Resubmissions
- 14-01-2022 07:24  220114-h8pfvsehf8  10
- 12-05-2021 05:57  210512-aqe1a5ra6a  10
- 12-05-2021 04:08  210512-1jz67cazwa  10
Analysis
- max time kernel: 123s
- max time network: 125s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 12-05-2021 04:08
Static task: static1
Behavioral task: behavioral1
- Sample: c4da0137cbb99626fd44da707ae1bca8.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: c4da0137cbb99626fd44da707ae1bca8.exe
- Resource: win10v20210410
General
- Target: c4da0137cbb99626fd44da707ae1bca8.exe
- Size: 60KB
- MD5: c4da0137cbb99626fd44da707ae1bca8
- SHA1: a38e9891152755d9e7fff7386bb5a1bca375bd91
- SHA256: 1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a
- SHA512: dd8212ff73522c6590ff8d8a3a48276fd872649eada2315b045c8c9f6cf054c3fe6cd741a16744eb82eff763acb745f07336c44db8f0c693770180cf7fd90645
Malware Config
Extracted
C:\\README.949640ab.TXT
http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC
http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68
Signatures
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: c4da0137cbb99626fd44da707ae1bca8.exe
- File opened for modification: C:\Users\Admin\Pictures\UnprotectPush.crw.949640ab (c4da0137cbb99626fd44da707ae1bca8.exe)
- File opened for modification: C:\Users\Admin\Pictures\ClearRename.tif.949640ab (c4da0137cbb99626fd44da707ae1bca8.exe)
- File opened for modification: C:\Users\Admin\Pictures\GrantSave.png.949640ab (c4da0137cbb99626fd44da707ae1bca8.exe)
- File opened for modification: C:\Users\Admin\Pictures\JoinEdit.png.949640ab (c4da0137cbb99626fd44da707ae1bca8.exe)
- File opened for modification: C:\Users\Admin\Pictures\TestUnprotect.png.949640ab (c4da0137cbb99626fd44da707ae1bca8.exe)
Drops startup file 2 IoCs
Processes: c4da0137cbb99626fd44da707ae1bca8.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.949640ab.TXT (c4da0137cbb99626fd44da707ae1bca8.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.949640ab.TXT (c4da0137cbb99626fd44da707ae1bca8.exe)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: c4da0137cbb99626fd44da707ae1bca8.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\949640ab.BMP" (c4da0137cbb99626fd44da707ae1bca8.exe)
Modifies Control Panel 2 IoCs
Processes: c4da0137cbb99626fd44da707ae1bca8.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "10" (c4da0137cbb99626fd44da707ae1bca8.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop (c4da0137cbb99626fd44da707ae1bca8.exe)
Modifies data under HKEY_USERS 1 IoCs
Processes: c4da0137cbb99626fd44da707ae1bca8.exe
- Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\949640ab.BMP" (c4da0137cbb99626fd44da707ae1bca8.exe)
Modifies registry class 5 IoCs
Processes: c4da0137cbb99626fd44da707ae1bca8.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\949640ab\DefaultIcon\ = "C:\\ProgramData\\949640ab.ico" (c4da0137cbb99626fd44da707ae1bca8.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.949640ab (c4da0137cbb99626fd44da707ae1bca8.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.949640ab\ = "949640ab" (c4da0137cbb99626fd44da707ae1bca8.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\949640ab\DefaultIcon (c4da0137cbb99626fd44da707ae1bca8.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\949640ab (c4da0137cbb99626fd44da707ae1bca8.exe)
Suspicious use of WriteProcessMemory 8 IoCs
Processes: c4da0137cbb99626fd44da707ae1bca8.exe, c4da0137cbb99626fd44da707ae1bca8.exe
- PID 2040 wrote to memory of 1232 (c4da0137cbb99626fd44da707ae1bca8.exe -> c4da0137cbb99626fd44da707ae1bca8.exe), 4 events
- PID 1232 wrote to memory of 1772 (c4da0137cbb99626fd44da707ae1bca8.exe -> c4da0137cbb99626fd44da707ae1bca8.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe"
  PID: 1268
- C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe"
  PID: 2040
  signatures: Suspicious use of WriteProcessMemory
  - (child) C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe"
    PID: 1232
    signatures: Sets desktop wallpaper using registry; Modifies Control Panel; Modifies data under HKEY_USERS; Modifies registry class; Suspicious use of WriteProcessMemory
    - (child) C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe
      command line: C:\Users\Admin\AppData\Local\Temp\c4da0137cbb99626fd44da707ae1bca8.exe -work worker0 -path \\?\C:\
      PID: 1772
      signatures: Modifies extensions of user files; Drops startup file