Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    01-07-2021 04:38

General

  • Target

    155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe

  • Size

    4MB

  • MD5

    568db4e58977f0795730755b16c80b07

  • SHA1

    23231aea7dcc02eaab9c2f248bbd949d1770db8c

  • SHA256

    155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23

  • SHA512

    a426b5e9a4786af6558c28a577b5197704cbe224818daf2519f36a9b0f65e2f0d55e7b49f5a5ea177784fb27a4d54f0cca7125b51180b2ccf7d431375ef32c88

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\HOW TO DECRYPT FILES.txt

Ransom Note

Hi, as you can see, all your files are encrypted. Don't panic, you can decrypt them, you just have to pay me for the ransom. Payment is made only by bitcoin, and the amount you have to pay is 0.03 BITCOIN You can buy very easily from these sites: www.localbitcoins.com www.paxful.com A list of several sites where you can buy bitcoin can be found here: https://bitcoin.org/en/exchanges Make sure the address where you will send the bitcoin is: 1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd After sending, contact us at this email address: zucano@tuta.io With this subject: ZUCANO03TUTA394821 After confirming the payment, you will receive a tutorial and the keys for decrypting the files.

Emails

zucano@tuta.io

Wallets

1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd

Signatures

  • Drops file in Drivers directory ⋅ 7 IoCs
  • Modifies extensions of user files ⋅ 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file ⋅ 2 IoCs
  • Reads user/profile data of web browsers ⋅ 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application ⋅ 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) ⋅ 64 IoCs
  • Drops file in System32 directory ⋅ 64 IoCs
  • Drops file in Program Files directory ⋅ 64 IoCs
  • Drops file in Windows directory ⋅ 64 IoCs
  • Modifies registry class ⋅ 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    "C:\Users\Admin\AppData\Local\Temp\155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe"
    Drops file in Drivers directory
    Modifies extensions of user files
    Drops startup file
    Adds Run key to start application
    Drops desktop.ini file(s)
    Drops file in System32 directory
    Drops file in Program Files directory
    Drops file in Windows directory
    Modifies registry class
    PID:3920

Network

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation


Downloads

  • C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini

    MD5

    ae826693a0ca88e37b7052d458249fe1

    SHA1

    7929f30c5e5dd96292be1c13e93cf838f47e4dcc

    SHA256

    e20d5d5e3c94e52b29d16162c0c7f96f3bebe443ed88e4f35159ae7055017661

    SHA512

    7133d36f2dbd2cfb1c74f09a86033ae91d9d8a52dc4535c78953ab128973332a2ecb3a69446dee8dff8bbcb80985236050520580799fe2106a4fa6318a4665df