Analysis

  • max time kernel
    146s
  • max time network
    111s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    18/05/2021, 13:05

General

  • Target

    data.cmp.exe

  • Size

    281KB

  • MD5

    0e61e496fc218c1c6dc1f5640a3ac7e5

  • SHA1

    aae1b11aa9f2b0a2e32577db8026b843dc16a79d

  • SHA256

    a0070951284e17ec843b498d0a11f4a2ebb8ce64c9f27faf7af96124fd691b1e

  • SHA512

    7b7d6acf3a8f1f2c948cdac035543715d0dc235a169f01127579685f54c7851b06130d5ac4db9345cdb2a6fedfec0395fe306d2f2f2a2bfa45847e325e0c49fd

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\FILES ENCRYPTED.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .4E2840E1
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: 7puh3g2lpzut32wetfpohiireazmhoyrkllqescem2jd567rdur2ojyd.onion/contact/4E2840E1
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
If your country have blocked the TOR network.You can get there by the following ways:
----------------------------------------------------------------------------------------
| 1. Open link in any browser: decryptmyfiles.top/contact/4E2840E1
| 2. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION! IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN KEY---
KR8fSB0QHkwdHEofS0sQHxFMHExKSB0RTRtPGh8ZTRkfHx9IHRAeTB0cSh9LSxAfEUwcTEpIHRFNSBoZGxFNSxhLSE9PShkcHhEdGx5PEUwdHRoRERBIHSk4jQWred91ml6zpMrAuPL/u53vtMML6uqEc17emfyEFgN8V7PRsQU+qGYwwsg5j1k9BlzXqfyJVuTRTUtukHf62kYCBlAZS+I6H8efD35IT9DfoOKpQkfi0N+g4qlCR+KpXUo/PbutIP6sW1V41LbOlKo9MC19uFpvyFGS12HJjbUrndbS/WIlrVybi9Gxwti2Ob1sO7dz+KZ9hoFnjixtwAHub+ALWrqBiE9plZNjFV6l4WW8ZWpQDxmriSHFJKkzg6Fepyhww4kNXrIaeHIt3oO5f5xC2OUWjzmchRACkWznWJsqDeCDTNW5gfySyO6EgLXmgv59ooSAteaC/n2i�
---END KEY---
URLs

http://7puh3g2lpzut32wetfpohiireazmhoyrkllqescem2jd567rdur2ojyd.onion/contact/4E2840E1

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\info.hta

Ransom Note
All your files have been encrypted!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .4E2840E1
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
Free decryption as guarantee
Before paying you can decrypt 1 file for free on our site. The size of file must be less than 2Mb (non archived), and the file should not contain valuable information. (databases,backups, large excel sheets, etc.)
The server with your key is in a closed network Tor. You can get there by the following ways:
Download Tor browser - https://www.torproject.org/
Install Tor browser
Open link in Tor browser: http://7puh3g2lpzut32wetfpohiireazmhoyrkllqescem2jd567rdur2ojyd.onion/contact/4E2840E1
Follow the instructions on this page
If your country have blocked the Tor network.You can get there by the following ways:
Open link in any browser: http://decryptmyfiles.top/contact/4E2840E1
Follow the instructions on this page
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
URLs

http://7puh3g2lpzut32wetfpohiireazmhoyrkllqescem2jd567rdur2ojyd.onion/contact/4E2840E1

http://decryptmyfiles.top/contact/4E2840E1

Extracted

Path

C:\Users\Admin\Desktop\FILES ENCRYPTED.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .4E2840E1
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: 7puh3g2lpzut32wetfpohiireazmhoyrkllqescem2jd567rdur2ojyd.onion/contact/4E2840E1
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
If your country have blocked the TOR network.You can get there by the following ways:
----------------------------------------------------------------------------------------
| 1. Open link in any browser: decryptmyfiles.top/contact/4E2840E1
| 2. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION! IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN KEY---
a11dCl9SXA5fXghdCQlSXVMOXg4ICl9TD1kNWF1bD1tdXV0KX1JcDl9eCF0JCVJdUw5eDggKX1MPClhbWVMPCVoJCg0NCFteXFNfWVwNUw5fX1hTU1IKX0I4jQWred91ml6zpMrAuPL/u53vtMML6uqEc17emfyEFgN8V7PRsQU+qGYwwsg5j1k9BlzXqfyJVuTRTUtukHf62kYCBlAZS+I6H8efD35ITxs7wy332yq03U8qVsTwVgR+89AaJivMDPoiVu+J4WNq+dBIoH0/EkIvs91lIZgLlwzhBbt7ywNA5OXlOIRaTWI7DYhybtPYiL7f1wcvPmzFFHMRk5p7BdBNALrqqcjGiGt1KmEexY/9XRARWgU4wrHrP4ShICZOr45A/iodUCZ+6xX5YxJMq/bQWw5Vdz75djcFN+aHxjBGsQfwd7tMT+sVEI9F/xZ14S/OWa6iHKqR�
---END KEY---
URLs

http://7puh3g2lpzut32wetfpohiireazmhoyrkllqescem2jd567rdur2ojyd.onion/contact/4E2840E1
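
The three extractions above carry the same indicators in a fixed layout: the appended extension, a Tor contact URL whose last path segment repeats the victim ID, a clearnet fallback URL, and (in the .txt note only) a base64 key block the victim is told not to modify. The Python below is an added example, not part of the sandbox output, that pulls those fields out of a note and checks that the extension and the contact ID agree. SAMPLE_NOTE is a constructed, abridged copy of the FILES ENCRYPTED.txt text with a dummy base64 string in place of the real key blob; the field names and regexes are my own.

```python
import base64
import re

# Constructed sample, abridged from the FILES ENCRYPTED.txt note in this report.
# The key block is a dummy base64 string ("dummy key blob"), not the real blob.
SAMPLE_NOTE = """Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .4E2840E1
The only method of recovering files is to purchase an unique private key.
| 3. Open link in TOR browser: 7puh3g2lpzut32wetfpohiireazmhoyrkllqescem2jd567rdur2ojyd.onion/contact/4E2840E1
| 1. Open link in any browser: decryptmyfiles.top/contact/4E2840E1
---BEGIN KEY---
ZHVtbXkga2V5IGJsb2I=
---END KEY---
"""

# "extension: .4E2840E1" -> the appended extension (hex victim ID with a leading dot)
EXT_RE = re.compile(r"extension:\s*(\.[0-9A-Fa-f]+)")
# host/contact/<id>; works for the bare-host form in the .txt and the http:// form in the .hta
CONTACT_RE = re.compile(r"\b([a-z0-9][a-z0-9.-]*)/contact/([0-9A-Fa-f]+)\b")
# Everything between the key markers; DOTALL because the blob may be wrapped
KEY_RE = re.compile(r"---BEGIN KEY---\s*(.*?)\s*---END KEY---", re.S)


def parse_ransom_note(text):
    """Extract the victim ID, contact URLs and key blob from a note in the format above."""
    result = {
        "extension": None, "victim_id": None,
        "onion_url": None, "clearnet_url": None,
        "key_b64": None, "key_bytes": None,
        "ids_consistent": False,
    }

    m = EXT_RE.search(text)
    if m:
        result["extension"] = m.group(1)

    ids = set()
    for host, victim_id in CONTACT_RE.findall(text):
        ids.add(victim_id)
        url = f"{host}/contact/{victim_id}"
        if host.endswith(".onion"):
            result["onion_url"] = url
        else:
            result["clearnet_url"] = url
    # Only trust the ID if every contact URL in the note agrees on it
    if len(ids) == 1:
        result["victim_id"] = ids.pop()

    m = KEY_RE.search(text)
    if m:
        # Whitespace inside the block is line wrapping, not data; keep the blob verbatim otherwise
        blob = "".join(m.group(1).split())
        result["key_b64"] = blob
        try:
            result["key_bytes"] = base64.b64decode(blob, validate=True)
        except ValueError:
            # Not clean base64 (e.g. extraction damage); keep the raw text, drop the decode
            result["key_bytes"] = None

    ext, vid = result["extension"], result["victim_id"]
    result["ids_consistent"] = ext is not None and vid is not None and ext[1:] == vid
    return result


if __name__ == "__main__":
    for key, value in parse_ransom_note(SAMPLE_NOTE).items():
        print(f"{key:<15} {value!r}")
```

The victim ID is the pivot: it is the file extension, the URL path on both contact sites, and the thing the key block binds the victim to on the operator side. Keep the original note bytes as evidence and run the parser on a copy; the blob in the .txt note is what the victim is expected to paste into the contact page, so an analyst should never "tidy" it.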

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\data.cmp.exe
    "C:\Users\Admin\AppData\Local\Temp\data.cmp.exe"
    1⤵
    • Drops startup file
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start "" "explorer.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\info.hta
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\Windows\SysWOW64\explorer.exe
        "explorer.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\info.hta
        3⤵
        PID:1732
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:760
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
      2⤵
      PID:408
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      PID:676

  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1056

  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\info.hta"
      2⤵
      • Checks whether UAC is enabled
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      PID:432

  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
    1⤵
    PID:1384

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:652
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:472068 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1644
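
The three cmd.exe children of PID 452 (vssadmin Delete Shadows, then the two bcdedit changes) are the recovery-inhibition sequence that makes this a ransomware tree rather than a generic dropper: shadow copies are removed, Windows Recovery is switched off for the default boot entry, and boot failures are told not to trigger the recovery environment. The Python below is an added example, not part of the sandbox output, that scans (pid, image, command line) records for that sequence and tags each hit with the MITRE ATT&CK technique: T1490 (Inhibit System Recovery) for the vssadmin and bcdedit commands and T1218.005 (Mshta) for mshta.exe launching the dropped info.hta out of the Startup folder. It goes beyond this sample by also covering the wmic shadowcopy delete and wbadmin delete catalog variants other families use. SAMPLE_PROCESSES is transcribed from the tree above and treated as constructed input; the rule names and record layout are my own.

```python
import re

# (pid, image path, command line) records transcribed from the process tree above.
# Used here as constructed test input; the tuple layout is my own.
SAMPLE_PROCESSES = [
    (452, r"C:\Users\Admin\AppData\Local\Temp\data.cmp.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\data.cmp.exe"'),
    (1572, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd.exe /c start "" "explorer.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\info.hta'),
    (1812, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet'),
    (760, r"C:\Windows\SysWOW64\vssadmin.exe",
     r"vssadmin.exe Delete Shadows /All /Quiet"),
    (408, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No'),
    (676, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures'),
    (432, r"C:\Windows\SysWOW64\mshta.exe",
     r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\info.hta"'),
    (1384, r"C:\Windows\system32\NOTEPAD.EXE",
     r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt'),
]

# (rule name, ATT&CK technique, regex). Regexes run over a lower-cased,
# whitespace-collapsed command line so quoting and spacing tricks do not matter.
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b")),           # variant, not in this sample
    ("backup_catalog_deletion", "T1490",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b")),           # variant, not in this sample
    ("recovery_disabled", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b")),
    ("boot_failure_ignored", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b")),
    ("mshta_from_startup_folder", "T1218.005",
     re.compile(r"\bmshta\.exe.*\\start menu\\programs\\startup\\")),
]


def normalise(cmdline):
    """Lower-case and collapse runs of whitespace so the rules match regardless of spacing."""
    return " ".join(cmdline.lower().split())


def scan_processes(processes):
    """Return (pid, rule_name, technique) for every record whose command line matches a rule."""
    findings = []
    for pid, _image, cmdline in processes:
        norm = normalise(cmdline)
        for name, technique, pattern in RULES:
            if pattern.search(norm):
                findings.append((pid, name, technique))
    return findings


def recovery_inhibited(findings):
    """High-confidence ransomware signal: a shadow-copy or backup-catalog deletion together
    with a bcdedit recovery change, the combination this report shows. Either alone can be
    legitimate administration; the pair within one process tree almost never is."""
    names = {name for _pid, name, _technique in findings}
    deleted = bool(names & {"shadow_copy_deletion", "backup_catalog_deletion"})
    tampered = bool(names & {"recovery_disabled", "boot_failure_ignored"})
    return deleted and tampered


if __name__ == "__main__":
    hits = scan_processes(SAMPLE_PROCESSES)
    for pid, name, technique in hits:
        print(f"PID {pid:>5}  {technique:<10} {name}")
    print("recovery inhibited:", recovery_inhibited(hits))
```

Because the rules run on the full command line, the parent cmd.exe (PID 1812) is flagged as well as the vssadmin.exe it spawns (PID 760), which is what you want when the child never appears in telemetry. In production the records would come from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled; without the command line, all four recovery-inhibition processes here look like ordinary cmd.exe launches.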

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/452-60-0x00000000753E1000-0x00000000753E3000-memory.dmp

    Filesize

    8KB

  • memory/960-69-0x000007FEFBEF1000-0x000007FEFBEF3000-memory.dmp

    Filesize

    8KB

  • memory/1644-78-0x00000000009F0000-0x00000000009F2000-memory.dmp

    Filesize

    8KB

  • memory/1732-67-0x00000000746E1000-0x00000000746E3000-memory.dmp

    Filesize

    8KB