Overview

overview

10

Static

static

2.exe

windows7_x64

10

2.exe

windows10_x64

10

Resubmissions

17/02/2021, 18:00

210217-6k9bf8hnla 10

02/02/2021, 09:28

210202-6r27d31vxn 10

Analysis

  • max time kernel
    28s
  • max time network
    118s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    02/02/2021, 09:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2.exe

  • Size

    2.5MB

  • MD5

    e63e41e15e86489a98dbeb2e6cb44e8a

  • SHA1

    5815d349a375f5cdf090ababcff86b3946ed6c07

  • SHA256

    0dd34e1326f18ab113be5ec91003577845f62ce25bbed8f92bff0b4077fe45da

  • SHA512

    749d9580ac631916fbc1db207f0f48ed2ff9979f0cd8e352633cd86edfe7bd5bbb6da90b014e0b8ad639f8b9e567498f07353ef907ce2bd6dfa5536d3079991e

Score
10/10
evasionpersistenceransomwarespywaretrojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\Recovery_Instructions.txt

Ransom Note
## YOUR NETWORK HAS BEEN COMPROMISED ## ------------------------------------------ All your important files have been encrypted! ------------------------------------------------- Your files are safe! Only modified. ANY ATTEMPT TO RESTORE A FILE WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered data from different segment of your network. These data are currently stored on a private server and will be immediately destroyed after your payment. If you decide to not pay, we will keep your data stored and contact press or re-seller or expose it on our partner's website. We only seek money and do not want to damage your reputation or prevent your business from running. If you take wise choice to pay, all of this will be solved very soon and smoothly. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. --------------------------------------------------------- Contact us for price. [email protected] ---------------------------------------------------------- Make contact as soon as possible. If you don't contact us within 72 hours, price will be higher.

Extracted

Path

C:\Recovery_Instructions.txt

Ransom Note
##### YOUR NETWORK HAS BEEN COMPROMISED ##### --------------------------------------------- All your important files have been encrypted! --------------------------------------------- Your files are safe! Only modified. ANY ATTEMPT TO RESTORE A FILE WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered data from different segment of your network. These data are currently stored on a private server and will be immediately destroyed after your payment. If you decide to not pay, we will keep your data stored and contact press or re-seller or expose it on our partner's website. We only seek money and do not want to damage your reputation or prevent your business from running. If you take wise choice to pay, all of this will be solved very soon and smoothly. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. ----------------------------------------------------------- Contact us for price: [email protected] ----------------------------------------------------------- Make contact as soon as possible. If you don't contact us within 72 hours, price will be higher.

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes System State backups 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Drops file in Drivers directory 12 IoCs
  • Modifies extensions of user files 30 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 41 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 100 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 49 IoCs
  • Drops file in Windows directory 68 IoCs
  • Interacts with shadow copies 2 TTPs 13 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 2044 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    1⤵
    • Drops file in Drivers directory
    • Modifies extensions of user files
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3912
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
      2⤵
      • Interacts with shadow copies
      PID:1116
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
      2⤵
      • Interacts with shadow copies
      PID:2476
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:188
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3504
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1576
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3156
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3908
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:272
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3928
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3960
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3948
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3504
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:4048
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled No
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:3844
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:3852
    • C:\Windows\SYSTEM32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:3684
    • C:\Windows\SYSTEM32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:276
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2.exe >> NUL
      2⤵
        PID:1116
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2060

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3912-4-0x00007FF6237C1000-0x00007FF623879000-memory.dmp

      Filesize

      736KB

      Download

    • memory/3912-2-0x00007FF6237C0000-0x00007FF624001000-memory.dmp

      Filesize

      8.3MB

      Download

    • memory/3912-3-0x00007FF6237C0000-0x00007FF624001000-memory.dmp

      Filesize

      8.3MB

      Download