Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    26-07-2021 13:00

General

  • Target

    9695fc65d51d6045eb80bbda94d1971934f96f0641ad2ee260b0a26d124edaec.sample.exe

  • Size

    854KB

  • MD5

    1e27184759cc4099c0da73b152408281

  • SHA1

    cf71196d88354a8324fdaa12013a4d80aa3b7c55

  • SHA256

    9695fc65d51d6045eb80bbda94d1971934f96f0641ad2ee260b0a26d124edaec

  • SHA512

    f74da0c39a57b612c1e7cc3c6079b3ddd1f3393728ad4e375e5bb116229d66db2811e948008447a29c1c738cf9a707b5e8d4c8ec69cccf47af2e4c8d2373e5cf

Malware Config

Extracted

Path

C:\README1.txt

Ransom Note
Baши фaйлы были зaшифpoBaHы. ЧToбы pacшифpoBaTb иx, BaM HeoбxoдиMo oTпpaBиTb кoд: 27B20B4D5F1B4A15D017|540|3|8 Ha элeкTpoHHый aдpec VladimirScherbinin1991@gmail.com . Дaлee Bы пoлyчиTe Bce HeoбxoдиMыe иHcTpyкции. ПoпыTки pacшифpoBaTb caMocToяTeлbHo He пpиBeдyT Hи к чeMy, кpoMe бeзBoзBpaTHoй пoTepи иHфopMaции. Ecли Bы Bcё жe xoTиTe пoпыTaTbcя, To пpeдBapиTeлbHo cдeлaйTe peзepBHыe кoпии фaйлoB, иHaчe B cлyчae иx изMeHeHия pacшифpoBкa cTaHeT HeBoзMoжHoй Hи пpи кaкиx ycлoBияx. Ecли Bы He пoлyчили oTBeTa пo BышeyкaзaHHoMy aдpecy B TeчeHиe 48 чacoB (и Toлbкo B эToM cлyчae!), BocпoлbзyйTecb фopMoй oбpaTHoй cBязи. ЭTo MoжHo cдeлaTb дByMя cпocoбaMи: 1) CкaчaйTe и ycTaHoBиTe Tor Browser пo ccылкe: https://www.torproject.org/download/download-easy.html.en B aдpecHoй cTpoкe Tor Browser-a BBeдиTe aдpec: http://cryptsen7fo43rr6.onion/ и HaжMиTe Enter. ЗaгpyзиTcя cTpaHицa c фopMoй oбpaTHoй cBязи. 2) B любoM бpayзepe пepeйдиTe пo oдHoMy из aдpecoB: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/

All the important files on your computer were encrypted. To decrypt the files you should send the following code: 27B20B4D5F1B4A15D017|540|3|8 to e-mail address VladimirScherbinin1991@gmail.com . Then you will receive all necessary instructions. All the attempts of decryption by yourself will result only in irrevocable loss of your data. If you still want to try to decrypt them by yourself please make a backup at first because the decryption will become impossible in case of any changes inside the files. If you did not receive the answer from the aforecited email for more than 48 hours (and only in this case!), use the feedback form. You can do it by two ways: 1) Download Tor Browser from here: https://www.torproject.org/download/download-easy.html.en Install it and type the following address into the address bar: http://cryptsen7fo43rr6.onion/ Press Enter and then the page with feedback form will be loaded. 2) Go to the one of the following addresses in any browser: http://cryptsen7fo43rr6.onion.to/ http://cryptsen7fo43rr6.onion.cab/
Emails

VladimirScherbinin1991@gmail.com

URLs

http://cryptsen7fo43rr6.onion/

http://cryptsen7fo43rr6.onion.to/

http://cryptsen7fo43rr6.onion.cab/

Signatures

  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 12 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9695fc65d51d6045eb80bbda94d1971934f96f0641ad2ee260b0a26d124edaec.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\9695fc65d51d6045eb80bbda94d1971934f96f0641ad2ee260b0a26d124edaec.sample.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Local\Temp\9695fc65d51d6045eb80bbda94d1971934f96f0641ad2ee260b0a26d124edaec.sample.exe
      "C:\Users\Admin\AppData\Local\Temp\9695fc65d51d6045eb80bbda94d1971934f96f0641ad2ee260b0a26d124edaec.sample.exe"
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      PID:1972
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1256 -s 3000
    1⤵
    • Program crash
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:1896

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1 signature
  • Defense Evasion: Modify Registry (T1112), 2 signatures
  • Credential Access: Credentials in Files (T1081), 1 signature
  • Discovery: Query Registry (T1012), 1 signature
  • Discovery: System Information Discovery (T1082), 1 signature
  • Collection: Data from Local System (T1005), 1 signature
  • Impact: Defacement (T1491), 1 signature


Downloads

  • memory/1896-65-0x000007FEFC411000-0x000007FEFC413000-memory.dmp
    Filesize

    8KB

  • memory/1896-66-0x0000000002340000-0x0000000002341000-memory.dmp
    Filesize

    4KB

  • memory/1972-61-0x0000000000400000-0x00000000005D5000-memory.dmp
    Filesize

    1.8MB

  • memory/1972-62-0x00000000005D2A80-mapping.dmp
  • memory/1972-63-0x00000000765F1000-0x00000000765F3000-memory.dmp
    Filesize

    8KB

  • memory/1972-64-0x0000000000400000-0x00000000005D5000-memory.dmp
    Filesize

    1.8MB