Analysis
-
max time kernel
144s -
max time network
121s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
25/05/2021, 17:46
General
-
Target
a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe
-
Size
126KB
-
MD5
e1ff64f0910b1e31a12a17ecc9173250
-
SHA1
edee8ab5e9edae3c6f7fbff32151c9d9e2c7f360
-
SHA256
a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a
-
SHA512
10364700d1dd533bbf2345908067129386e119cb434ceaff55282a2ee2cc58fc9ddfca40fbc3e333dd4394436eabeb5c29268c088f94eec95abc69921af48428
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\READ_ME.crypted.txt
Ransom Note
Your files are encrypted.
If you want to unlock them send 50$ worth of bitcoin to this address: 36yFAmBGNDowqjXxbaPA2F3byPUoxWfZyz
After that email your transaction ID, pc code and username to: [email protected]
After that wait for our response and we will send you your unique password and decryptor.
Encrypted files:
C:\Users\Admin\Desktop\CompareDebug.jfif
C:\Users\Admin\Desktop\CompareSend.wvx
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Desktop\DisconnectReceive.lock
C:\Users\Admin\Desktop\ExportWait.eps
C:\Users\Admin\Desktop\GroupSave.mpa
C:\Users\Admin\Desktop\MountRestore.mht
C:\Users\Admin\Desktop\MountWait.ADT
C:\Users\Admin\Desktop\NewWait.aif
C:\Users\Admin\Desktop\OpenExit.mp3
C:\Users\Admin\Desktop\PublishRedo.js
C:\Users\Admin\Desktop\RedoImport.au3
C:\Users\Admin\Desktop\RedoStop.ini
C:\Users\Admin\Desktop\RemoveRestore.emf
C:\Users\Admin\Desktop\RenameConvertTo.dll
C:\Users\Admin\Desktop\RepairHide.wmf
C:\Users\Admin\Desktop\RequestEnable.htm
C:\Users\Admin\Desktop\RevokeFind.vdw
C:\Users\Admin\Desktop\SendStart.wpl
C:\Users\Admin\Desktop\SyncBlock.mhtml
C:\Users\Admin\Desktop\UninstallComplete.vsdm
C:\Users\Admin\Desktop\UnprotectComplete.jtx
C:\Users\Admin\Desktop\UseConvertFrom.wma
C:\Users\Admin\Desktop\WatchEnable.cfg
C:\Users\Admin\Pictures\ConvertToClear.crw
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\Pictures\DismountUnlock.pcx
C:\Users\Admin\Pictures\GetEdit.dib
C:\Users\Admin\Pictures\OpenSearch.pcx
C:\Users\Admin\Pictures\OptimizeConvertTo.gif
C:\Users\Admin\Pictures\RegisterCheckpoint.dxf
C:\Users\Admin\Pictures\ResizeCheckpoint.wmf
C:\Users\Admin\Pictures\RestoreGroup.eps
C:\Users\Admin\Pictures\SplitConvertTo.pcx
C:\Users\Admin\Pictures\TraceMerge.jpg
C:\Users\Admin\Pictures\UnlockCompress.dxf
C:\Users\Admin\Pictures\Wallpaper.jpg
C:\Users\Admin\Documents\AddOpen.vsd
C:\Users\Admin\Documents\Are.docx
C:\Users\Admin\Documents\DenyAdd.vsx
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Documents\DismountInvoke.pot
C:\Users\Admin\Documents\ExportPing.xps
C:\Users\Admin\Documents\Files.docx
C:\Users\Admin\Documents\FindJoin.pdf
C:\Users\Admin\Documents\GroupComplete.vstx
C:\Users\Admin\Documents\InstallSave.vdx
C:\Users\Admin\Documents\InvokeUnprotect.xps
C:\Users\Admin\Documents\MeasurePublish.docx
C:\Users\Admin\Documents\MoveFormat.xlt
C:\Users\Admin\Documents\Opened.docx
C:\Users\Admin\Documents\OpenRegister.ppt
C:\Users\Admin\Documents\ProtectDisconnect.pptm
C:\Users\Admin\Documents\ProtectUnlock.vsw
C:\Users\Admin\Documents\PushRedo.dotm
C:\Users\Admin\Documents\Recently.docx
C:\Users\Admin\Documents\RepairLimit.xla
C:\Users\Admin\Documents\RequestSet.vsdx
C:\Users\Admin\Documents\ResolvePublish.xps
C:\Users\Admin\Documents\RestartPop.vdw
C:\Users\Admin\Documents\RevokeSend.vsdx
C:\Users\Admin\Documents\SearchStart.vssx
C:\Users\Admin\Documents\SkipGrant.docx
C:\Users\Admin\Documents\These.docx
C:\Users\Admin\Documents\UnprotectAssert.txt
C:\Users\Admin\Documents\UnprotectResize.xlt
C:\Users\Admin\Documents\WaitBackup.mhtml
C:\Users\Admin\Documents\WriteInvoke.pub
Emails
Wallets
36yFAmBGNDowqjXxbaPA2F3byPUoxWfZyz
Signatures
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops desktop.ini file(s) 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe"C:\Users\Admin\AppData\Local\Temp\a653a4d7a1dd36b965591b6f55584ba3d73124eccc92e94ce28a71a0f0415f5a.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\READ_ME.crypted.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\READ_ME.crypted.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\READ_ME.crypted.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\WatchEnable.cfg.crypted1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WatchEnable.cfg.crypted2⤵
- Opens file in notepad (likely ransom note)
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
68KB