Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18/02/2021, 17:54

General

  • Target

    cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe

  • Size

    369KB

  • MD5

    df919a46da2377f913e99fa5d4997ae9

  • SHA1

    03cd2235f0e68f297020dd40ad48395fad78bd8d

  • SHA256

    cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536

  • SHA512

    22870750ef402c958353faefaaa77d4549c3d3a6f1f0bf36da77d881db0d0f5ebdb758e5cef21629f407d80e155dad62de747c472624424436125ba3835e9a61

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1985363256-3005190890-1182679451-1000\HOW_TO_RETURN_FILES.txt

Ransom Note
Dear manager, your database server has been locked, your databases files are encrypted and you have unfortunately "lost" all your data, Encryption was produced using unique key AES-256 generated for this server. To decrypt files you need to obtain the decryption key and tool. All encrypted files ends with .charm To obtain the program for this server, which will decrypt all files, you need to write me to email: "[email protected]" Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it - it's your guarantee that we have decryption tool. And send us your userkey We don't know who are you, All what we need is some money. Don't panic if we don't answer you during 24 hours. It means that we didn't received your letter and write us again. You can use one of that bitcoin exchangers for transfering bitcoin: https://localbitcoins.com https://www.kraken.com You dont need install bitcoin programs - you need only use one of this exchangers or other exchanger that you can find in www.google.com for your country. Please use english language in your letters. If you don't speak english then use https://translate.google.com to translate your letter on english language. You don't have enough time to think each day payment will increase and after one week your key will be deleted and your files will be locked forever. USERKEY: j92xYyLZ2hUU4FwOF2bixUvmJPUjvO2WMwwGDR2xsEv9MNpLR9wqdF2IxUteHr+w2oqSAiWToKT942Dv87697KAyfZEsxFnudxWoee+5NpNcIlPdQT3pgWi7ZDHnRkGjKZDbiOuOXzdGeKwOFxPCZUOKFpdOfRMtl2PrU6W+8PyCEUygNbIilpl3NQy2XMiIM29UtLmNSBDmaRuinTJy9pwqTeCBl9lOtGVpYwkMeHScorY/sTEW0siEHNemhKIi/DbQa7tU6CkDTmZzLmygAbR/XUO0zRloCWjdGpqO730OH+EbLK54Q61TM0gYZ0MYmEl5z4SXK3pnltfYzULF5g==

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies Installed Components in the registry 2 TTPs
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Stops running service(s) 3 TTPs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe

