Analysis
-
max time kernel
158s -
max time network
161s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
28-08-2021 21:06
General
-
Target
b8f76d9cd83557379f3fe8b5dd080f9a.exe
-
Size
274KB
-
MD5
b8f76d9cd83557379f3fe8b5dd080f9a
-
SHA1
5420b910b3230a670a79a6193fc76a7864a51967
-
SHA256
a92eb964d56ff8dccb926598aca597a6244d10334f264aafcba9752a30dbe9b3
-
SHA512
bab66ea8ffc11c79f0312f3d551b6230ae3f7b79125121fd5af8e3310f967aef8b77bafa2552a2fdbd2b08024b5d8719ec3821e47e67ba42e5a66150c30594ac
Score
10/10
Malware Config
Extracted
Path
C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
Family
buran
Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED !!!
All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.
PAY FAST 500$=0.013 btc
or the price will increase tomorrow
bitcoin address
bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8
To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free.
But this file should be of not valuable!
Do you really want to restore your files?
[email protected]
TELEGRAM @ payfast290
Your personal ID: BEB-200-31C
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Extracted
Family
smokeloader
Version
2020
C2
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
rc4.i32
rc4.i32
Extracted
Family
redline
Botnet
WORD1
C2
94.26.249.88:1902
Extracted
Family
raccoon
Botnet
20d9c80657d1d0fda9625cbd629ba419b8a34404
Attributes
-
url4cnc
https://telete.in/hfuimoneymake
rc4.plain
rc4.plain
Extracted
Family
redline
Botnet
nn
C2
135.181.49.56:47634
Extracted
Family
redline
Botnet
superstar75737
C2
95.181.152.190:33007
Extracted
Family
redline
Botnet
1000
C2
94.103.9.138:80
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 9 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
UAC bypass 3 TTPs
-
Windows security bypass 2 TTPs
-
Async RAT payload 2 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Nirsoft 4 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 15 IoCs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 8 IoCs
Detects Themida, an advanced Windows software protection system.
-
Uses the VBS compiler for execution 1 TTPs
-
Windows security modification 2 TTPs 10 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 5 IoCs
-
Drops desktop.ini file(s) 7 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 14 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b8f76d9cd83557379f3fe8b5dd080f9a.exe"C:\Users\Admin\AppData\Local\Temp\b8f76d9cd83557379f3fe8b5dd080f9a.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b8f76d9cd83557379f3fe8b5dd080f9a.exe"C:\Users\Admin\AppData\Local\Temp\b8f76d9cd83557379f3fe8b5dd080f9a.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\F65C.exeC:\Users\Admin\AppData\Local\Temp\F65C.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 7322⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 7482⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 7522⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 8802⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 11842⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 12482⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 8362⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 11962⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 13082⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 8282⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 13202⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 12882⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 13722⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 12402⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\F757.exeC:\Users\Admin\AppData\Local\Temp\F757.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\FD34.exeC:\Users\Admin\AppData\Local\Temp\FD34.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\9A8.exeC:\Users\Admin\AppData\Local\Temp\9A8.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\EBA.exeC:\Users\Admin\AppData\Local\Temp\EBA.exe1⤵
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\9d287169-f322-41a5-af1a-2d9817e29c04\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\9d287169-f322-41a5-af1a-2d9817e29c04\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\9d287169-f322-41a5-af1a-2d9817e29c04\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9d287169-f322-41a5-af1a-2d9817e29c04\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\9d287169-f322-41a5-af1a-2d9817e29c04\AdvancedRun.exe" /SpecialRun 4101d8 40523⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\EBA.exe" -Force2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\EBA.exe" -Force2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1330.exeC:\Users\Admin\AppData\Local\Temp\1330.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2300.exeC:\Users\Admin\AppData\Local\Temp\2300.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Fineeest_.exe"C:\Users\Admin\AppData\Local\Temp\Fineeest_.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Local\Temp\PryntVirus.exe"C:\Users\Admin\AppData\Local\Temp\PryntVirus.exe"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All3⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile4⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr All4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid3⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650014⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid4⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Local\Temp\PryntVirus.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000 hq.exe"C:\Users\Admin\AppData\Local\Temp\1000 hq.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\24C6.exeC:\Users\Admin\AppData\Local\Temp\24C6.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start2⤵
- Executes dropped EXE
- Enumerates connected drives
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet3⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -agent 03⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe2⤵
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
Bypass User Account Control
1Disabling Security Tools
4File Deletion
2Modify Registry
6Scripting
1Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.0MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
6.0MB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
25.6MB
-
Filesize
1.3MB
-
Filesize
124KB
-
Filesize
8KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
88KB
-
Filesize
6.0MB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
36KB
-
Filesize
28KB
-
Filesize
48KB
-
Filesize
25.7MB
-
Filesize
572KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
196KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
4KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
428KB
-
Filesize
464KB
-
Filesize
696KB
-
Filesize
36KB
-
Filesize
60KB