Overview

overview

10

Static

static

8

2.exe

windows7_x64

10

2.exe

windows10_x64

10

Analysis

  • max time kernel
    2s
  • max time network
    123s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    14-07-2021 19:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2.exe

  • Size

    2.4MB

  • MD5

    a1d45a1dfcf0c7b28819d2f3d9f8bd35

  • SHA1

    48b754be9094106fa3813c27e0a5e928c006f7ab

  • SHA256

    79b9e821bd34d0f1e5572eceb741caca3302cfaa4cfdf97c5ed78450355c4cbf

  • SHA512

    6c250f3530d7d246dc656fd1bbac203bb98b3fda83691bb67f95bd99d716a13fb867cebea638578fb9cb1ad482388fe0bfb80f5949b7fb9ac78d354ad72a322b

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Boot\Fonts\HOW TO RESTORE YOUR FILES.TXT

Ransom Note
Hello! Dear, Die Stambula Fahrservice GmbH! All your files are encrypted! We have downloaded more that 1.5TB of sensitive data from your company servers. Email me if you want to get your files back - I will do it very quickly! Contact me by email: aid.keepcalm@seznam.cz or aid.keepcalm@protonmail.com The subject line must contain an encryption extension or the name of your company! Do not rename encrypted files, you may lose them forever. You may be a victim of fraud. Free decryption as a guarantee. Send us up to 3 files for free decryption. The total file size should be no more than 1 MB! (not in the archive), and the files should not contain valuable information. (databases, backups, large Excel spreadsheets, etc.) !!! Do not turn off or restart the NAS equipment. This will lead to data loss !!! To contact us, we recommend that you create an email address at protonmail.com or tutanota.com Because gmail and other public email programs can block our messages! If you do not receive a response from us for a long time, check your spam folder. Additional ways to communicate in tox chat https://tox.chat/ contact our tox id: 7229828E766B9058D329B2B4BC0EDDD11612CBCCFA4811532CABC76ACF703074E0D1501F8418
Emails

aid.keepcalm@seznam.cz

aid.keepcalm@protonmail.com
URLs

https://tox.chat/

Signatures

  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:568
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\esuiuotu.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:996
      • C:\Windows\system32\sc.exe
        SC QUERY
        3⤵
          PID:1768
        • C:\Windows\system32\findstr.exe
          FINDSTR SERVICE_NAME
          3⤵
            PID:1496
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlfegvlqgwwhn.bat
          2⤵
            PID:2884

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\esuiuotu.bat
          MD5

          55310bb774fff38cca265dbc70ad6705

          SHA1

          cb8d76e9fd38a0b253056e5f204dab5441fe932b

          SHA256

          1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d

          SHA512

          40e5a5e8454ca3eaac36d732550e2c5d869a235e3bbc4d31c4afa038fe4e06f782fa0885e876ad8119be766477fdcc12c1d5d04d53cf6b324e366b5351fc7cd4

          Download Submit
        • memory/996-114-0x0000000000000000-mapping.dmp
          Download
        • memory/1496-117-0x0000000000000000-mapping.dmp
          Download
        • memory/1768-116-0x0000000000000000-mapping.dmp
          Download
        • memory/2884-118-0x0000000000000000-mapping.dmp
          Download