Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
30-04-2021 18:49
Static task
static1
Behavioral task
behavioral1
Sample
c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.bin.sample.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.bin.sample.exe
Resource
win10v20210408
General
-
Target
c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.bin.sample.exe
-
Size
142KB
-
MD5
f568229e696c0e82abb35ec73d162d5e
-
SHA1
71889fdf2d7616f366c38072ef3d24b021068ab8
-
SHA256
c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323
-
SHA512
7dabdd3526e9b5d5ba4055e15455ed7a87706c534be2784cf85e70e89249aeada3a3e4480c6896220431fb131aa85a5538100d928087bacb3ae64f3643cea23e
Malware Config
Extracted
C:\MSOCache\DECRYPT_NOTE.txt
http://decrypts3nln3tic.onion/secret/53102f60dbbcb5765639504eab5da0341cbfd232e31d00a639adf9512bc1c487
Signatures
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.bin.sample.exedescription ioc process File renamed C:\Users\Admin\Pictures\PushDebug.tif => C:\Users\Admin\Pictures\PushDebug.tif.crypt c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.bin.sample.exe File renamed C:\Users\Admin\Pictures\RepairProtect.png => C:\Users\Admin\Pictures\RepairProtect.png.crypt c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.bin.sample.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache rundll32.exe -
Opens file in notepad (likely ransom note) 5 IoCs
Processes:
NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXEpid process 472 NOTEPAD.EXE 752 NOTEPAD.EXE 1644 NOTEPAD.EXE 1596 NOTEPAD.EXE 1340 NOTEPAD.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 1232 vssvc.exe Token: SeRestorePrivilege 1232 vssvc.exe Token: SeAuditPrivilege 1232 vssvc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 1424 wrote to memory of 1596 1424 rundll32.exe NOTEPAD.EXE PID 1424 wrote to memory of 1596 1424 rundll32.exe NOTEPAD.EXE PID 1424 wrote to memory of 1596 1424 rundll32.exe NOTEPAD.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.bin.sample.exe"1⤵
- Modifies extensions of user files
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\WriteInstall.wmf.crypt1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WriteInstall.wmf.crypt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DECRYPT_NOTE.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Documents\DECRYPT_NOTE.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\DECRYPT_NOTE.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Documents\DECRYPT_NOTE.txt1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\DECRYPT_NOTE.txtMD5
5558878edca8b3206ab6ee5fe57f6865
SHA1de18444b65432f299d87c2a3951e0ecc3aa52427
SHA256df20c9f2101bbc0512cbedf1f0e93c25263dc97562a2bccb6677523ffd3dedc0
SHA512f8a330f63e8c797ae67f2a5aa2c247cca08c688143f450bea732cad797c8d929c3a02c210c7b200aa597b3677fc9916aca6a3ca0070e28acc3747b39d693cf9c
-
C:\Users\Admin\Desktop\WriteInstall.wmf.cryptMD5
8483aafbd165440419e9aabd114da5ed
SHA10b2f8b1b36d56295ac374482ebd9d2775f9aadc6
SHA256b0e2fd938bd367da5ef3ac07487135c520b661503c6a28b97918b35ac93beb60
SHA512d3f8907810f6af83710776b2ac82a40674c3fe8a742f3a24e67f435328f95396ca3a8b54a8385fc24fa35cf48976126e5bb07f109aa52d83510523dd0d0110e6
-
C:\Users\Admin\Documents\DECRYPT_NOTE.txtMD5
5558878edca8b3206ab6ee5fe57f6865
SHA1de18444b65432f299d87c2a3951e0ecc3aa52427
SHA256df20c9f2101bbc0512cbedf1f0e93c25263dc97562a2bccb6677523ffd3dedc0
SHA512f8a330f63e8c797ae67f2a5aa2c247cca08c688143f450bea732cad797c8d929c3a02c210c7b200aa597b3677fc9916aca6a3ca0070e28acc3747b39d693cf9c
-
C:\Users\Public\Documents\DECRYPT_NOTE.txtMD5
5558878edca8b3206ab6ee5fe57f6865
SHA1de18444b65432f299d87c2a3951e0ecc3aa52427
SHA256df20c9f2101bbc0512cbedf1f0e93c25263dc97562a2bccb6677523ffd3dedc0
SHA512f8a330f63e8c797ae67f2a5aa2c247cca08c688143f450bea732cad797c8d929c3a02c210c7b200aa597b3677fc9916aca6a3ca0070e28acc3747b39d693cf9c
-
memory/368-59-0x0000000076661000-0x0000000076663000-memory.dmpFilesize
8KB
-
memory/1424-60-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmpFilesize
8KB
-
memory/1596-61-0x0000000000000000-mapping.dmp