Overview

overview

10

Static

static

10

863e4557e5...e1.exe

windows7_x64

10

863e4557e5...e1.exe

windows10_x64

10

Resubmissions

17-06-2021 13:31

210617-t6kkx9hs4j 10

Analysis

  • max time kernel
    144s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    17-06-2021 13:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe

  • Size

    128KB

  • MD5

    d687eb9fea18e6836bd572b2d180b144

  • SHA1

    0e7f076d59ab24ab04200415cb35037c619d0bae

  • SHA256

    863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1

  • SHA512

    16aed099d7d1131facb76591176566a9de9a140948f467b7a43d7518215ce24490956b0996d0f7638cf0d313947f12d91d145ebe4d584779e119707d59463684

Score
10/10
targetcompanyevasionransomware

Malware Config

Extracted

Path

C:\Users\Admin\How to decrypt files.txt

Family

targetcompany

Ransom Note
Your personal identifier: FBB809859CB0 All files on TOHNICHI network have been encrypted due to insufficient security. The only way to quickly and reliably regain access to your files is to contact us. The price depends on how fast you write to us. In other cases, you risk losing your time and access to data. Usually time is much more valuable than money. FAQ Q: How to contact us A: * Download Tor Browser - https://www.torproject.org/ * Open link in Tor Browser http://eghv5cpdsmuj5e6tpyjk5icgq642hqubildf6yrfnqlq3rmsqk2zanid.onion/contact * Follow the instructions on the website. Q: What guarantees? A: Before paying, we can decrypt several of your test files. Files should not contain valuable information. Q: Can I decrypt my data for free or through intermediaries? A: Use third party programs and intermediaries at your own risk. Third party software may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.�
URLs

http://eghv5cpdsmuj5e6tpyjk5icgq642hqubildf6yrfnqlq3rmsqk2zanid.onion/contact

Signatures

  • TargetCompany

    Ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.

    ransomwaretargetcompany
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Generic Ransomware Note 64 IoCs

    Ransomware often writes a note containing information on how to pay the ransom.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe
    "C:\Users\Admin\AppData\Local\Temp\863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Windows\system32\vssadmin.exe
      "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:1992
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1424
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1708
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1900
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1720
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1.exe" >> NUL
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1384
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1428

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1036-59-0x0000000075721000-0x0000000075723000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1384-66-0x0000000000000000-mapping.dmp

    Download

  • memory/1424-61-0x0000000000000000-mapping.dmp

    Download

  • memory/1708-63-0x0000000000000000-mapping.dmp

    Download

  • memory/1720-64-0x0000000000000000-mapping.dmp

    Download

  • memory/1732-65-0x0000000000000000-mapping.dmp

    Download

  • memory/1900-62-0x0000000000000000-mapping.dmp

    Download

  • memory/1992-60-0x0000000000000000-mapping.dmp

    Download