Analysis

  • max time kernel
    20s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    30-04-2021 18:49

General

  • Target

    c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.bin.sample.exe

  • Size

    142KB

  • MD5

    f568229e696c0e82abb35ec73d162d5e

  • SHA1

    71889fdf2d7616f366c38072ef3d24b021068ab8

  • SHA256

    c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323

  • SHA512

    7dabdd3526e9b5d5ba4055e15455ed7a87706c534be2784cf85e70e89249aeada3a3e4480c6896220431fb131aa85a5538100d928087bacb3ae64f3643cea23e

Score
10/10

Malware Config

Extracted

Path

C:\odt\DECRYPT_NOTE.txt

Ransom Note
Hello THE AKA GROUP Your network was hacked! Files are encrypted by HellKitty! Data from your servers was dumped! At now this incident is a secret! To resolve this situation and decrypt files please contact us using TOR browser (https://www.torproject.org/) and your personal contact link in TOR network below. We will wait contact us within the next 3 days. In case of your disregard, we reserve the right to dispose of the dumped data at our discretion including publishing. IMPORTANT: Don't modify encrypted files or you can damage them and decryption will be impossible! Sorry for the inconvenience, it just business. Best Regards. Personal contact link: http://decrypts3nln3tic.onion/secret/53102f60dbbcb5765639504eab5da0341cbfd232e31d00a639adf9512bc1c487
URLs

http://decrypts3nln3tic.onion/secret/53102f60dbbcb5765639504eab5da0341cbfd232e31d00a639adf9512bc1c487
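
The "Extracted" block above is what a config extractor produces from the dropped note: the victim name the operators addressed, the family name they used, the deadline and the per-victim .onion link. As an added example (not code from the sandbox vendor or from the malware author), the Python below performs that extraction from the exact note text recovered at C:\odt\DECRYPT_NOTE.txt. The note is copied from this report; the regular expressions, field names and the `extract_config` function are this example's own assumptions about how such notes are laid out.

```python
import json
import re

# Ransom note text exactly as the sandbox recovered it from C:\odt\DECRYPT_NOTE.txt
# (copied from the report above; it is the only input this example parses).
NOTE = (
    "Hello THE AKA GROUP Your network was hacked! Files are encrypted by HellKitty! "
    "Data from your servers was dumped! At now this incident is a secret! To resolve this "
    "situation and decrypt files please contact us using TOR browser "
    "(https://www.torproject.org/) and your personal contact link in TOR network below. "
    "We will wait contact us within the next 3 days. In case of your disregard, we reserve "
    "the right to dispose of the dumped data at our discretion including publishing. "
    "IMPORTANT: Don't modify encrypted files or you can damage them and decryption will "
    "be impossible! Sorry for the inconvenience, it just business. Best Regards. "
    "Personal contact link: http://decrypts3nln3tic.onion/secret/"
    "53102f60dbbcb5765639504eab5da0341cbfd232e31d00a639adf9512bc1c487"
)

# A .onion host is 56 base32 characters (v3) or 16 (v2, as in this note); the
# clearnet torproject.org link in the note is deliberately not matched.
ONION_URL_RE = re.compile(
    r"https?://(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion(?:/[^\s\"'<>]*)?", re.I)
# The remaining patterns are assumptions about this note layout, not a published spec.
VICTIM_RE = re.compile(r"^Hello (.+?) Your network was hacked", re.I)
FAMILY_RE = re.compile(r"encrypted by ([A-Za-z0-9_-]+)!")
DEADLINE_RE = re.compile(r"within the next (\d+) days", re.I)
VICTIM_ID_RE = re.compile(r"/secret/([0-9a-f]{64})", re.I)


def extract_config(note: str) -> dict:
    """Pull the actionable fields out of a ransom note of the shape shown above.

    Missing fields come back as None / empty lists rather than raising, so the
    function can be run over arbitrary text files found on a host.
    """
    onion_urls = ONION_URL_RE.findall(note)          # all groups are non-capturing
    victim = VICTIM_RE.search(note)
    family = FAMILY_RE.search(note)
    deadline = DEADLINE_RE.search(note)
    # The 64-hex path segment is the per-victim identifier; collect it from every link.
    victim_ids = sorted({m.lower() for u in onion_urls for m in VICTIM_ID_RE.findall(u)})
    return {
        "victim": victim.group(1).strip() if victim else None,
        "family": family.group(1) if family else None,
        "deadline_days": int(deadline.group(1)) if deadline else None,
        "onion_urls": onion_urls,
        "victim_ids": victim_ids,
    }


if __name__ == "__main__":
    print(json.dumps(extract_config(NOTE), indent=2))
```

The victim identifier (the 64-hex path segment) is the field worth pivoting on: the same value across several notes indicates one intrusion, while a different value with the same .onion host indicates another victim of the same operator.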

Signatures

  • Modifies extensions of user files 13 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\c2498845ed4b287fd0f95528926c8ee620ef0cbb5b27865b2007d6379ffe4323.bin.sample.exe"
    • Modifies extensions of user files
    • Suspicious behavior: EnumeratesProcesses
    PID:624
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:3212

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

System Information Discovery

1
T1082
