Analysis
- max time kernel: 145s
- max time network: 123s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 17/06/2021, 04:35
Static task: static1
Behavioral task: behavioral1 (Sample: e1.bin.exe, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: e1.bin.exe, Resource: win10v20210410)
General
- Target: e1.bin.exe
- Size: 128KB
- MD5: d687eb9fea18e6836bd572b2d180b144
- SHA1: 0e7f076d59ab24ab04200415cb35037c619d0bae
- SHA256: 863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1
- SHA512: 16aed099d7d1131facb76591176566a9de9a140948f467b7a43d7518215ce24490956b0996d0f7638cf0d313947f12d91d145ebe4d584779e119707d59463684
Malware Config
Extracted from C:\Users\Admin\How to decrypt files.txt:
- http://eghv5cpdsmuj5e6tpyjk5icgq642hqubildf6yrfnqlq3rmsqk2zanid.onion/contact
Signatures

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  pid   Process
  1696  bcdedit.exe
  1280  bcdedit.exe

- Modifies extensions of user files (1 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description   ioc                                                                                                     Process
  File renamed  C:\Users\Admin\Pictures\OptimizeUninstall.crw => C:\Users\Admin\Pictures\OptimizeUninstall.crw.tohnichi  e1.bin.exe

- Deletes itself (1 IoCs)
  pid   Process
  1720  cmd.exe

- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\Y:  e1.bin.exe
  File opened (read-only)  \??\A:  e1.bin.exe
  File opened (read-only)  \??\H:  e1.bin.exe
  File opened (read-only)  \??\S:  e1.bin.exe
  File opened (read-only)  \??\T:  e1.bin.exe
  File opened (read-only)  \??\X:  e1.bin.exe
  File opened (read-only)  \??\F:  e1.bin.exe
  File opened (read-only)  \??\M:  e1.bin.exe
  File opened (read-only)  \??\O:  e1.bin.exe
  File opened (read-only)  \??\V:  e1.bin.exe
  File opened (read-only)  \??\W:  e1.bin.exe
  File opened (read-only)  \??\P:  e1.bin.exe
  File opened (read-only)  \??\Q:  e1.bin.exe
  File opened (read-only)  \??\R:  e1.bin.exe
  File opened (read-only)  \??\U:  e1.bin.exe
  File opened (read-only)  \??\K:  e1.bin.exe
  File opened (read-only)  \??\L:  e1.bin.exe
  File opened (read-only)  \??\N:  e1.bin.exe
  File opened (read-only)  \??\B:  e1.bin.exe
  File opened (read-only)  \??\E:  e1.bin.exe
  File opened (read-only)  \??\G:  e1.bin.exe
  File opened (read-only)  \??\I:  e1.bin.exe
  File opened (read-only)  \??\J:  e1.bin.exe
  File opened (read-only)  \??\Z:  e1.bin.exe
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   Process
  1984  vssadmin.exe

- Modifies registry class (14 IoCs)
  description      ioc                                                                                                                          Process
  Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\tohnichi_auto_file\shell\open\command                     rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\tohnichi_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_Classes\Local Settings                                            rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\tohnichi_auto_file                                        rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.tohnichi                                                 rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\tohnichi_auto_file\shell                                  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\tohnichi_auto_file\shell\edit\command                     rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\.tohnichi\ = "tohnichi_auto_file"                         rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\tohnichi_auto_file\shell\edit                             rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_Classes\Local Settings                                            rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\tohnichi_auto_file\                                       rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\tohnichi_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\tohnichi_auto_file\shell\open                             rundll32.exe

- Opens file in notepad (likely ransom note) (1 IoCs)
  pid  Process
  900  NOTEPAD.EXE

- Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  1556  PING.EXE

- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  1080  e1.bin.exe

- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description                        pid   Process
  Token: SeTakeOwnershipPrivilege    1080  e1.bin.exe
  Token: SeDebugPrivilege            1080  e1.bin.exe
  Token: SeBackupPrivilege           836   vssvc.exe
  Token: SeRestorePrivilege          836   vssvc.exe
  Token: SeAuditPrivilege            836   vssvc.exe
  Token: 33                          1392  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  1392  AUDIODG.EXE
  Token: 33                          1392  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  1392  AUDIODG.EXE

