Analysis

  • max time kernel: 101s
  • max time network: 80s
  • platform: windows7_x64
  • resource: win7-en
  • submitted: 07/09/2021, 13:56

General

  • Target: 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  • Size: 1.1MB
  • MD5: fc95d7841f298dbe638cbe63d7878d89
  • SHA1: 919324ceb106a872866c9b78612094666644b03d
  • SHA256: 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78
  • SHA512: b7a581dda18cf09b9b4f69e922244efb90b8494536e1281b01a86a5dcc25cf0a3edc1361895b4bbd305eb8368471a37b811c4ce956f8e047f8aab7365fb2b45f

Malware Config

Extracted

Path: C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\ReadMe.txt

Ransom Note:
Gentlemen! Your business is at serios risk . There is a significant hole in the security system of your company. We have easily penetrated your network. You should thank the Lord for being hacked by serios people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. All files on each host in the network have been encrypted with a strong algorithm Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannoDecryptor etc. repair tools Are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet ) and attach 2 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc. )) You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We dont need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. Contact emails Primary email : [email protected] Secondary email : [email protected]

Signatures

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 40 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
    "C:\Users\Admin\AppData\Local\Temp\44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe"
    1⤵
    • Drops startup file
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1136
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\44F0B6~1.BAT
      2⤵
      • Deletes itself
      PID:344
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ReadMe.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:668
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1764
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x2b8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1624
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx"
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1892
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\ReadMe.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:340

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/668-56-0x000007FEFBD11000-0x000007FEFBD13000-memory.dmp (Filesize: 8KB)
  • memory/1136-53-0x0000000075641000-0x0000000075643000-memory.dmp (Filesize: 8KB)
  • memory/1892-59-0x0000000072801000-0x0000000072804000-memory.dmp (Filesize: 12KB)
  • memory/1892-60-0x0000000070281000-0x0000000070283000-memory.dmp (Filesize: 8KB)
  • memory/1892-61-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
  • memory/1892-64-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)