68ea179770a48ab47976303c9b6db79df2a5213b505fa913201ee6ceabf63a76

General

Target

lsass.exe
Size

115KB
MD5

5a73d01f81ff11ec92dbc2233c05e15f
SHA1

1a05f691f72406155136ecfdf5ddee8e9bfa20ce
SHA256

68ea179770a48ab47976303c9b6db79df2a5213b505fa913201ee6ceabf63a76
SHA512

b58097ddc44ef98d7db107634c1fc8db18b0e1828096e8304aa5864bc14fda3fdc82d69c631c8af39cfbc32a23d6795b3a9d4b717f99860fa7b6bb048fcaecf1

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\DecryptGuide.txt

Ransom Note

[ATTENTION] All of your files are encrypted with RSA-2048 and AES-128 ciphers. Decrypting of your files is only possible with the private key and decrypt program. Backups were either encrypted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. No decryption software is available in the public. DO NOT RESET OR SHUTDOWN -files may be damaged. DO NOT DELETE this file. To confirm your decryption software, please send 2 or 3 different random files and you will get them decrypted. To get decryption, please contact us. ha7medtit@tutanota.com or araujosantos@protonmail.com You will receive btc address for payment in the reply letter. !!!Your CODE is : AAABAFxXlqBiGEoIVCFtKr20ZRvXxz

Emails

ha7medtit@tutanota.com

araujosantos@protonmail.com

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

lsass.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\MergeFormat.raw => C:\Users\Admin\Pictures\MergeFormat.raw.beaf	lsass.exe
File renamed	C:\Users\Admin\Pictures\UpdateGrant.crw => C:\Users\Admin\Pictures\UpdateGrant.crw.beaf	lsass.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Drops desktop.ini file(s) 1 IoCs

Processes:

lsass.exe

description ioc process

File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI lsass.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	lsass.exe

Drops file in Program Files directory 64 IoCs

Processes:

lsass.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\bear_formatted_rgb6.wmv	lsass.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImage.jpg	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv	lsass.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21548_.GIF	lsass.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_cloudy.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.security	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\DADSHIRT.HTM	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285792.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONFLICT.ICO	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMIMEE.CFG	lsass.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_dot.png	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmod_plugin.dll	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\bin\verify.dll	lsass.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\ECHO.ELM	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\sound.properties	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01639_.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106958.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00737_.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Waveform.xml	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Helsinki	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01126_.WMF	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grid.xml	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\REPTWIZ.POC	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\derby_common.bat	lsass.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_right.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_left.gif	lsass.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\webcompat@mozilla.org.xpi	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCHKBRD.XML	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB6.BDR	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115841.GIF	lsass.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanPhotoAlbum.potx	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar	lsass.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground.wmv	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar	lsass.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8	lsass.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00098_.WMF	lsass.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libdrawable_plugin.dll	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.ssl_1.0.0.v20140827-1444.jar	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7ES.LEX	lsass.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscene_plugin.dll	lsass.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pitcairn	lsass.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png	lsass.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)redStateIcon.png	lsass.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\vlc.mo	lsass.exe
File opened for modification	C:\Program Files\StartSave.cmd	lsass.exe
File opened for modification	C:\Program Files\Windows Journal\jnwppr.dll	lsass.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02041_.WMF	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1200 vssadmin.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1776 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

lsass.exe

pid process

1904 lsass.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 316 vssvc.exe
Token: SeRestorePrivilege 316 vssvc.exe
Token: SeAuditPrivilege 316 vssvc.exe

pid	process
1200	vssadmin.exe

pid	process
1776	NOTEPAD.EXE

pid	process
1904	lsass.exe

description	pid	process
Token: SeBackupPrivilege	316	vssvc.exe
Token: SeRestorePrivilege	316	vssvc.exe
Token: SeAuditPrivilege	316	vssvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

lsass.exe

description	pid	process	target process
PID 1904 wrote to memory of 1200	1904	lsass.exe	vssadmin.exe
PID 1904 wrote to memory of 1200	1904	lsass.exe	vssadmin.exe
PID 1904 wrote to memory of 1200	1904	lsass.exe	vssadmin.exe
PID 1904 wrote to memory of 1200	1904	lsass.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\lsass.exe
"C:\Users\Admin\AppData\Local\Temp\lsass.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1192

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DecryptGuide.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1776

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\DecryptGuide.txt
MD5
d599019c35bcad72f7b8694d4eeafcc9

SHA1
4e641bcdc69cdf65e7f0f6ce715068580f743a3d

SHA256
904b1783e38a288962e7d10f1d242c88250ca0843925abefc8d8f4851f4d96dc

SHA512
45176b6c7f00ad3f9e7dde74ed856289f49f74a13589e7f2dc5e966ca0c1007eb144a0d39d9f090f161e138e02f37b637abc9a522500858e58e1f3e7a1501f6d

Download Submit
memory/932-7-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp

Filesize
2.5MB

Download
memory/1192-4-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmp

Filesize
8KB

Download
memory/1200-3-0x0000000000000000-mapping.dmp

Download
memory/1904-2-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads