Analysis
-
max time kernel
151s -
max time network
93s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
22-01-2021 07:41
General
-
Target
invoice_NQ_Supply.xls
-
Size
83KB
-
MD5
50fecec126570e4b8fcd531d6711879a
-
SHA1
9166aee4a6815e4f67e0ae43344d8ca144958d47
-
SHA256
c7e40628fb6beb52d9d73a3b3afd1dca5d2335713593b698637e1a47b42bfc71
-
SHA512
5f6d88626024811fd05af98d35a2e54a87ce5c8929d56c8bc49d718417b3370af7aa9a66c46007c600c5ec608a0f91f1e952738ee35cd3aebe28b4db46a2c042
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt
Ransom Note
Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
We also downloaded your corporate files (databases, tables, accounting information, etc.) and we will have to publish them if you do not agree to cooperation.
To get this software you need write on our e-mail: workplus111@protonmail.com
Reserve e-mail address to contact us: worker400@airmail.cc
Key Identifier:
MrdspKpEvSZKY8uLASEE5yMvxwD7P4ziTOK9r5PffokBqapJBEBgD84xDzSY16f7pDxYlK2w4nSJdL+Lj5mLGG/YBcqY+yN4UBjlWNgX/P4FMpNKXAFwfDn/+oxLntKrr86lkqUpY1geXHigIHd6EHyQZjepy0XmU01FMToV6iBSvP08bXHL63DGRHNFHtwUdCHt5Zo4jFaiWM+FSs8PuJ7SPPmZb9QBcHdrCRkCSqQ0oVnKLX9VtVQsONKPXQIoEjOAHPIuuL+U0oexM3febm7VyohuBQXDFylwK8I5NGPBLncu/IOCShNBz9faoN+q10aliTaOQ3YxtnTU8QAG1WVzOFGWSsiK3J/wIFVxT0XkNrE5HrHXPOghu06YIxH3GNK2G38WVmEJ6KuYHkjkcwgYp89D6L1cRRd5Dl3or3ELyTKt27mpfxyhMWM+aFb19W4/gpFIQB6OxXdY+tPj1KEj3XU1ldXLM+C4q6OzZ9njxZsB3kefIuIpci3KGE17WDfC3wYTgHS03NgPXrcphbtA8UPUUG+deK360Dw49CLRjj8gMy6K5fS8tXY7ZQGVndtM9/2OwhTVCrvfpOaWkm8U7kyAaa2MVnIQ9QMR53OVDswc6sntkL6NnOfHUVWWqby3SmvPWZDpu+jqhsU7ws6RWFS50PgkijJuua+aDbk=
Emails
workplus111@protonmail.com
worker400@airmail.cc
Extracted
Language
xlm4.0
Source
URLs
xlm40.dropper
https://iffusedtrac.xyz/3/bbc.exe
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Executes dropped EXE 2 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 9 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\invoice_NQ_Supply.xls1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\wCmfmRe\dtwzrQf\GZTJoxx.exe"C:\wCmfmRe\dtwzrQf\GZTJoxx.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exe"C:\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exe"taskkill" /F /IM RaccineSettings.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F4⤵
-
C:\Windows\SysWOW64\reg.exe"reg" delete HKCU\Software\Raccine /F4⤵
- Modifies registry key
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F4⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin4⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config Dnscache start= auto4⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled4⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled4⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q D:\\$Recycle.bin4⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config FDResPub start= auto4⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled4⤵
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes4⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config upnphost start= auto4⤵
-
C:\Windows\SysWOW64\netsh.exe"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes4⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" start Dnscache /y4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start Dnscache /y5⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled4⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" start FDResPub /y4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start FDResPub /y5⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" start SSDPSRV /y4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start SSDPSRV /y5⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfewc /y4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfewc /y5⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeDLPAgentService /y4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y5⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop avpsus /y4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop avpsus /y5⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop bedbg /y4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop bedbg /y5⤵
