Analysis

  • max time kernel
    101s
  • max time network
    80s
  • platform
    windows7_x64
  • resource
    win7-en
  • submitted
    07-09-2021 13:56

General

  • Target

    44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe

  • Size

    1.1MB

  • MD5

    fc95d7841f298dbe638cbe63d7878d89

  • SHA1

    919324ceb106a872866c9b78612094666644b03d

  • SHA256

    44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78

  • SHA512

    b7a581dda18cf09b9b4f69e922244efb90b8494536e1281b01a86a5dcc25cf0a3edc1361895b4bbd305eb8368471a37b811c4ce956f8e047f8aab7365fb2b45f

Malware Config

Extracted

Path

C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\ReadMe.txt

Ransom Note
Gentlemen! Your business is at serios risk . There is a significant hole in the security system of your company. We have easily penetrated your network. You should thank the Lord for being hacked by serios people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. All files on each host in the network have been encrypted with a strong algorithm Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannoDecryptor etc. repair tools Are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet ) and attach 2 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc. )) You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We dont need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. 
Contact emails Primary email : unibovwood1984@protonmail.com Secondary email : ormecha19@tutanota.com
Emails

unibovwood1984@protonmail.com

ormecha19@tutanota.com

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, session tokens and autofill entries. In a ransomware sample this usually means the operator is collecting data for extortion leverage or lateral movement before encryption.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 40 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
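A host-side sweep for the file indicators this report lists, added here as an example and not part of the sandbox output. It hashes every file under a root and compares against the SHA-256 values from the General and Downloads sections, and, because a ransom note's hash rarely survives the actor's per-victim edits or a copy that changes line endings, it falls back to the two contact addresses for any file named ReadMe.txt. The demo tree, the stand-in binary, the `readme.txt` name filter and the e-mail regex are my own assumptions.

```python
"""Sweep a directory tree for the file indicators listed in this report.

Added example, not part of the sandbox report. The SHA-256 values, the
contact addresses and the drop path are copied from the report; the fallback
content match and the constructed demo tree are my own.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Indicators copied from the report.
KNOWN_SHA256 = {
    "44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78": "submitted sample",
    "57976e286311302bb9c2bc4b379984002fdaf4dd44a47e969827f96aebd87a47": "self-delete .bat",
    "87de37c3692d3b960ab8f73c7ecd12d7894cb2042ba5741ffbcf8e769f284d63": "ReadMe.txt ransom note",
}
NOTE_EMAILS = {"unibovwood1984@protonmail.com", "ormecha19@tutanota.com"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")  # assumed, generic


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def note_emails(path: Path) -> set:
    """Report contact addresses present in a candidate note (empty on read error)."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return set()
    return NOTE_EMAILS & set(EMAIL_RE.findall(text))


def sweep(root, known=KNOWN_SHA256) -> list:
    """(path, reason) for every file under root that matches an indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            digest = sha256_file(p)
            if digest in known:
                hits.append((str(p), "sha256 match: " + known[digest]))
            # The note hash is fragile (per-victim edits, CRLF changes on copy),
            # so also match on the contact addresses, the stable part of the note.
            elif name.lower() == "readme.txt" and note_emails(p):
                hits.append((str(p), "ransom note by contact e-mail"))
    return hits


def demo() -> list:
    """Constructed tree: a look-alike note at the report's drop path, a benign
    README, and a stand-in binary whose hash we register ourselves here only to
    exercise the hash path (a real sweep relies on the report's hashes)."""
    root = Path(tempfile.mkdtemp())
    note_dir = root / "ProgramData" / "Adobe" / "Acrobat" / "9.0" / "Replicate" / "Security"
    note_dir.mkdir(parents=True)
    (note_dir / "ReadMe.txt").write_text(
        "Contact emails Primary email : unibovwood1984@protonmail.com "
        "Secondary email : ormecha19@tutanota.com\n"
    )
    (root / "ReadMe.txt").write_text("Build with make; see docs/.\n")  # benign, no hit
    stand_in = root / "sample.bin"
    stand_in.write_bytes(b"MZ not the real dropper")  # constructed bytes
    known = dict(KNOWN_SHA256, **{sha256_file(stand_in): "stand-in binary"})
    return sweep(root, known)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Run it against a mounted image or a live host root; the hash matches are exact and the e-mail fallback is what will actually fire on a later variant of the same note.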

Processes

  • C:\Users\Admin\AppData\Local\Temp\44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
    "C:\Users\Admin\AppData\Local\Temp\44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe"
    1⤵
    • Drops startup file
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1136
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\44F0B6~1.BAT
      2⤵
      • Deletes itself
      PID:344
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ReadMe.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:668
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1764
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x2b8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1624
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1892
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\ReadMe.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:340
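The self-delete and note-display steps in the tree above, expressed as detection logic over process-creation events. This is an added example, not part of the sandbox report: the events are constructed to mirror the tree (images, PIDs and command lines from the report; parent PIDs and the benign installer pair are invented), and the field names follow Sysmon Event ID 1 without parsing real Sysmon output. One detail worth encoding: the dropper runs its cleanup script by its 8.3 alias, 44F0B6~1.BAT, not by the long name 44f0b6ee...exe.bat listed under Downloads, so a rule that compares the script name with the parent binary has to accept both forms.

```python
"""Flag the two process-tree patterns shown in this report in
process-creation events.

Added example, not part of the sandbox report. EVENTS is constructed to
mirror the report's tree (images, PIDs and command lines copied from it;
parent PIDs and the benign installer rows are invented for the demo).
"""
import ntpath
import re

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# "cmd /c X.bat" or 'cmd.exe /c "C:\path with spaces\X.bat"'
CMD_C_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+(?:"(?P<q>[^"]+\.bat)"|(?P<u>\S+\.bat))', re.IGNORECASE
)
NOTE_RE = re.compile(r'notepad\.exe"?\s+"?(?P<note>[^"]*readme\.txt)"?$', re.IGNORECASE)


def bat_stem(bat_path: str) -> str:
    """Name part a self-delete script was derived from. 44F0B6~1.BAT is the
    8.3 alias of 44f0b6ee...exe.bat (assumed rule: first six characters, then
    ~N), so only the text before '~' is comparable with the parent's name."""
    base = ntpath.basename(bat_path).upper()
    if base.endswith(".BAT"):
        base = base[:-4]
    return base.split("~", 1)[0]


def is_self_delete(event: dict, parent: dict) -> bool:
    """cmd.exe /c <Temp>\\X.bat where the parent binary also lives in that
    Temp directory and X is its own file name (long or 8.3 form)."""
    m = CMD_C_RE.search(event["CommandLine"])
    if not m or parent is None:
        return False
    bat = m.group("q") or m.group("u")
    parent_img = parent["Image"]
    if not (TEMP_DIR_RE.search(bat) and TEMP_DIR_RE.search(parent_img)):
        return False
    same_dir = ntpath.dirname(bat).lower() == ntpath.dirname(parent_img).lower()
    derived = ntpath.basename(parent_img).upper().startswith(bat_stem(bat))
    return same_dir and derived


def detect(events: list) -> list:
    """Return (pid, rule, detail) for each event that matches a rule."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        image = ntpath.basename(e["Image"]).lower()
        parent = by_pid.get(e["ParentProcessId"])
        if image == "cmd.exe" and is_self_delete(e, parent):
            alerts.append((e["ProcessId"], "self-delete via temp batch file", parent["Image"]))
        m = NOTE_RE.search(e["CommandLine"])
        if image == "notepad.exe" and m:
            # Low fidelity on its own (people open README files); corroborating signal.
            alerts.append((e["ProcessId"], "ransom note displayed", m.group("note")))
    return alerts


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe")
EVENTS = [  # constructed; parent PIDs are not from the report
    {"ProcessId": 1764, "ParentProcessId": 1000, "Image": "C:\\Windows\\explorer.exe",
     "CommandLine": '"C:\\Windows\\explorer.exe"'},
    {"ProcessId": 1136, "ParentProcessId": 1764, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"ProcessId": 344, "ParentProcessId": 1136, "Image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "CommandLine": "cmd /c C:\\Users\\Admin\\AppData\\Local\\Temp\\44F0B6~1.BAT"},
    {"ProcessId": 668, "ParentProcessId": 1764, "Image": "C:\\Windows\\system32\\NOTEPAD.EXE",
     "CommandLine": '"C:\\Windows\\system32\\NOTEPAD.EXE" C:\\Users\\Admin\\Desktop\\ReadMe.txt'},
    # Invented benign pair: an installer cleaning up from Program Files.
    {"ProcessId": 2000, "ParentProcessId": 1764, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "CommandLine": '"C:\\Program Files\\Vendor\\setup.exe"'},
    {"ProcessId": 2001, "ParentProcessId": 2000, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'cmd.exe /c "C:\\Program Files\\Vendor\\cleanup.bat"'},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The self-delete rule keys on three things together (cmd /c on a .bat, both the script and the parent in the user's Temp directory, and the script named after the parent), which is why the installer's cleanup from Program Files does not fire. The six-character 8.3 prefix is a weak comparison on its own; the directory and Temp checks carry the rule.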

Network

No network indicators are listed for this run.

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion: Modify Registry, T1112 (1)
  • Credential Access: Credentials in Files, T1081 (1)
  • Discovery: Query Registry, T1012 (1)
  • Discovery: Peripheral Device Discovery, T1120 (1)
  • Discovery: System Information Discovery, T1082 (2)
  • Collection: Data from Local System, T1005 (1)

    The number after each ID is the count of signatures mapped to that technique. The IDs follow ATT&CK v6: T1081 was deprecated in later versions and is now T1552.001 (Unsecured Credentials: Credentials In Files), so translate it before importing these tags into a current matrix.


Downloads

    • C:\Users\Admin\AppData\Local\Temp\44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe.bat
      MD5

      837c409563fc188640223174a9af63c7

      SHA1

      f67029d8acc3322e0b3be0498ec8ce68476fa3db

      SHA256

      57976e286311302bb9c2bc4b379984002fdaf4dd44a47e969827f96aebd87a47

      SHA512

      3008f150f91a8e8a180f53fe1c8a6acc55364e732f5e54f8c78d6169459a16817d0a6e389355b26d641348ece017e3148a9c2daf0e3150ef507382cd960d3ca0

    • C:\Users\Admin\Desktop\ReadMe.txt
      MD5

      d0fb4838a9b950e6311e0fd7d18c138c

      SHA1

      1f96f64bd12434d6216040a20d6631f9d9d35c7b

      SHA256

      87de37c3692d3b960ab8f73c7ecd12d7894cb2042ba5741ffbcf8e769f284d63

      SHA512

      d853cba6e1dcab9a36f61f1f495128c6e739637d6ec478fe4d0d2d8ab7fb8601131ffcd30538b5943ce3ef932e574394b3c899c6ecff7a19f97d1c27d0eee488

    • C:\Users\Admin\Documents\Are.docx
      MD5

      5ed40f0ec8b466a61a280b9b1865f84f

      SHA1

      9c7e0a790648b6618986ae9436021c2f65416ae0

      SHA256

      c0c010fe6f8a5796e287a59c98a6464e3f87f3c709cc608a62d07737f5b0ebac

      SHA512

      f846cf54de58bbc25729f82cb37c55dd36de917b88bc368b313f5e79d14d3823ba56bc9b5ae65e4ecc87fd4b2f99c8bf10d42bef475099b0f9f4943d4d509e10

    • C:\Users\Admin\Documents\ReadMe.txt
      MD5

      d0fb4838a9b950e6311e0fd7d18c138c

      SHA1

      1f96f64bd12434d6216040a20d6631f9d9d35c7b

      SHA256

      87de37c3692d3b960ab8f73c7ecd12d7894cb2042ba5741ffbcf8e769f284d63

      SHA512

      d853cba6e1dcab9a36f61f1f495128c6e739637d6ec478fe4d0d2d8ab7fb8601131ffcd30538b5943ce3ef932e574394b3c899c6ecff7a19f97d1c27d0eee488

    • memory/344-54-0x0000000000000000-mapping.dmp
    • memory/668-56-0x000007FEFBD11000-0x000007FEFBD13000-memory.dmp
      Filesize

      8KB

    • memory/1136-53-0x0000000075641000-0x0000000075643000-memory.dmp
      Filesize

      8KB

    • memory/1892-59-0x0000000072801000-0x0000000072804000-memory.dmp
      Filesize

      12KB

    • memory/1892-60-0x0000000070281000-0x0000000070283000-memory.dmp
      Filesize

      8KB

    • memory/1892-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB

    • memory/1892-64-0x000000005FFF0000-0x0000000060000000-memory.dmp
      Filesize

      64KB