Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    01-07-2021 04:38

General

  • Target

    8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe

  • Size

    208KB

  • MD5

    7ee92bcaa1305c7964a993e7f1c3761c

  • SHA1

    6351e156b5fe1d3ae91fec6eb367782b1373111c

  • SHA256

    8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97

  • SHA512

    3b5114e9b3e53ac7711df9fa5ad3dc66ce309ade04768cd334f1e1f1b311a9c36f43e6cf167d338e94116ee08dc686c0a000064a40bb2913e1e8b6b8b143c387

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\HOW TO DECRYPT FILES.txt

Ransom Note Hi, as you can see, all your files are encrypted. Don't panic, you can decrypt them, you just have to pay me for the ransom. Payment is made only by bitcoin, and the amount you have to pay is 0.03 BITCOIN You can buy very easily from these sites: www.localbitcoins.com www.paxful.com A list of several sites where you can buy bitcoin can be found here: https://bitcoin.org/en/exchanges Make sure the address where you will send the bitcoin is: 1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd After sending, contact us at this email address: zucano@tuta.io With this subject: ZUCANO03TUTA394821 After confirming the payment, you will receive a tutorial and the keys for decrypting the files.
Emails

zucano@tuta.io

Wallets

1DENGvxJZofU9BVfiScrgZHhhntJ3sAPSd

Signatures

  • Drops file in Drivers directory ⋅ 7 IoCs
  • Modifies extensions of user files ⋅ 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file ⋅ 2 IoCs
  • Reads user/profile data of web browsers ⋅ 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application ⋅ 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) ⋅ 64 IoCs
  • Drops file in System32 directory ⋅ 64 IoCs
  • Drops file in Program Files directory ⋅ 64 IoCs
  • Drops file in Windows directory ⋅ 64 IoCs
  • Modifies registry class ⋅ 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe
    "C:\Users\Admin\AppData\Local\Temp\8a68388787a97c83448898eedb045f620f225538992467bae0ee5c1a1ca4dc97.exe"
    Drops file in Drivers directory
    Modifies extensions of user files
    Drops startup file
    Adds Run key to start application
    Drops desktop.ini file(s)
    Drops file in System32 directory
    Drops file in Program Files directory
    Drops file in Windows directory
    Modifies registry class
    PID:1404

Network

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Defense Evasion

    Discovery

      Execution

        Exfiltration

          Impact

            Initial Access

              Lateral Movement

                Privilege Escalation

                  Replay Monitor

                  00:00 00:00

                  Downloads

                  • C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini
                    MD5

                    ae826693a0ca88e37b7052d458249fe1

                    SHA1

                    7929f30c5e5dd96292be1c13e93cf838f47e4dcc

                    SHA256

                    e20d5d5e3c94e52b29d16162c0c7f96f3bebe443ed88e4f35159ae7055017661

                    SHA512

                    7133d36f2dbd2cfb1c74f09a86033ae91d9d8a52dc4535c78953ab128973332a2ecb3a69446dee8dff8bbcb80985236050520580799fe2106a4fa6318a4665df