a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a

General

Target

a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
Size

126KB
MD5

e1ff64f0910b1e31a12a17ecc9173250
SHA1

edee8ab5e9edae3c6f7fbff32151c9d9e2c7f360
SHA256

a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a
SHA512

10364700d1dd533bbf2345908067129386e119cb434ceaff55282a2ee2cc58fc9ddfca40fbc3e333dd4394436eabeb5c29268c088f94eec95abc69921af48428

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\READ_ME.crypted.txt

Ransom Note

Your files are encrypted. If you want to unlock them send 50$ worth of bitcoin to this address: 36yFAmBGNDowqjXxbaPA2F3byPUoxWfZyz After that email your transaction ID, pc code and username to: kabayaboo@protonmail.com After that wait for our response and we will send you your unique password and decryptor. Encrypted files: C:\Users\Admin\Desktop\CompareDebug.jfif C:\Users\Admin\Desktop\CompareSend.wvx C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Desktop\DisconnectReceive.lock C:\Users\Admin\Desktop\ExportWait.eps C:\Users\Admin\Desktop\GroupSave.mpa C:\Users\Admin\Desktop\MountRestore.mht C:\Users\Admin\Desktop\MountWait.ADT C:\Users\Admin\Desktop\NewWait.aif C:\Users\Admin\Desktop\OpenExit.mp3 C:\Users\Admin\Desktop\PublishRedo.js C:\Users\Admin\Desktop\RedoImport.au3 C:\Users\Admin\Desktop\RedoStop.ini C:\Users\Admin\Desktop\RemoveRestore.emf C:\Users\Admin\Desktop\RenameConvertTo.dll C:\Users\Admin\Desktop\RepairHide.wmf C:\Users\Admin\Desktop\RequestEnable.htm C:\Users\Admin\Desktop\RevokeFind.vdw C:\Users\Admin\Desktop\SendStart.wpl C:\Users\Admin\Desktop\SyncBlock.mhtml C:\Users\Admin\Desktop\UninstallComplete.vsdm C:\Users\Admin\Desktop\UnprotectComplete.jtx C:\Users\Admin\Desktop\UseConvertFrom.wma C:\Users\Admin\Desktop\WatchEnable.cfg C:\Users\Admin\Pictures\ConvertToClear.crw C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\Pictures\DismountUnlock.pcx C:\Users\Admin\Pictures\GetEdit.dib C:\Users\Admin\Pictures\OpenSearch.pcx C:\Users\Admin\Pictures\OptimizeConvertTo.gif C:\Users\Admin\Pictures\RegisterCheckpoint.dxf C:\Users\Admin\Pictures\ResizeCheckpoint.wmf C:\Users\Admin\Pictures\RestoreGroup.eps C:\Users\Admin\Pictures\SplitConvertTo.pcx C:\Users\Admin\Pictures\TraceMerge.jpg C:\Users\Admin\Pictures\UnlockCompress.dxf C:\Users\Admin\Pictures\Wallpaper.jpg C:\Users\Admin\Documents\AddOpen.vsd C:\Users\Admin\Documents\Are.docx C:\Users\Admin\Documents\DenyAdd.vsx C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\Documents\DismountInvoke.pot C:\Users\Admin\Documents\ExportPing.xps C:\Users\Admin\Documents\Files.docx C:\Users\Admin\Documents\FindJoin.pdf C:\Users\Admin\Documents\GroupComplete.vstx C:\Users\Admin\Documents\InstallSave.vdx C:\Users\Admin\Documents\InvokeUnprotect.xps C:\Users\Admin\Documents\MeasurePublish.docx C:\Users\Admin\Documents\MoveFormat.xlt C:\Users\Admin\Documents\Opened.docx C:\Users\Admin\Documents\OpenRegister.ppt C:\Users\Admin\Documents\ProtectDisconnect.pptm C:\Users\Admin\Documents\ProtectUnlock.vsw C:\Users\Admin\Documents\PushRedo.dotm C:\Users\Admin\Documents\Recently.docx C:\Users\Admin\Documents\RepairLimit.xla C:\Users\Admin\Documents\RequestSet.vsdx C:\Users\Admin\Documents\ResolvePublish.xps C:\Users\Admin\Documents\RestartPop.vdw C:\Users\Admin\Documents\RevokeSend.vsdx C:\Users\Admin\Documents\SearchStart.vssx C:\Users\Admin\Documents\SkipGrant.docx C:\Users\Admin\Documents\These.docx C:\Users\Admin\Documents\UnprotectAssert.txt C:\Users\Admin\Documents\UnprotectResize.xlt C:\Users\Admin\Documents\WaitBackup.mhtml C:\Users\Admin\Documents\WriteInvoke.pub

Emails

kabayaboo@protonmail.com

Wallets

36yFAmBGNDowqjXxbaPA2F3byPUoxWfZyz

Signatures

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\ConvertToClear.crw.crypted	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_Classes\Local Settings rundll32.exe
Opens file in notepad (likely ransom note) 4 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXE

pid process

916 NOTEPAD.EXE
1740 NOTEPAD.EXE
1104 NOTEPAD.EXE
1388 NOTEPAD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe

description pid process

Token: SeDebugPrivilege 1748 a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe

pid process

1748 a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_Classes\Local Settings	rundll32.exe

pid	process
916	NOTEPAD.EXE
1740	NOTEPAD.EXE
1104	NOTEPAD.EXE
1388	NOTEPAD.EXE

description	pid	process
Token: SeDebugPrivilege	1748	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe

pid	process
1748	a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1960 wrote to memory of 1388	1960	rundll32.exe	NOTEPAD.EXE
PID 1960 wrote to memory of 1388	1960	rundll32.exe	NOTEPAD.EXE
PID 1960 wrote to memory of 1388	1960	rundll32.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
"C:\Users\Admin\AppData\Local\Temp\a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1748

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\READ_ME.crypted.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:916

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\READ_ME.crypted.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1740

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\READ_ME.crypted.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1104

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\WatchEnable.cfg.crypted
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WatchEnable.cfg.crypted
2⤵
- Opens file in notepad (likely ransom note)
PID:1388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\READ_ME.crypted.txt
MD5
2501d4102b74c5618996c57ea4376765

SHA1
6288d7898ccaee948a3951a94923d6872720a928

SHA256
30c921614d1b4495a48aea880e4b58f15ae0de076722d8fed20cc1f3bf66d732

SHA512
08de352e9cec73109cb2bb94b93a3a868907eb249ef60a632a5044bc24411aec14053946e8f6c5919596ab2554ea03fe814b01ad3d257c62c1a8b4c2945f5cbc

Download Submit
C:\Users\Admin\Desktop\WatchEnable.cfg.crypted
MD5
7567159e9939cbefc75ed8328c66d0c6

SHA1
ade3cb6877cc26e48a6d0a184fa012537557e693

SHA256
9a43a9c87757993ef6d616d75a41fbaff7b52db1f8dbeadeca2fa782edf81dfc

SHA512
f50e2ff913d08b14d2c980e74dd70b0505e824860dbe18800fddaa36c8518c9bd34bd7d6b1255ac6c980c5d71d83dcda136ba2d8df5e945719d0c3b860bbe1b1

Download Submit
memory/916-63-0x000007FEFB8F1000-0x000007FEFB8F3000-memory.dmp

Filesize
8KB

Download
memory/1388-68-0x0000000000000000-mapping.dmp

Download
memory/1748-59-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/1748-61-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/1748-62-0x0000000004C75000-0x0000000004C86000-memory.dmp

Filesize
68KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads