02a08b994265901a649f1bcf6772bc06df2eb51eb09906af9fd0f4a8103e9851

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7v20201028
submitted
09-02-2021 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02a08b994265901a649f1bcf6772bc06df2eb51eb09906af9fd0f4a8103e9851.exe
Size

142KB
MD5

39ea2394a6e6c39c5d7722dc996daf05
SHA1

ca010ca1e7d5104049c09eefca128cc0e50729e1
SHA256

02a08b994265901a649f1bcf6772bc06df2eb51eb09906af9fd0f4a8103e9851
SHA512

90df3cd613c83a3aed88183e3b67ee6affc76690b47ff819fc147191d60a03e720aeb371bc1c3d96954699c01fe1b79084cda4369f89f805ea5501e4d86a3974

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\MSOCache\DECRYPT_NOTE.txt

Ransom Note

Hello i-online.fr Congratulations! This PC hacked. Some data has been stored in our servers and ready for publish. Content of your files has been successfully encrypted with unique public key. To restore your files you need buy official decryptor with unique private decription key. Contact with us to get decryptor using TOR browser (https://www.torproject.org/) and your personal contact link in TOR network below. IMPORTANT: Don't modify encrypted files or you can damage them and decryption will be impossible! To contact with us you have ONE week from the encryption time, after decryption keys and your personal contact link will be deleted automaticaly. Stored information can be publish. Thanks for undestanding. Best regards. Your personal contact link: http://decrypts3nln3tic.onion/secret/18ebdc51148b7c55b451a7d070d706078293f4df2ca6d4f3a485367156f2ac43

URLs

http://decrypts3nln3tic.onion/secret/18ebdc51148b7c55b451a7d070d706078293f4df2ca6d4f3a485367156f2ac43

Signatures

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

02a08b994265901a649f1bcf6772bc06df2eb51eb09906af9fd0f4a8103e9851.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\BlockSave.tiff => C:\Users\Admin\Pictures\BlockSave.tiff.crypt	02a08b994265901a649f1bcf6772bc06df2eb51eb09906af9fd0f4a8103e9851.exe
File renamed	C:\Users\Admin\Pictures\UseInstall.tif => C:\Users\Admin\Pictures\UseInstall.tif.crypt	02a08b994265901a649f1bcf6772bc06df2eb51eb09906af9fd0f4a8103e9851.exe
File opened for modification	C:\Users\Admin\Pictures\BlockSave.tiff	02a08b994265901a649f1bcf6772bc06df2eb51eb09906af9fd0f4a8103e9851.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1560 vssvc.exe
Token: SeRestorePrivilege 1560 vssvc.exe
Token: SeAuditPrivilege 1560 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1560	vssvc.exe
Token: SeRestorePrivilege	1560	vssvc.exe
Token: SeAuditPrivilege	1560	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\02a08b994265901a649f1bcf6772bc06df2eb51eb09906af9fd0f4a8103e9851.exe
"C:\Users\Admin\AppData\Local\Temp\02a08b994265901a649f1bcf6772bc06df2eb51eb09906af9fd0f4a8103e9851.exe"
1⤵
- Modifies extensions of user files
PID:1184

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1560

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1184-2-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download