Sc.exe is a Windows utility to control services on the system.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 24 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Kills process with taskkill 4 IoCs
  • Modifies Control Panel 10 IoCs
  • Modifies registry class 63 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 55 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:412
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c NET stop MSSQLSERVER /Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3952
      • C:\Windows\SysWOW64\net.exe
        NET stop MSSQLSERVER /Y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1360
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MSSQLSERVER /Y
          4⤵
          PID:2896
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c NET stop MSSQL$SQLEXPRESS /Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3520
      • C:\Windows\SysWOW64\net.exe
        NET stop MSSQL$SQLEXPRESS /Y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1116
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /Y
          4⤵
          PID:2136
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c NET STOP acrsch2svc /Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Windows\SysWOW64\net.exe
        NET STOP acrsch2svc /Y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:408
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 STOP acrsch2svc /Y
          4⤵
          PID:2268
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c NET STOP acronisagent /Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3916
      • C:\Windows\SysWOW64\net.exe
        NET STOP acronisagent /Y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 STOP acronisagent /Y
          4⤵
          PID:3592
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c NET STOP arsm /Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Windows\SysWOW64\net.exe
        NET STOP arsm /Y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3360
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 STOP arsm /Y
          4⤵
          PID:4056
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c NET STOP FirebirdServerDefaultInstance /Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4032
      • C:\Windows\SysWOW64\net.exe
        NET STOP FirebirdServerDefaultInstance /Y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3300
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 STOP FirebirdServerDefaultInstance /Y
          4⤵
          PID:3864
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c NET STOP FirebirdGuardianDefaultInstance /Y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3608
      • C:\Windows\SysWOW64\net.exe
        NET STOP FirebirdGuardianDefaultInstance /Y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2052
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 STOP FirebirdGuardianDefaultInstance /Y
          4⤵
          PID:2192
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c NET STOP MuzzleServer /Y
      2⤵
      PID:2280
      • C:\Windows\SysWOW64\net.exe
        NET STOP MuzzleServer /Y
        3⤵
        PID:800
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 STOP MuzzleServer /Y
          4⤵
          PID:796
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /im 1cv7s.exe /T /F
      2⤵
      PID:844
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im 1cv7s.exe /T /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2312
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /im 1cv8s.exe /T /F
      2⤵
      PID:4052
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im 1cv8s.exe /T /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:492
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /im 1cv7.exe /T /F
      2⤵
      PID:3124
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im 1cv7.exe /T /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2656
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /im 1cv8.exe /T /F
      2⤵
      PID:636
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im 1cv8.exe /T /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3760
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic shadowcopy delete
      2⤵
      PID:4008
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1776
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop "Acronis VSS Provider" /y
      2⤵
      PID:2380
      • C:\Windows\SysWOW64\sc.exe
        sc stop "Acronis VSS Provider" /y
        3⤵
        PID:3816
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop "Enterprise Client Service" /y
      2⤵
      PID:212
      • C:\Windows\SysWOW64\sc.exe
        sc stop "Enterprise Client Service" /y
        3⤵
        PID:3580
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop "Sophos Agent" /y
      2⤵
      PID:632
      • C:\Windows\SysWOW64\sc.exe
        sc stop "Sophos Agent" /y
        3⤵
        PID:3108
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop "Sophos AutoUpdate Service" /y
      2⤵
      PID:3900
      • C:\Windows\SysWOW64\sc.exe
        sc stop "Sophos AutoUpdate Service" /y
        3⤵
        PID:2224
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop "Sophos Clean Service" /y
      2⤵
      PID:3992
      • C:\Windows\SysWOW64\sc.exe
        sc stop "Sophos Clean Service" /y
        3⤵
        PID:4088
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop "Sophos Device Control Service" /y
      2⤵
      PID:3612
      • C:\Windows\SysWOW64\sc.exe
        sc stop "Sophos Device Control Service" /y
        3⤵
        PID:3560
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop "Sophos File Scanner Service" /y
      2⤵
      PID:4080
      • C:\Windows\SysWOW64\sc.exe
        sc stop "Sophos File Scanner Service" /y
        3⤵
        PID:3100
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop "Sophos Health Service" /y
      2⤵
      PID:200
      • C:\Windows\SysWOW64\sc.exe
        sc stop "Sophos Health Service" /y
        3⤵
        PID:3616
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop "Sophos MCS Agent" /y
      2⤵
      PID:2172
      • C:\Windows\SysWOW64\sc.exe
        sc stop "Sophos MCS Agent" /y
        3⤵
        PID:736
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop "Sophos MCS Client" /y
      2⤵
      PID:2320
      • C:\Windows\SysWOW64\sc.exe
        sc stop "Sophos MCS Client" /y
        3⤵
        PID:2676
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3456
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1680 -s 5768
    1⤵
    • Program crash
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2584
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:808
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 808 -s 7516
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      PID:3356
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4012
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    1⤵
    • Modifies Control Panel
    • Suspicious use of SetWindowsHookEx
    PID:2420
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3932
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1316
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    1⤵
    • Modifies Control Panel
    • Suspicious use of SetWindowsHookEx
    PID:3168

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/412-93-0x0000000002750000-0x0000000002751000-memory.dmp

    Filesize

    4KB

  • memory/412-58-0x0000000002750000-0x0000000002751000-memory.dmp

    Filesize

    4KB

  • memory/412-56-0x0000000002750000-0x0000000002751000-memory.dmp

    Filesize

    4KB

  • memory/412-57-0x0000000002F50000-0x0000000002F51000-memory.dmp

    Filesize

    4KB

  • memory/2584-152-0x000001CC32930000-0x000001CC32931000-memory.dmp

    Filesize

    4KB

  • memory/2584-153-0x000001CC32930000-0x000001CC32931000-memory.dmp

    Filesize

    4KB

  • memory/3356-183-0x00000205D8F30000-0x00000205D8F31000-memory.dmp

    Filesize

    4KB