- Suspicious use of WriteProcessMemory (28 IoCs)
  description                        pid   Process       procid_target
  PID 1080 wrote to memory of 1984   1080  e1.bin.exe    27
  PID 1080 wrote to memory of 1984   1080  e1.bin.exe    27
  PID 1080 wrote to memory of 1984   1080  e1.bin.exe    27
  PID 1080 wrote to memory of 1984   1080  e1.bin.exe    27
  PID 1080 wrote to memory of 1204   1080  e1.bin.exe    29
  PID 1080 wrote to memory of 1204   1080  e1.bin.exe    29
  PID 1080 wrote to memory of 1204   1080  e1.bin.exe    29
  PID 1080 wrote to memory of 1204   1080  e1.bin.exe    29
  PID 1080 wrote to memory of 1788   1080  e1.bin.exe    31
  PID 1080 wrote to memory of 1788   1080  e1.bin.exe    31
  PID 1080 wrote to memory of 1788   1080  e1.bin.exe    31
  PID 1080 wrote to memory of 1788   1080  e1.bin.exe    31
  PID 1204 wrote to memory of 1696   1204  cmd.exe       33
  PID 1204 wrote to memory of 1696   1204  cmd.exe       33
  PID 1204 wrote to memory of 1696   1204  cmd.exe       33
  PID 1788 wrote to memory of 1280   1788  cmd.exe       34
  PID 1788 wrote to memory of 1280   1788  cmd.exe       34
  PID 1788 wrote to memory of 1280   1788  cmd.exe       34
  PID 960 wrote to memory of 900     960   rundll32.exe  51
  PID 960 wrote to memory of 900     960   rundll32.exe  51
  PID 960 wrote to memory of 900     960   rundll32.exe  51
  PID 1080 wrote to memory of 1720   1080  e1.bin.exe    55
  PID 1080 wrote to memory of 1720   1080  e1.bin.exe    55
  PID 1080 wrote to memory of 1720   1080  e1.bin.exe    55
  PID 1080 wrote to memory of 1720   1080  e1.bin.exe    55
  PID 1720 wrote to memory of 1556   1720  cmd.exe       57
  PID 1720 wrote to memory of 1556   1720  cmd.exe       57
  PID 1720 wrote to memory of 1556   1720  cmd.exe       57
Processes
(indentation shows process tree depth; each entry lists image path, PID, command line and the signatures it triggered)

- C:\Users\Admin\AppData\Local\Temp\e1.bin.exe (PID 1080)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e1.bin.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\vssadmin.exe (PID 1984)
      Command line: "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
      - Interacts with shadow copies

    - C:\Windows\system32\cmd.exe (PID 1204)
      Command line: "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      - Suspicious use of WriteProcessMemory

        - C:\Windows\system32\bcdedit.exe (PID 1696)
          Command line: bcdedit /set {current} bootstatuspolicy ignoreallfailures
          - Modifies boot configuration data using bcdedit

    - C:\Windows\system32\cmd.exe (PID 1788)
      Command line: "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
      - Suspicious use of WriteProcessMemory

        - C:\Windows\system32\bcdedit.exe (PID 1280)
          Command line: bcdedit /set {current} recoveryenabled no
          - Modifies boot configuration data using bcdedit

    - C:\Windows\system32\cmd.exe (PID 1720)
      Command line: "C:\Windows\sysnative\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\e1.bin.exe" >> NUL
      - Deletes itself
      - Suspicious use of WriteProcessMemory

        - C:\Windows\system32\PING.EXE (PID 1556)
          Command line: ping 127.0.0.1
          - Runs ping.exe

- C:\Windows\system32\vssvc.exe (PID 836)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\AUDIODG.EXE (PID 1392)
  Command line: C:\Windows\system32\AUDIODG.EXE 0xc8
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\rundll32.exe (PID 1500)
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Pictures\HideResolve.svgz.tohnichi
  - Modifies registry class

- C:\Windows\system32\NOTEPAD.EXE (PID 1928)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Documents\How to decrypt files.txt

- C:\Windows\system32\NOTEPAD.EXE (PID 220)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\How to decrypt files.txt

- C:\Windows\system32\rundll32.exe (PID 960)
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\Opened.docx.tohnichi
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\NOTEPAD.EXE (PID 900)
      Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Opened.docx.tohnichi
      - Opens file in notepad (likely ransom note)

- C:\Windows\system32\NOTEPAD.EXE (PID 1056)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\How to decrypt files.txt

- C:\Windows\SysWOW64\DllHost.exe (PID 1924)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}