Analysis

  • max time kernel
    39s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    20-01-2021 09:23

General

  • Target

    06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.exe

  • Size

    27KB

  • MD5

    015e93d82958f4edbc4c8807eeefc430

  • SHA1

    9517634369b86197f14ae25ffa69a138ab6fe446

  • SHA256

    06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6

  • SHA512

    fa9fc3f5565eb6f84331fb068b70b110aefd87d73ec5c9fabda0819886dca3617dbe4b712eda1a68254352f931cd6bca6c4878d515a793697ae410e19884ebbd

Score
10/10

Malware Config

Extracted

Path

\??\M:\DECR.TXT

Ransom Note

----------- [ Hello! ] ------------->
******BY VASA LOCKER******
What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network. Follow our instructions below and you will recover all your data. If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web.
What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us.
How to contact us?
----------------------------------------------
Using EMAIL:
1) Open your mail
2) Write us: [email protected]
YOUR PERSONAL ID, ATTACH IT: 76aeabd3ac86093455b0158b5ee87436360a456d0edf0775e6fd9e555271891c27c6d1a1873241f27c2eb90356fedcd6bf213fc92334c2346d13fceb53ddaa4ad0792a92663e33078fc8ad007e46b594bcbd1fa6fb2b9ce31ddf302dc041aa6dff3d7fece77d0cce5775c7c46ef24b46bf78faceeec4eefb99d874ad59921eb58727b89ef11bfbfec942bbe660987105
!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !

Signatures

  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies Control Panel 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 276 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.exe
    "C:\Users\Admin\AppData\Local\Temp\06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    PID:1064
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    1⤵
    • Modifies Control Panel
    • Suspicious use of SetWindowsHookEx
    PID:3332

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry: T1012 (1)
  • Peripheral Device Discovery: T1120 (1)
  • System Information Discovery: T1082 (1)
