Overview

overview

10

Static

static

___________.exe

windows7_x64

10

___________.exe

windows10_x64

10

Analysis

  • max time kernel
    60s
  • max time network
    13s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    12/02/2021, 08:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ___________.exe

  • Size

    48KB

  • MD5

    221f1b97cd8e9766bebd001960b31dc4

  • SHA1

    4c3367638ffca90ae5eb5a644a9beaec1853f36c

  • SHA256

    a5f47b1b2efcf8bd7e36a072941fb9ee0ce780e6f410d6c85c503ccea24d29e6

  • SHA512

    7e86b0fc428b8fc97251eb0bf2639b2c780d7a45b730b475794107312e6edd963355aca59c8eee34380800006531a8dbeae152f3542291f0c3154c0d1fbb96d6

Score
10/10
ransomwarespyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\info.hta

Ransom Note
🔒 ALL YOUR DATA TURNED TO USELESS BINARY CODE 🔒 Your computer is infected with a virus. Send an email [email protected] , specify in the subject your unique identifier VL6CGPIC and you will definitly be helped to recover. NOTE: You can send 2 files as proof that we can return all your data. If the provided email doesn't work, please contact us at [email protected] Algorithms used are AES and RSA. IMPORTANT: 1. The infection was due to vulnerabilities in your software. 2. If you want to make sure that it is impossible to recover files using third-party software, do this not on all files, otherwise you may lose all data. 3. Only communication through our email can guarantee file recover for you. We are not responsible for the actions of third parties who promise to help you - most often they are scammers. 4. Please, do not try to rename encrypted files. 5. Our goal is to return your data, but if you don't contact us, we will not succeed.

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\___________.exe
    "C:\Users\Admin\AppData\Local\Temp\___________.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:644
    • \??\c:\windows\system32\cmstp.exe
      "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\gcccwpi4.inf
      2⤵
        PID:2044
    • C:\Windows\system32\cmd.exe
      cmd /c start C:\Windows\temp\3dcgfq5j.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\temp\3dcgfq5j.exe
        C:\Windows\temp\3dcgfq5j.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Users\Admin\AppData\Roaming\91.exe
          "C:\Users\Admin\AppData\Roaming\91.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1396
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1416
            • C:\Windows\SysWOW64\vssadmin.exe
              vssadmin.exe delete shadows /all /quiet
              5⤵
              • Interacts with shadow copies
              PID:900
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1972
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic shadowcopy delete
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1256
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
            4⤵
              PID:1980
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:996
              • C:\Windows\SysWOW64\vssadmin.exe
                vssadmin.exe delete shadows /all /quiet
                5⤵
                • Interacts with shadow copies
                PID:1456
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1740
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                wmic shadowcopy delete
                5⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1436
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
              4⤵
                PID:1996
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
                4⤵
                  PID:1896
                  • C:\Windows\SysWOW64\vssadmin.exe
                    vssadmin.exe delete shadows /all /quiet
                    5⤵
                    • Interacts with shadow copies
                    PID:1892
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
                  4⤵
                    PID:1308
                    • C:\Windows\SysWOW64\Wbem\WMIC.exe
                      wmic shadowcopy delete
                      5⤵
                        PID:1792
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
                      4⤵
                        PID:876
                      • C:\Windows\SysWOW64\mshta.exe
                        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
                        4⤵
                        • Modifies Internet Explorer settings
                        PID:976
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Roaming\91.exe"
                        4⤵
                          PID:508
                          • C:\Windows\SysWOW64\choice.exe
                            choice /C Y /N /D Y /T 1
                            5⤵
                              PID:1976
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Windows\temp\3dcgfq5j.exe"
                          3⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1712
                          • C:\Windows\SysWOW64\choice.exe
                            choice /C Y /N /D Y /T 1
                            4⤵
                              PID:1732
                      • C:\Windows\system32\taskkill.exe
                        taskkill /IM cmstp.exe /F
                        1⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1768
                      • C:\Windows\system32\vssvc.exe
                        C:\Windows\system32\vssvc.exe
                        1⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1180

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/644-3-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/644-11-0x000000001AF76000-0x000000001AF77000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/644-12-0x000000001AF77000-0x000000001AF78000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/644-2-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

                        Filesize

                        9.9MB

                        Download

                      • memory/644-9-0x000000001AF56000-0x000000001AF75000-memory.dmp

                        Filesize

                        124KB

                        Download

                      • memory/644-10-0x000000001AF75000-0x000000001AF76000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/644-8-0x000000001AF50000-0x000000001AF52000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/1396-24-0x0000000074090000-0x000000007477E000-memory.dmp

                        Filesize

                        6.9MB

                        Download

                      • memory/1396-26-0x00000000001B0000-0x00000000001B1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1396-29-0x0000000004890000-0x0000000004891000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1696-19-0x00000000765E1000-0x00000000765E3000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/1696-17-0x0000000000D10000-0x0000000000D11000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1696-16-0x0000000074090000-0x000000007477E000-memory.dmp

                        Filesize

                        6.9MB

                        Download

                      • memory/1708-49-0x000007FEF7790000-0x000007FEF7A0A000-memory.dmp

                        Filesize

                        2.5MB

                        Download

                      • memory/2044-7-0x000007FEFBCD1000-0x000007FEFBCD3000-memory.dmp

                        Filesize

                        8KB

                        Download