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SSDPSRV start= auto4⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop MSSQL$SQL_2008 /y4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQL_2008 /y5⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop EhttpSrv /y4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop EhttpSrv /y5⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BMR Boot Service /y4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y5⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" start upnphost /y4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start upnphost /y5⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccEvtMgr /y4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y5⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccSetMgr /y4⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y5⤵
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exeMD5
48ea3794091a9f17e12f5c1a90e1f7d7
SHA11bb17eef59764e84f95b7a5c0aad649b8517ee43
SHA256dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56
SHA5120355be6a2b2cf58d4ca5b11de5f84803240587937cd28d064df20ac38c945352e14c78e21006824114f67ede71be3ab27cc27b05759fc23a1fb8dcfa31a7244f
-
C:\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exeMD5
48ea3794091a9f17e12f5c1a90e1f7d7
SHA11bb17eef59764e84f95b7a5c0aad649b8517ee43
SHA256dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56
SHA5120355be6a2b2cf58d4ca5b11de5f84803240587937cd28d064df20ac38c945352e14c78e21006824114f67ede71be3ab27cc27b05759fc23a1fb8dcfa31a7244f
-
C:\wCmfmRe\dtwzrQf\GZTJoxx.exeMD5
19f207b20b1d2a05aba1a1eb59da54d2
SHA18d75108ec34fd79f8336041d5ff31443cc527add
SHA2568e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393
SHA5126a6b97e5f4543437270628af70a67e51a32d1ad9afbc0f19611d0131d9e84154f8525e3aeeb41c82f1c4437694be898b7ef520ac8eddf9b227f3d1013e57f749
-
C:\wCmfmRe\dtwzrQf\GZTJoxx.exeMD5
19f207b20b1d2a05aba1a1eb59da54d2
SHA18d75108ec34fd79f8336041d5ff31443cc527add
SHA2568e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393
SHA5126a6b97e5f4543437270628af70a67e51a32d1ad9afbc0f19611d0131d9e84154f8525e3aeeb41c82f1c4437694be898b7ef520ac8eddf9b227f3d1013e57f749
-
\Users\Admin\AppData\Local\Programs\Temp\wqm58yk7.exeMD5
48ea3794091a9f17e12f5c1a90e1f7d7
SHA11bb17eef59764e84f95b7a5c0aad649b8517ee43
SHA256dcd725c415cebc7df170edf49af18d6f86e76ef75185737de5959405f4aecc56
SHA5120355be6a2b2cf58d4ca5b11de5f84803240587937cd28d064df20ac38c945352e14c78e21006824114f67ede71be3ab27cc27b05759fc23a1fb8dcfa31a7244f
-
\wCmfmRe\dtwzrQf\GZTJoxx.exeMD5
19f207b20b1d2a05aba1a1eb59da54d2
SHA18d75108ec34fd79f8336041d5ff31443cc527add
SHA2568e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393
SHA5126a6b97e5f4543437270628af70a67e51a32d1ad9afbc0f19611d0131d9e84154f8525e3aeeb41c82f1c4437694be898b7ef520ac8eddf9b227f3d1013e57f749
-
memory/324-80-0x0000000000000000-mapping.dmp
-
memory/436-84-0x0000000000000000-mapping.dmp
-
memory/560-15-0x000000006C110000-0x000000006C7FE000-memory.dmpFilesize
6.9MB
-
memory/560-18-0x0000000004760000-0x0000000004761000-memory.dmpFilesize
4KB
-
memory/560-12-0x0000000000000000-mapping.dmp
-
memory/560-16-0x0000000001150000-0x0000000001151000-memory.dmpFilesize
