Resubmissions

06-04-2021 16:38

210406-pa5tpj4bra 8

05-04-2021 09:13

210405-ald3l915jn 10

Analysis

  • max time kernel
    144s
  • max time network
    69s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    05-04-2021 09:13

General

  • Target

    updated.exe

  • Size

    5.1MB

  • MD5

    e3749a1c5284b28ad7ded54ed747b6e0

  • SHA1

    c516f5af4ab59ec6750ac86d11f06ee1dd47a1dd

  • SHA256

    430039aeee4362784600b6b6994b72395c2666aa6d1ad30e6cbf1ed89ecbeaa9

  • SHA512

    acd1911e755d715b7c96ea278a6f4ea039884a85ac230913b1bd85b3f1ab6e322d9cbe9e9869a4c9eeeb5460ebeca9591b5e64d48789ded45d8bc0168ec22bb4

Malware Config

Extracted

Path

C:\READ-ME-NOW.txt

Family

jormungand

Ransom Note
Attention! infortrend!!!!!!! --------------------------------- What happened? We are Jormungand ransomware Your project source code and customer information. Important information has been downloaded. If you do not redeem it as soon as possible, it will be exposed and you will be responsible for the consequences. --------------------------------- How to get my files back? --------------------------------- The only way to recover the file is to contact us to buy the private key. Please contact us with your Unique Identifiler Key --------------------------------- What about guarantees? --------------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files on your computer ! --------------------------------- Our email address: [email protected] ----------------- Your Unique Identifiler Key: F+uF3xzMWQ+x5N6VatsrzEXEwkD3azstMMoi1LkueA2kDHmIwyDYufNzBzuR0bZznbZJ9zmP61AjwgSaa4CrDm/VOttbpSU4vUcNPpP+FQT4Uarabq1TdlJ+AmI8jFNhelKn3tufUx0dyb8jMEENI4f8glBSJiv5pfxh5dll13Q=

Signatures

  • Jormungand Ransomware

    Ransomware family first observed in March 2021.

  • Drops file in Drivers directory 4 IoCs
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 27 IoCs
  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Kills process with taskkill 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\updated.exe
    "C:\Users\Admin\AppData\Local\Temp\updated.exe"
    1⤵
    • Drops file in Drivers directory
    • Modifies extensions of user files
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Windows\SysWOW64\mode.com
      mode con cp select=125 vssadmin delete shadows /all
      2⤵
        PID:488
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im msaccess.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1296
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im mspub.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:640
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im sqlagent.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:852
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im tbirdconfig.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1772
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im sqlbrowser.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3980
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im mydesktopqos.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2832
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im dbsnmp.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:188
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im thebat64.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2248
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im sqbcoreservice.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1956
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im encsvc.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3924
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im dbeng50.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2200
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im winword.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3960
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im ocautoupds.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1660
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im firefoxconfig.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3848
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im sqlservr.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3916
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im infopath.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3984
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im thebat.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4148
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im outlook.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4220
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im notepad.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4360
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im sqlserver.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4400
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im mysqld.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4296
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im excel.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4172
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im visio.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2272
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im powerpnt.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4492
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im msftesql.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4596
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im xfsssvccon.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4636
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im onenote.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4680
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im notepad++.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4740
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im synctime.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4812
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im agntsvc.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4868
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im sqlwriter.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4944
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im mysql-nt.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5016
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im isqlplussvc.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5112
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im wordpad.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5072
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im mydesktopservice.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1748
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im oracle.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4604
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im steam.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5004
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im mysql-opt.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5156
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im ocomm.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3464
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im thunderdird.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3024
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /f /im ocssd.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3148
      • C:\Windows\SysWOW64\mode.com
        mode con cp select=125 vssadmin delete shadows /all
        2⤵
          PID:6688
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\READ-ME-NOW.txt
        1⤵
        • Suspicious use of FindShellTrayWindow
        PID:6892

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Public\Desktop\READ-ME-NOW.txt

        MD5

        80f5783486fa96c294b1c04105468093

        SHA1

        94e76e300ceace5d7bea7856894d91d003dccde9

        SHA256

        c9cc8a2c05f78dd4af4a798ee7b0665f73ae5f8ffeb92091fea842f4b3d62fa7

        SHA512

        dc99b897181e5a45a4f63e189e2e762c8e729c37ddd7f7d159c8760662aa8854900e04322be4975c942d9e01c2aaaf722a565970d7d57a6eb9295889f9d5e31b

      • memory/188-17-0x0000000000000000-mapping.dmp

      • memory/488-9-0x0000000000000000-mapping.dmp

      • memory/640-12-0x0000000000000000-mapping.dmp

      • memory/852-11-0x0000000000000000-mapping.dmp

      • memory/1152-2-0x0000000000400000-0x000000000092D000-memory.dmp

        Filesize

        5.2MB

      • memory/1296-10-0x0000000000000000-mapping.dmp

      • memory/1660-25-0x0000000000000000-mapping.dmp

      • memory/1748-47-0x0000000000000000-mapping.dmp

      • memory/1772-14-0x0000000000000000-mapping.dmp

      • memory/1956-20-0x0000000000000000-mapping.dmp

      • memory/2200-23-0x0000000000000000-mapping.dmp

      • memory/2248-18-0x0000000000000000-mapping.dmp

      • memory/2272-26-0x0000000000000000-mapping.dmp

      • memory/2832-16-0x0000000000000000-mapping.dmp

      • memory/3024-19-0x0000000000000000-mapping.dmp

      • memory/3148-13-0x0000000000000000-mapping.dmp

      • memory/3464-24-0x0000000000000000-mapping.dmp

      • memory/3848-27-0x0000000000000000-mapping.dmp

      • memory/3916-28-0x0000000000000000-mapping.dmp

      • memory/3924-21-0x0000000000000000-mapping.dmp

      • memory/3960-22-0x0000000000000000-mapping.dmp

      • memory/3980-15-0x0000000000000000-mapping.dmp

      • memory/3984-29-0x0000000000000000-mapping.dmp

      • memory/4148-30-0x0000000000000000-mapping.dmp

      • memory/4172-31-0x0000000000000000-mapping.dmp

      • memory/4220-32-0x0000000000000000-mapping.dmp

      • memory/4296-33-0x0000000000000000-mapping.dmp

      • memory/4360-34-0x0000000000000000-mapping.dmp

      • memory/4400-35-0x0000000000000000-mapping.dmp

      • memory/4492-36-0x0000000000000000-mapping.dmp

      • memory/4596-37-0x0000000000000000-mapping.dmp

      • memory/4604-48-0x0000000000000000-mapping.dmp

      • memory/4636-38-0x0000000000000000-mapping.dmp

      • memory/4680-39-0x0000000000000000-mapping.dmp

      • memory/4740-40-0x0000000000000000-mapping.dmp

      • memory/4812-41-0x0000000000000000-mapping.dmp

      • memory/4868-42-0x0000000000000000-mapping.dmp

      • memory/4944-43-0x0000000000000000-mapping.dmp

      • memory/5004-49-0x0000000000000000-mapping.dmp

      • memory/5016-44-0x0000000000000000-mapping.dmp

      • memory/5072-45-0x0000000000000000-mapping.dmp

      • memory/5112-46-0x0000000000000000-mapping.dmp

      • memory/5156-50-0x0000000000000000-mapping.dmp

      • memory/6688-51-0x0000000000000000-mapping.dmp