512 13571cf45881b5d4ef0904f2aa0e091e9fe895bf038b71075f09a051318cf052e0737ad1fab5549e5143e866fda816ce282a2330dea128357e201948b8ce7019

  • C:\Users\Admin\Desktop\READ_ME.hta
    MD5    a076b2df780ea7d573ffd70ce0c603ea
    SHA1   226531b08d9cdccf6de988172ed1e144b1d0be57
    SHA256 6d5c611b01516055bbc4a56e992e7d90fcab562448d5b56a179d0f286c4b356a
    SHA512 aa610f6f9c1b7cefe0f4bffe6acaae668b33e19430e137523193a51f30dd89b096b9fd29f323e9c1f71da0e6d99b8d8cb2eb334275db5ac02375af447a0e7fdd

  • C:\Windows\SysWOW64\RNSNKMA6.vbs
    MD5    07641762ad9c0d4b5983babccecb071b
    SHA1   84afb077fccaa75f82338c30c5d03f4b67e39c62
    SHA256 c65ff4443a32b8144455278a1fd98d442e1ad76f738a82668b2229acd7a2a117
    SHA512 4be951540e9ad6c0eba31a1c31899ee1b327b4f37410cfc1f8a2fa8b27d705a265053f4ace0e8997b2ba337d293adb8d122860a85b775c41dfea5e1f252977ff

  • C:\Windows\Temp\0xy5pqal.exe
    MD5    f3d78f15bf85aa14f71979585d310ae7
    SHA1   1e73b89abd5e0e0e74291d5ebb4f10574a9ef2e2
    SHA256 bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a
    SHA512 ef251e35c6047df225d937b568ded6ad9ee8e72235fac6ce6c04e9287f01aad65c63ada7e65e304ac094029f0a768d2697c3960dde818f7cf0f73cd81283e087

  • C:\Windows\temp\q3ppw5jw.inf
    MD5    ad64686d8e7e318b7bf2597ca54ef669
    SHA1   2da9ff5aefe90c319dea0e933bdf360976682c63
    SHA256 09ef9046fb40d5623b5f8b82aae4877b7327667b8fc61cd7a4bc6ea4fccab320
    SHA512 21b67e773578153b54d7058a08e7cb945c9d07f9bf42b4426d71dea31763625db18c5992c1b5e80e4f34935dd9f130e75442d890d254f08b2ad06786d6d281f5
