Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    30-04-2021 18:49

General

  • Target

    c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.bin.sample.exe

  • Size

    142KB

  • MD5

    f568229e696c0e82abb35ec73d162d5e

  • SHA1

    71889fdf2d7616f366c38072ef3d24b021068ab8

  • SHA256

    c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323

  • SHA512

    7dabdd3526e9b5d5ba4055e15455ed7a87706c534be2784cf85e70e89249aeada3a3e4480c6896220431fb131aa85a5538100d928087bacb3ae64f3643cea23e

Score
10/10

Malware Config

Extracted

Path

C:\MSOCache\DECRYPT_NOTE.txt

Ransom Note
Hello THE AKA GROUP Your network was hacked! Files are encrypted by HellKitty! Data from your servers was dumped! At now this incident is a secret! To resolve this situation and decrypt files please contact us using TOR browser (https://www.torproject.org/) and your personal contact link in TOR network below. We will wait contact us within the next 3 days. In case of your disregard, we reserve the right to dispose of the dumped data at our discretion including publishing. IMPORTANT: Don't modify encrypted files or you can damage them and decryption will be impossible! Sorry for the inconvenience, it just business. Best Regards. Personal contact link: http://decrypts3nln3tic.onion/secret/53102f60dbbcb5765639504eab5da0341cbfd232e31d00a639adf9512bc1c487
URLs

http://decrypts3nln3tic.onion/secret/53102f60dbbcb5765639504eab5da0341cbfd232e31d00a639adf9512bc1c487

Signatures

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.bin.sample.exe"
    1⤵
    • Modifies extensions of user files
    PID:368
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1232
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\WriteInstall.wmf.crypt
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1424
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WriteInstall.wmf.crypt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1596
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DECRYPT_NOTE.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1340
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Documents\DECRYPT_NOTE.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:472
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\DECRYPT_NOTE.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:752
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Documents\DECRYPT_NOTE.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1644

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    System Information Discovery (T1082): 1 matching signature (Enumerates physical storage devices)


Downloads

  • C:\Users\Admin\Desktop\DECRYPT_NOTE.txt
    MD5

    5558878edca8b3206ab6ee5fe57f6865

    SHA1

    de18444b65432f299d87c2a3951e0ecc3aa52427

    SHA256

    df20c9f2101bbc0512cbedf1f0e93c25263dc97562a2bccb6677523ffd3dedc0

    SHA512

    f8a330f63e8c797ae67f2a5aa2c247cca08c688143f450bea732cad797c8d929c3a02c210c7b200aa597b3677fc9916aca6a3ca0070e28acc3747b39d693cf9c

  • C:\Users\Admin\Desktop\WriteInstall.wmf.crypt
    MD5

    8483aafbd165440419e9aabd114da5ed

    SHA1

    0b2f8b1b36d56295ac374482ebd9d2775f9aadc6

    SHA256

    b0e2fd938bd367da5ef3ac07487135c520b661503c6a28b97918b35ac93beb60

    SHA512

    d3f8907810f6af83710776b2ac82a40674c3fe8a742f3a24e67f435328f95396ca3a8b54a8385fc24fa35cf48976126e5bb07f109aa52d83510523dd0d0110e6

  • C:\Users\Admin\Documents\DECRYPT_NOTE.txt
    MD5

    5558878edca8b3206ab6ee5fe57f6865

    SHA1

    de18444b65432f299d87c2a3951e0ecc3aa52427

    SHA256

    df20c9f2101bbc0512cbedf1f0e93c25263dc97562a2bccb6677523ffd3dedc0

    SHA512

    f8a330f63e8c797ae67f2a5aa2c247cca08c688143f450bea732cad797c8d929c3a02c210c7b200aa597b3677fc9916aca6a3ca0070e28acc3747b39d693cf9c

  • C:\Users\Public\Documents\DECRYPT_NOTE.txt
    MD5

    5558878edca8b3206ab6ee5fe57f6865

    SHA1

    de18444b65432f299d87c2a3951e0ecc3aa52427

    SHA256

    df20c9f2101bbc0512cbedf1f0e93c25263dc97562a2bccb6677523ffd3dedc0

    SHA512

    f8a330f63e8c797ae67f2a5aa2c247cca08c688143f450bea732cad797c8d929c3a02c210c7b200aa597b3677fc9916aca6a3ca0070e28acc3747b39d693cf9c

  • memory/368-59-0x0000000076661000-0x0000000076663000-memory.dmp
    Filesize

    8KB

  • memory/1424-60-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp
    Filesize

    8KB

  • memory/1596-61-0x0000000000000000-mapping.dmp
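The report records three host-level indicators worth sweeping for: user files renamed to a `.crypt` extension (Signatures), `DECRYPT_NOTE.txt` dropped into several directories with identical hashes (Downloads), and a per-victim TOR contact link embedded in the note (Malware Config). The script below is an added example, not part of the sandbox output; it is written in Python so it runs offline against a mounted image or a copied directory tree. The hash values and the `.onion` link are copied from the report. Everything else, the function names, the constructed note text, and the directory tree `demo()` lays down, is this example's own test data and does not come from the sample.

```python
"""IoC sweep for the behaviour recorded in this report: '.crypt' appended to
user files, DECRYPT_NOTE.txt dropped into several directories, and a TOR
contact link inside the note.

Added example, not part of the sandbox output. Hash values and the .onion
link are copied from the report; the tree scanned by demo() is constructed
test data, and the function names are this example's own.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Values copied from the report.
SAMPLE_SHA256 = "c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323"
NOTE_SHA256 = "df20c9f2101bbc0512cbedf1f0e93c25263dc97562a2bccb6677523ffd3dedc0"
NOTE_NAME = "DECRYPT_NOTE.txt"
ENCRYPTED_EXT = ".crypt"

# The note ends with "Personal contact link: http://<host>.onion/secret/<64 hex>".
# The hex token is per-victim, so it is captured separately from the host.
CONTACT_RE = re.compile(
    r"https?://([a-z2-7]{16,56}\.onion)/secret/([0-9a-f]{64})", re.IGNORECASE
)


def sha256_file(path):
    """Stream a file through SHA-256 (encrypted files can be large)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_contact(note_text):
    """Return (onion_host, victim_token) from a ransom note, or None."""
    match = CONTACT_RE.search(note_text)
    return (match.group(1).lower(), match.group(2).lower()) if match else None


def sweep(root):
    """Walk root and collect the report's indicators.

    Extension and note file name are matched by name; the dropped-note hash
    is checked separately because it only matches a byte-identical note,
    which a note addressed to a different victim will not be.
    """
    hits = {
        "encrypted": [],        # files carrying the appended .crypt extension
        "notes": [],            # every DECRYPT_NOTE.txt found
        "note_hash_match": [],  # notes byte-identical to the report's dropped note
        "sample_match": [],     # executables hashing to the sample's SHA-256
        "contacts": set(),      # (onion host, victim token) pairs seen in notes
    }
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() == ENCRYPTED_EXT:
                hits["encrypted"].append(str(path))
            if name == NOTE_NAME:
                hits["notes"].append(str(path))
                if sha256_file(path) == NOTE_SHA256:
                    hits["note_hash_match"].append(str(path))
                contact = parse_contact(path.read_text(errors="replace"))
                if contact:
                    hits["contacts"].add(contact)
            elif path.suffix.lower() == ".exe" and sha256_file(path) == SAMPLE_SHA256:
                hits["sample_match"].append(str(path))
    hits["contacts"] = sorted(hits["contacts"])
    return hits


# Constructed note for the demo: abbreviated wording, only the contact link is
# the one from the report, so its hash will NOT equal NOTE_SHA256.
CONSTRUCTED_NOTE = (
    "Your network was hacked! Files are encrypted by HellKitty!\n"
    "Personal contact link: http://decrypts3nln3tic.onion/secret/"
    "53102f60dbbcb5765639504eab5da0341cbfd232e31d00a639adf9512bc1c487\n"
)


def build_constructed_tree(base):
    """Lay down a small victim-like tree (constructed test data, not real artefacts)."""
    admin_docs = Path(base, "Users", "Admin", "Documents")
    public_docs = Path(base, "Users", "Public", "Documents")
    for directory in (admin_docs, public_docs):
        directory.mkdir(parents=True, exist_ok=True)
        (directory / NOTE_NAME).write_text(CONSTRUCTED_NOTE)
    (admin_docs / "budget.xlsx.crypt").write_bytes(b"\x00" * 64)  # stand-in ciphertext
    (admin_docs / "untouched.txt").write_text("plain file, must not be flagged")


def demo():
    """Run the sweep over the constructed tree and return the hit table."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        return sweep(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The split between name-based and hash-based checks is the point: the three `DECRYPT_NOTE.txt` copies in the report share one SHA-256 because they are identical on this host, but the note carries the victim name and a per-victim `/secret/<token>` path, so the hash will not match on another infection while the file name, the `.crypt` extension and the `.onion` host still will. Treat `contacts` as the indicator to pivot on across hosts and keep the hash match as confirmation only.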