4KB
-
memory/660-70-0x0000000000000000-mapping.dmp
-
memory/800-87-0x0000000000000000-mapping.dmp
-
memory/820-78-0x0000000000000000-mapping.dmp
-
memory/924-61-0x0000000000000000-mapping.dmp
-
memory/936-75-0x0000000000000000-mapping.dmp
-
memory/956-86-0x0000000000000000-mapping.dmp
-
memory/1044-73-0x0000000000000000-mapping.dmp
-
memory/1052-9-0x00000000767E1000-0x00000000767E3000-memory.dmpFilesize
8KB
-
memory/1052-7-0x0000000000000000-mapping.dmp
-
memory/1096-5-0x000007FEF7F70000-0x000007FEF81EA000-memory.dmpFilesize
2.5MB
-
memory/1136-69-0x0000000000000000-mapping.dmp
-
memory/1156-62-0x0000000000000000-mapping.dmp
-
memory/1264-76-0x0000000000000000-mapping.dmp
-
memory/1356-68-0x0000000000000000-mapping.dmp
-
memory/1376-77-0x0000000000000000-mapping.dmp
-
memory/1380-82-0x0000000000000000-mapping.dmp
-
memory/1548-74-0x0000000000000000-mapping.dmp
-
memory/1552-71-0x0000000000000000-mapping.dmp
-
memory/1580-23-0x0000000004770000-0x0000000004771000-memory.dmpFilesize
4KB
-
memory/1580-44-0x00000000062A0000-0x00000000062A1000-memory.dmpFilesize
4KB
-
memory/1580-59-0x0000000006320000-0x0000000006321000-memory.dmpFilesize
4KB
-
memory/1580-45-0x00000000055F0000-0x00000000055F1000-memory.dmpFilesize
4KB
-
memory/1580-25-0x0000000002572000-0x0000000002573000-memory.dmpFilesize
4KB
-
memory/1580-19-0x0000000000000000-mapping.dmp
-
memory/1580-60-0x0000000006330000-0x0000000006331000-memory.dmpFilesize
4KB
-
memory/1580-21-0x000000006C110000-0x000000006C7FE000-memory.dmpFilesize
6.9MB
-
memory/1580-22-0x0000000000480000-0x0000000000481000-memory.dmpFilesize
4KB
-
memory/1580-24-0x0000000002570000-0x0000000002571000-memory.dmpFilesize
4KB
-
memory/1580-37-0x0000000006100000-0x0000000006101000-memory.dmpFilesize
4KB
-
memory/1580-36-0x000000007EF30000-0x000000007EF31000-memory.dmpFilesize
4KB
-
memory/1580-35-0x00000000060B0000-0x00000000060B1000-memory.dmpFilesize
4KB
-
memory/1580-30-0x00000000056D0000-0x00000000056D1000-memory.dmpFilesize
4KB
-
memory/1580-27-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/1580-26-0x0000000002010000-0x0000000002011000-memory.dmpFilesize
4KB
-
memory/1620-63-0x0000000000000000-mapping.dmp
-
memory/1624-72-0x0000000000000000-mapping.dmp
-
memory/1664-83-0x0000000000000000-mapping.dmp
-
memory/1684-79-0x0000000000000000-mapping.dmp
-
memory/1752-66-0x0000000000000000-mapping.dmp
-
memory/1856-4-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1856-106-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1856-2-0x000000002F621000-0x000000002F624000-memory.dmpFilesize
12KB
-
memory/1856-3-0x00000000719D1000-0x00000000719D3000-memory.dmpFilesize
8KB
-
memory/1868-67-0x0000000000000000-mapping.dmp
-
memory/1900-85-0x0000000000000000-mapping.dmp
-
memory/2016-64-0x0000000000000000-mapping.dmp
-
memory/2020-65-0x0000000000000000-mapping.dmp
-
memory/2024-81-0x0000000000000000-mapping.dmp
-
memory/2056-88-0x0000000000000000-mapping.dmp
-
memory/2084-89-0x0000000000000000-mapping.dmp
-
memory/2112-90-0x0000000000000000-mapping.dmp
-
memory/2148-91-0x0000000000000000-mapping.dmp
-
memory/2156-93-0x0000000000000000-mapping.dmp
-
memory/2164-92-0x0000000000000000-mapping.dmp
-
memory/2184-94-0x0000000000000000-mapping.dmp
-
memory/2208-101-0x0000000000000000-mapping.dmp
-
memory/2216-97-0x0000000000000000-mapping.dmp
-
memory/2224-98-0x0000000000000000-mapping.dmp
-
memory/2232-99-0x0000000000000000-mapping.dmp
-
memory/2240-100-0x0000000000000000-mapping.dmp
-
memory/2248-102-0x0000000000000000-mapping.dmp
-
memory/2256-103-0x0000000000000000-mapping.dmp
-
memory/2268-104-0x0000000000000000-mapping.dmp
-
memory/2276-105-0x0000000000000000-mapping.dmp