mod_c.exe

General

Target: mod_c.exe
Filesize: 1MB
Completed: 26-03-2021 16:28
Score: 10/10
MD5: be4c5e4713009e5446ee042ba7c33fe0
SHA1: f8e52380b6f3668d4de6df416c8da389c0d98fe8
SHA256: 7272457bac023e7ab635fc3d82212a89918de36d5433dd389e6151805e47b0cd

Malware Config

Extracted

Path: C:\HOW-TO-DECRYPT-dvxr9.txt

Ransom Note

[+] What happened? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension *.dvxr9
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant get back your data (NEVER).

[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

[+] How to get access on website? [+]
Using a TOR browser!
- Download and install TOR browser from this site: https://torproject.org/
- Open our website: http://o76s3m7l5ogig4u5.onion
- Follow the on-screen instructions

Extension name: *.dvxr9
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) will make everything possible for restoring, but please do not interfere.

URLs

http://o76s3m7l5ogig4u5.onion

Signatures 5

Filter: none

Defense Evasion
  • CryptOne packer

    Description

    Detects CryptOne packer defined in NCC blogpost.

    Reported IOCs

    resource | yara_rule
    behavioral2/files/0x000400000001ab5a-4.dat | cryptone
    behavioral2/files/0x000400000001ab5a-5.dat | cryptone

  • Executes dropped EXE
    Processes: Method

    Reported IOCs

    pid | process
    4148 | Method

  • Modifies extensions of user files
    Processes: Method

    Description

    Ransomware generally changes the extension on encrypted files.

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\Pictures\CloseComplete.crw.dvxr9 | Method
    File opened for modification | C:\Users\Admin\Pictures\DisconnectCompress.tif.dvxr9 | Method
    File renamed | C:\Users\Admin\Pictures\ExitEnable.raw => C:\Users\Admin\Pictures\ExitEnable.raw.dvxr9 | Method
    File opened for modification | C:\Users\Admin\Pictures\ExitEnable.raw.dvxr9 | Method
    File renamed | C:\Users\Admin\Pictures\AssertShow.tif => C:\Users\Admin\Pictures\AssertShow.tif.dvxr9 | Method
    File opened for modification | C:\Users\Admin\Pictures\AddProtect.raw.dvxr9 | Method
    File opened for modification | C:\Users\Admin\Pictures\AssertShow.tif.dvxr9 | Method
    File renamed | C:\Users\Admin\Pictures\CloseComplete.crw => C:\Users\Admin\Pictures\CloseComplete.crw.dvxr9 | Method
    File renamed | C:\Users\Admin\Pictures\DisconnectCompress.tif => C:\Users\Admin\Pictures\DisconnectCompress.tif.dvxr9 | Method
    File renamed | C:\Users\Admin\Pictures\RevokeMove.png => C:\Users\Admin\Pictures\RevokeMove.png.dvxr9 | Method
    File opened for modification | C:\Users\Admin\Pictures\RevokeMove.png.dvxr9 | Method
    File renamed | C:\Users\Admin\Pictures\AddProtect.raw => C:\Users\Admin\Pictures\AddProtect.raw.dvxr9 | Method
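The rename rows above show the pattern a detection should key on: the original extension is kept and one new suffix (.dvxr9) is appended to files of several different types by a single process. The Python below is an added example, not code from the sandbox, this report or the sample. Its event list is constructed from the rows in this section plus two benign renames, and the thresholds (five files, two distinct original extensions) are assumptions to tune per environment.

```python
"""Flag a process that mass-renames user files by appending one new extension.

Added example modelled on the "Modifies extensions of user files" rows; the
events and thresholds below are constructed/assumed, not taken from the sandbox.
"""
import os
from collections import defaultdict

# Constructed rename events: (acting process, old path, new path).
# The first six mirror the report's "File renamed" rows; the last two are
# benign noise added to show what must not fire.
SAMPLE_RENAMES = [
    ("Method", r"C:\Users\Admin\Pictures\ExitEnable.raw", r"C:\Users\Admin\Pictures\ExitEnable.raw.dvxr9"),
    ("Method", r"C:\Users\Admin\Pictures\AssertShow.tif", r"C:\Users\Admin\Pictures\AssertShow.tif.dvxr9"),
    ("Method", r"C:\Users\Admin\Pictures\CloseComplete.crw", r"C:\Users\Admin\Pictures\CloseComplete.crw.dvxr9"),
    ("Method", r"C:\Users\Admin\Pictures\DisconnectCompress.tif", r"C:\Users\Admin\Pictures\DisconnectCompress.tif.dvxr9"),
    ("Method", r"C:\Users\Admin\Pictures\RevokeMove.png", r"C:\Users\Admin\Pictures\RevokeMove.png.dvxr9"),
    ("Method", r"C:\Users\Admin\Pictures\AddProtect.raw", r"C:\Users\Admin\Pictures\AddProtect.raw.dvxr9"),
    ("notepad.exe", r"C:\Users\Admin\Documents\notes.txt", r"C:\Users\Admin\Documents\notes.bak"),
    ("notepad.exe", r"C:\Users\Admin\Documents\notes.txt.tmp", r"C:\Users\Admin\Documents\notes.txt"),
]


def appended_suffix(old, new):
    """Return the suffix appended to `old` when `new` is exactly old + '.ext', else None.

    Replacing an extension (notes.txt -> notes.bak) or stripping one does not count:
    the ransomware signature is that the original name survives intact.
    """
    if not new.startswith(old):
        return None
    tail = new[len(old):]
    if tail.startswith(".") and len(tail) > 1 and "." not in tail[1:] \
            and "\\" not in tail and "/" not in tail:
        return tail
    return None


def detect_mass_rename(events, min_files=5, min_source_exts=2):
    """Group renames by (process, appended suffix) and flag groups where the same
    suffix was appended to at least `min_files` files spanning at least
    `min_source_exts` different original extensions. One suffix over many file
    types is the encryptor pattern; a backup or converter normally touches one type.
    Thresholds are assumptions, not values from the report.
    """
    groups = defaultdict(list)
    for proc, old, new in events:
        suffix = appended_suffix(old, new)
        if suffix:
            groups[(proc, suffix)].append(old)
    hits = []
    for (proc, suffix), olds in groups.items():
        # Normalise Windows separators so splitext works the same on a Linux analysis host.
        source_exts = {os.path.splitext(o.replace("\\", "/"))[1].lower() for o in olds}
        if len(olds) >= min_files and len(source_exts) >= min_source_exts:
            hits.append({"process": proc, "suffix": suffix, "files": len(olds),
                         "source_extensions": sorted(source_exts)})
    return hits


if __name__ == "__main__":
    for hit in detect_mass_rename(SAMPLE_RENAMES):
        print(hit)
```

Run against the constructed events it reports one group: process Method, suffix .dvxr9, six files across .crw, .png, .raw and .tif, while the notepad renames are ignored because they replace rather than append an extension.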
  • Suspicious use of WriteProcessMemory
    Processes: mod_c.exe, Method, cmd.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 4768 wrote to memory of 4148 | 4768 | mod_c.exe | Method
    PID 4768 wrote to memory of 4148 | 4768 | mod_c.exe | Method
    PID 4148 wrote to memory of 556 | 4148 | Method | cmd.exe
    PID 4148 wrote to memory of 556 | 4148 | Method | cmd.exe
    PID 4768 wrote to memory of 980 | 4768 | mod_c.exe | cmd.exe
    PID 4768 wrote to memory of 980 | 4768 | mod_c.exe | cmd.exe
    PID 556 wrote to memory of 944 | 556 | cmd.exe | waitfor.exe
    PID 556 wrote to memory of 944 | 556 | cmd.exe | waitfor.exe
    PID 556 wrote to memory of 1156 | 556 | cmd.exe | attrib.exe
    PID 556 wrote to memory of 1156 | 556 | cmd.exe | attrib.exe
    PID 980 wrote to memory of 1304 | 980 | cmd.exe | waitfor.exe
    PID 980 wrote to memory of 1304 | 980 | cmd.exe | waitfor.exe
    PID 980 wrote to memory of 1396 | 980 | cmd.exe | attrib.exe
    PID 980 wrote to memory of 1396 | 980 | cmd.exe | attrib.exe

  • Views/modifies file attributes
    Processes: attrib.exe, attrib.exe

    TTPs

    Hidden Files and Directories

    Reported IOCs

    pid | process
    1156 | attrib.exe
    1396 | attrib.exe
Processes 8
  • C:\Users\Admin\AppData\Local\Temp\mod_c.exe
    "C:\Users\Admin\AppData\Local\Temp\mod_c.exe"
    Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Users\Admin\AppData\Roaming\MsimeReceiver\Method
      C:\Users\Admin\AppData\Roaming\MsimeReceiver\Method /go
      Executes dropped EXE
      Modifies extensions of user files
      Suspicious use of WriteProcessMemory
      PID:4148
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\MsimeReceiver\Method" & del "C:\Users\Admin\AppData\Roaming\MsimeReceiver\Method" & rd "C:\Users\Admin\AppData\Roaming\MsimeReceiver\"
        Suspicious use of WriteProcessMemory
        PID:556
        • C:\Windows\system32\waitfor.exe
          waitfor /t 10 pause /d y
          PID:944
        • C:\Windows\system32\attrib.exe
          attrib -h "C:\Users\Admin\AppData\Roaming\MsimeReceiver\Method"
          Views/modifies file attributes
          PID:1156
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\mod_c.exe" & del "C:\Users\Admin\AppData\Local\Temp\mod_c.exe" & rd "C:\Users\Admin\AppData\Local\Temp\"
      Suspicious use of WriteProcessMemory
      PID:980
      • C:\Windows\system32\waitfor.exe
        waitfor /t 10 pause /d y
        PID:1304
      • C:\Windows\system32\attrib.exe
        attrib -h "C:\Users\Admin\AppData\Local\Temp\mod_c.exe"
        Views/modifies file attributes
        PID:1396
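Both cmd.exe children in the tree run the same delayed self-deletion chain: waitfor /t 10 pause waits up to ten seconds for a signal named "pause" that is never sent (a sleep substitute), then attrib -h strips the hidden attribute, del removes the binary and rd removes its directory. PID 556, spawned by the dropped copy (PID 4148), deletes that copy; PID 980, spawned by the original (PID 4768), deletes mod_c.exe. The Python below is an added example, not code from the sandbox or the sample: it recognises that chain in process-creation records and checks that the path being deleted is the parent process's own image. The record list is constructed from the tree above plus one benign single-file del, and the record field names are assumptions.

```python
"""Recognise the delayed self-deletion chain from the process tree.

Added example; the process records are constructed from the report's tree
(field names assumed), not pulled from the sandbox.
"""
import re

# waitfor /t <N> <signal> ... & attrib -h "<path>" & del "<path>" & rd "<dir>"
SELF_DELETE = re.compile(
    r'waitfor\s+/t\s+(?P<delay>\d+)\b.*?&\s*attrib\s+-h\s+"(?P<attrib>[^"]+)"'
    r'\s*&\s*del\s+"(?P<del>[^"]+)"\s*&\s*rd\s+"(?P<rd>[^"]+)"',
    re.IGNORECASE,
)

# Constructed process-creation records mirroring the tree (plus a benign del).
SAMPLE_PROCESSES = [
    {"pid": 4768, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\mod_c.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\mod_c.exe"'},
    {"pid": 4148, "ppid": 4768, "image": r"C:\Users\Admin\AppData\Roaming\MsimeReceiver\Method",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\MsimeReceiver\Method /go"},
    {"pid": 556, "ppid": 4148, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": r'cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\MsimeReceiver\Method" & del "C:\Users\Admin\AppData\Roaming\MsimeReceiver\Method" & rd "C:\Users\Admin\AppData\Roaming\MsimeReceiver\"'},
    {"pid": 980, "ppid": 4768, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": r'cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\mod_c.exe" & del "C:\Users\Admin\AppData\Local\Temp\mod_c.exe" & rd "C:\Users\Admin\AppData\Local\Temp\"'},
    {"pid": 2222, "ppid": 1000, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": r'cmd /c del "C:\Users\Admin\AppData\Local\Temp\build.log"'},
]


def find_self_deletes(processes):
    """Return one finding per cmd.exe whose command line matches SELF_DELETE.

    `consistent` is True when attrib, del and rd all refer to the same file and
    its directory; `deletes_parent_image` is True when the deleted path is the
    image of the process that spawned the cmd.exe, i.e. the parent is erasing
    itself after a delay.
    """
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        m = SELF_DELETE.search(p["cmdline"])
        if not m:
            continue
        target = m.group("del")
        parent = by_pid.get(p["ppid"])
        same_file = m.group("attrib").lower() == target.lower()
        in_dir = target.lower().startswith(m.group("rd").lower())
        findings.append({
            "cmd_pid": p["pid"],
            "parent_pid": p["ppid"],
            "delay_seconds": int(m.group("delay")),
            "target": target,
            "consistent": same_file and in_dir,
            "deletes_parent_image": parent is not None and parent["image"].lower() == target.lower(),
        })
    return findings


if __name__ == "__main__":
    for f in find_self_deletes(SAMPLE_PROCESSES):
        print(f)
```

On the constructed records it yields two findings, for PIDs 556 and 980, both with a ten-second delay and both deleting their parent's image; the plain del of build.log does not match because it lacks the waitfor/attrib/rd sequence. In a real hunt the rd target directory (%APPDATA%\MsimeReceiver here) is worth keeping as an IOC even after the binary is gone.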
Network

MITRE ATT&CK Matrix

Collection | Command and Control | Credential Access | Discovery | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Roaming\MsimeReceiver\Method

    MD5: be4c5e4713009e5446ee042ba7c33fe0
    SHA1: f8e52380b6f3668d4de6df416c8da389c0d98fe8
    SHA256: 7272457bac023e7ab635fc3d82212a89918de36d5433dd389e6151805e47b0cd
    SHA512: 96612ab271e5adbfc911d65abc5ed56973d3539ff98c10e13daac782dcbfa43606ed89fa8efa0b203fd000cbbf76fea04d3844723c9dc075ba9a4fe55cb78e4d

    The MD5, SHA1 and SHA256 match the submitted mod_c.exe: the dropped file is a byte-for-byte copy of the sample written under %APPDATA%\MsimeReceiver and relaunched with /go, not a second-stage payload.

  • memory/556-7-0x0000000000000000-mapping.dmp
  • memory/944-9-0x0000000000000000-mapping.dmp
  • memory/980-8-0x0000000000000000-mapping.dmp
  • memory/1156-10-0x0000000000000000-mapping.dmp
  • memory/1304-11-0x0000000000000000-mapping.dmp
  • memory/1396-12-0x0000000000000000-mapping.dmp
  • memory/4148-3-0x0000000000000000-mapping.dmp
  • memory/4768-2-0x0000000002050000-0x0000000002214000-memory.dmp