Resubmissions

06-04-2021 16:38

210406-pa5tpj4bra 8

05-04-2021 09:13

210405-ald3l915jn 10

Analysis

  • max time kernel
    144s
  • max time network
    69s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    05-04-2021 09:13

General

  • Target

    updated.exe

  • Size

    5.1MB

  • MD5

    e3749a1c5284b28ad7ded54ed747b6e0

  • SHA1

    c516f5af4ab59ec6750ac86d11f06ee1dd47a1dd

  • SHA256

    430039aeee4362784600b6b6994b72395c2666aa6d1ad30e6cbf1ed89ecbeaa9

  • SHA512

    acd1911e755d715b7c96ea278a6f4ea039884a85ac230913b1bd85b3f1ab6e322d9cbe9e9869a4c9eeeb5460ebeca9591b5e64d48789ded45d8bc0168ec22bb4

Malware Config

Extracted

Path

C:\READ-ME-NOW.txt

Family

jormungand

Ransom Note
Attention! infortrend!!!!!!!
---------------------------------
What happened?
We are Jormungand ransomware
Your project source code and customer information. Important information has been downloaded. If you do not redeem it as soon as possible, it will be exposed and you will be responsible for the consequences.
---------------------------------
How to get my files back?
---------------------------------
The only way to recover the file is to contact us to buy the private key. Please contact us with your Unique Identifiler Key
---------------------------------
What about guarantees?
---------------------------------
We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer !
---------------------------------
Our email address: DYAQrvHmy@protonmail.com
-----------------
Your Unique Identifiler Key: F+uF3xzMWQ+x5N6VatsrzEXEwkD3azstMMoi1LkueA2kDHmIwyDYufNzBzuR0bZznbZJ9zmP61AjwgSaa4CrDm/VOttbpSU4vUcNPpP+FQT4Uarabq1TdlJ+AmI8jFNhelKn3tufUx0dyb8jMEENI4f8glBSJiv5pfxh5dll13Q=
Emails

DYAQrvHmy@protonmail.com

Signatures

  • Jormungand Ransomware

    Ransomware family first observed in March 2021.

  • Drops file in Drivers directory 4 IoCs
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 27 IoCs
  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Kills process with taskkill 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\updated.exe
    "C:\Users\Admin\AppData\Local\Temp\updated.exe"
    1⤵
    • Drops file in Drivers directory
    • Modifies extensions of user files
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1152
      • C:\Windows\SysWOW64\mode.com
        mode con cp select=125 vssadmin delete shadows /all
        2⤵
          PID:488
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im msaccess.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1296
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im mspub.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:640
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im sqlagent.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:852
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im tbirdconfig.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1772
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im sqlbrowser.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3980
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im mydesktopqos.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2832
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im dbsnmp.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:188
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im thebat64.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2248
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im sqbcoreservice.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1956
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im encsvc.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3924
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im dbeng50.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2200
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im winword.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3960
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im ocautoupds.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1660
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im firefoxconfig.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3848
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im sqlservr.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3916
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im infopath.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3984
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im thebat.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4148
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im outlook.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4220
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im notepad.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4360
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im sqlserver.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4400
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im mysqld.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4296
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im excel.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4172
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im visio.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2272
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im powerpnt.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4492
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im msftesql.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4596
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im xfsssvccon.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4636
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im onenote.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4680
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im notepad++.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4740
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im synctime.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4812
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im agntsvc.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4868
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im sqlwriter.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4944
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im mysql-nt.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5016
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im isqlplussvc.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5112
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im wordpad.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5072
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im mydesktopservice.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1748
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im oracle.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4604
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im steam.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5004
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im mysql-opt.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5156
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im ocomm.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3464
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im thunderdird.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3024
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im ocssd.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3148
      • C:\Windows\SysWOW64\mode.com
        mode con cp select=125 vssadmin delete shadows /all
        2⤵
          PID:6688
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\READ-ME-NOW.txt
        1⤵
        • Suspicious use of FindShellTrayWindow
        PID:6892
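      The process tree above is the most reusable part of this report: one parent (PID 1152) fans out a long run of `taskkill.exe /f /im <name>` children against database, mail and office processes, and it launches `mode.com` with a `vssadmin delete shadows /all` string appended to its arguments. Note that no `vssadmin.exe` child appears in the tree, so the shadow-copy deletion was most likely passed to `mode.com` as arguments and never executed; the intent is still worth alerting on. The Python below is an added example written for this page, not code from the sandbox or from the malware report. It runs two detections over process-creation records constructed from the command lines shown above (the record shape, an assumed tuple of timestamp offset, parent PID, PID, image and command line, is modelled on a Sysmon event 1 export, not a real log), plus a check for the Go default User-Agent flagged in the Signatures section, run over constructed proxy log lines. The kill-target list is illustrative, assembled from the taskkill targets on this page.

```python
"""Detection logic for the behaviour in the report above (added example).

Input records are constructed from the command lines in the process tree;
the tuple layout (seconds since first event, parent PID, PID, image,
command line) is an assumption modelled on Sysmon Event ID 1 exports.
"""
import re
from collections import defaultdict

# Processes that ransomware kills before encryption so that locked database,
# mail and office files can be overwritten. Taken from the taskkill targets
# in this report; illustrative, not exhaustive.
KILL_TARGETS = {
    "msaccess.exe", "mspub.exe", "sqlagent.exe", "sqlbrowser.exe",
    "sqlservr.exe", "mysqld.exe", "oracle.exe", "outlook.exe",
    "winword.exe", "excel.exe", "powerpnt.exe", "onenote.exe",
}

# Constructed events (assumption: not a real log export).
EVENTS = [
    (0, 5000, 1152, r"C:\Users\Admin\AppData\Local\Temp\updated.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\updated.exe"'),
    (1, 1152, 488, r"C:\Windows\SysWOW64\mode.com",
     "mode con cp select=125 vssadmin delete shadows /all"),
    (1, 1152, 1296, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill.exe /f /im msaccess.exe"),
    (1, 1152, 640, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill.exe /f /im mspub.exe"),
    (2, 1152, 852, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill.exe /f /im sqlagent.exe"),
    (2, 1152, 3916, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill.exe /f /im sqlservr.exe"),
    (2, 1152, 4220, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill.exe /f /im outlook.exe"),
    (3, 1152, 4296, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill.exe /f /im mysqld.exe"),
    # Benign control: an admin killing one hung Word instance from a shell.
    (90, 7000, 7001, r"C:\Windows\System32\taskkill.exe", "taskkill /f /im winword.exe"),
]

# Constructed proxy log lines (assumption) using TEST-NET addresses.
PROXY_LOG = [
    '2021-04-05T09:14:02Z 10.0.0.5 GET http://203.0.113.10/ "Go-http-client/1.1" 200',
    '2021-04-05T09:14:03Z 10.0.0.5 GET http://203.0.113.10/ "Mozilla/5.0 (Windows NT 10.0)" 200',
    '2021-04-05T09:14:09Z 10.0.0.7 POST http://203.0.113.11/ "Go-http-client/2.0" 200',
]

TASKKILL_RE = re.compile(r"/im\s+([^\s\"]+)", re.IGNORECASE)
SHADOW_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# Go's net/http default User-Agent is "Go-http-client/1.1" (HTTP/1.1) or
# "Go-http-client/2.0" (HTTP/2); real Go tooling also uses it, so this is a
# weak signal on its own and is best correlated with the process rules.
GO_UA_RE = re.compile(r"\bGo-http-client/(1\.1|2\.0)\b")


def taskkill_bursts(events, window=60, threshold=3):
    """Return {parent_pid: sorted target names} for every parent that
    force-kills at least `threshold` distinct KILL_TARGETS within `window`
    seconds. A single taskkill from an admin shell stays below threshold."""
    by_parent = defaultdict(list)
    for t, ppid, _pid, image, cmd in events:
        if not image.lower().endswith("\\taskkill.exe"):
            continue
        m = TASKKILL_RE.search(cmd)
        if m and m.group(1).lower() in KILL_TARGETS:
            by_parent[ppid].append((t, m.group(1).lower()))
    hits = {}
    for ppid, kills in by_parent.items():
        kills.sort()
        for t0, _ in kills:  # sliding window anchored at each kill
            targets = {name for t, name in kills if t0 <= t <= t0 + window}
            if len(targets) >= threshold:
                hits[ppid] = sorted(targets)
                break
    return hits


def shadow_deletion_attempts(events):
    """Flag any command line carrying 'vssadmin delete shadows', whatever
    image launched it. In this report the string rides on mode.com's
    arguments and no vssadmin.exe child exists, so executed_as_vssadmin is
    False; the attempt is still reported because the intent is the signal."""
    hits = []
    for _t, _ppid, pid, image, cmd in events:
        if SHADOW_RE.search(cmd):
            hits.append({
                "pid": pid,
                "image": image,
                "executed_as_vssadmin": image.lower().endswith("\\vssadmin.exe"),
            })
    return hits


def go_default_ua(lines):
    """Return the proxy log lines whose User-Agent is Go's default string."""
    return [line for line in lines if GO_UA_RE.search(line)]


if __name__ == "__main__":
    print("taskkill bursts:", taskkill_bursts(EVENTS))
    print("shadow deletion attempts:", shadow_deletion_attempts(EVENTS))
    print("Go default UA:", go_default_ua(PROXY_LOG))
```

      The burst rule keys on the parent PID rather than on individual taskkill events, which is what separates this pattern from a one-off administrative kill; tune `threshold` and `window` to the environment, and treat the Go User-Agent match as corroboration rather than as an alert on its own.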

      Network

      MITRE ATT&CK Matrix (ATT&CK v6)

      • Credential Access: Credentials in Files, T1081 (1)
      • Collection: Data from Local System, T1005 (1)

      Downloads

      • C:\Users\Public\Desktop\READ-ME-NOW.txt
        MD5

        80f5783486fa96c294b1c04105468093

        SHA1

        94e76e300ceace5d7bea7856894d91d003dccde9

        SHA256

        c9cc8a2c05f78dd4af4a798ee7b0665f73ae5f8ffeb92091fea842f4b3d62fa7

        SHA512

        dc99b897181e5a45a4f63e189e2e762c8e729c37ddd7f7d159c8760662aa8854900e04322be4975c942d9e01c2aaaf722a565970d7d57a6eb9295889f9d5e31b

      • memory/188-17-0x0000000000000000-mapping.dmp
      • memory/488-9-0x0000000000000000-mapping.dmp
      • memory/640-12-0x0000000000000000-mapping.dmp
      • memory/852-11-0x0000000000000000-mapping.dmp
      • memory/1152-2-0x0000000000400000-0x000000000092D000-memory.dmp
        Filesize

        5.2MB

      • memory/1296-10-0x0000000000000000-mapping.dmp
      • memory/1660-25-0x0000000000000000-mapping.dmp
      • memory/1748-47-0x0000000000000000-mapping.dmp
      • memory/1772-14-0x0000000000000000-mapping.dmp
      • memory/1956-20-0x0000000000000000-mapping.dmp
      • memory/2200-23-0x0000000000000000-mapping.dmp
      • memory/2248-18-0x0000000000000000-mapping.dmp
      • memory/2272-26-0x0000000000000000-mapping.dmp
      • memory/2832-16-0x0000000000000000-mapping.dmp
      • memory/3024-19-0x0000000000000000-mapping.dmp
      • memory/3148-13-0x0000000000000000-mapping.dmp
      • memory/3464-24-0x0000000000000000-mapping.dmp
      • memory/3848-27-0x0000000000000000-mapping.dmp
      • memory/3916-28-0x0000000000000000-mapping.dmp
      • memory/3924-21-0x0000000000000000-mapping.dmp
      • memory/3960-22-0x0000000000000000-mapping.dmp
      • memory/3980-15-0x0000000000000000-mapping.dmp
      • memory/3984-29-0x0000000000000000-mapping.dmp
      • memory/4148-30-0x0000000000000000-mapping.dmp
      • memory/4172-31-0x0000000000000000-mapping.dmp
      • memory/4220-32-0x0000000000000000-mapping.dmp
      • memory/4296-33-0x0000000000000000-mapping.dmp
      • memory/4360-34-0x0000000000000000-mapping.dmp
      • memory/4400-35-0x0000000000000000-mapping.dmp
      • memory/4492-36-0x0000000000000000-mapping.dmp
      • memory/4596-37-0x0000000000000000-mapping.dmp
      • memory/4604-48-0x0000000000000000-mapping.dmp
      • memory/4636-38-0x0000000000000000-mapping.dmp
      • memory/4680-39-0x0000000000000000-mapping.dmp
      • memory/4740-40-0x0000000000000000-mapping.dmp
      • memory/4812-41-0x0000000000000000-mapping.dmp
      • memory/4868-42-0x0000000000000000-mapping.dmp
      • memory/4944-43-0x0000000000000000-mapping.dmp
      • memory/5004-49-0x0000000000000000-mapping.dmp
      • memory/5016-44-0x0000000000000000-mapping.dmp
      • memory/5072-45-0x0000000000000000-mapping.dmp
      • memory/5112-46-0x0000000000000000-mapping.dmp
      • memory/5156-50-0x0000000000000000-mapping.dmp
      • memory/6688-51-0x0000000000000000-mapping.dmp