Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    01-07-2021 04:38

General

  • Target

    155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe

  • Size

    4MB

  • MD5

    568db4e58977f0795730755b16c80b07

  • SHA1

    23231aea7dcc02eaab9c2f248bbd949d1770db8c

  • SHA256

    155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23

  • SHA512

    a426b5e9a4786af6558c28a577b5197704cbe224818daf2519f36a9b0f65e2f0d55e7b49f5a5ea177784fb27a4d54f0cca7125b51180b2ccf7d431375ef32c88

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\HOW TO DECRYPT FILES.txt

Ransom Note
Hi, as you can see, all your files are encrypted. Don't panic, you can decrypt them, you just have to pay me for the ransom. Payment is made only by bitcoin, and the amount you have to pay is 0.03 BITCOIN You can buy very easily from these sites: www.localbitcoins.com www.paxful.com A list of several sites where you can buy bitcoin can be found here: https://bitcoin.org/en/exchanges Make sure the address where you will send the bitcoin is: 1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd After sending, contact us at this email address: zucano@tuta.io With this subject: ZUCANO03TUTA394821 After confirming the payment, you will receive a tutorial and the keys for decrypting the files.
Emails

zucano@tuta.io

Wallets

1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd

Signatures

  • Drops file in Drivers directory 7 IoCs
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies registry class 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe
    "C:\Users\Admin\AppData\Local\Temp\155eaec829906d3b03ce5f8064200bcdb4023886816550dfd91bb5d20571df23.exe"
    1⤵
    • Drops file in Drivers directory
    • Modifies extensions of user files
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    PID:3920

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Collection

Data from Local System

1
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini
    MD5

    ae826693a0ca88e37b7052d458249fe1

    SHA1

    7929f30c5e5dd96292be1c13e93cf838f47e4dcc

    SHA256

    e20d5d5e3c94e52b29d16162c0c7f96f3bebe443ed88e4f35159ae7055017661

    SHA512

    7133d36f2dbd2cfb1c74f09a86033ae91d9d8a52dc4535c78953ab128973332a2ecb3a69446dee8dff8bbcb80985236050520580799fe2106a4fa6318a4665df