Analysis

Max time kernel: 113s
Max time network: 116s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 07/09/2021, 13:56
Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  Resource: win7-en
Behavioral task: behavioral2
  Sample: 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  Resource: win10v20210408
General

Target: 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
Size: 1.1MB
MD5: fc95d7841f298dbe638cbe63d7878d89
SHA1: 919324ceb106a872866c9b78612094666644b03d
SHA256: 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78
SHA512: b7a581dda18cf09b9b4f69e922244efb90b8494536e1281b01a86a5dcc25cf0a3edc1361895b4bbd305eb8368471a37b811c4ce956f8e047f8aab7365fb2b45f

Malware Config

Extracted from: C:\ReadMe.txt
Signatures

- Drops startup file (2 IoCs)

  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery.bmp | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Recovery.bmp | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
- Reads user/profile data of web browsers (2 TTPs)

  Infostealers often target stored browser data, which can include saved credentials etc.

- Enumerates connected drives (3 TTPs, 24 IoCs)

  Attempts to read the root path of hard drives other than the default C: drive.

  description | ioc | Process
  File opened (read-only) | \??\J: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\H: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\G: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\B: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\R: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\Q: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\K: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\Z: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\N: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\A: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\P: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\O: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\L: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\I: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\E: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\V: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\U: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\T: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\S: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\M: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\F: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\Y: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\X: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened (read-only) | \??\W: | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
- Drops file in Program Files directory (18 IoCs)

  description | ioc | Process
  File opened for modification | C:\PROGRA~3\REGID1~1.MIC\REGID1~2.SWI | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened for modification | C:\PROGRA~3\REGID1~1.MIC\REGID1~3.SWI | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened for modification | C:\PROGRA~3\TEMPLA~1 | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.ini | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened for modification | C:\PROGRA~3\Mozilla\updates\308046~1\UPDATE~1.JSO | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{EF6B0~1\state.rsm | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened for modification | C:\PROGRA~3\REGID1~1.MIC\REGID1~4.SWI | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened for modification | C:\PROGRA~3\STARTM~1 | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened for modification | C:\PROGRA~3\APPLIC~1 | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened for modification | C:\PROGRA~3\Oracle\Java\JAVASE~1.CFG | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{F4220~1\state.rsm | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened for modification | C:\PROGRA~3\REGID1~1.MIC\REGID1~1.SWI | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened for modification | C:\PROGRA~3\Oracle\Java\INSTAL~1\BASEIM~1 | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened for modification | C:\PROGRA~3\PACKAG~1\{CA675~1\state.rsm | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened for modification | C:\PROGRA~3\Adobe\Setup\{AC76B~1\abcpy.ini | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened for modification | C:\PROGRA~3\Desktop | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened for modification | C:\PROGRA~3\DOCUME~1 | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  File opened for modification | C:\PROGRA~3\MICROS~2\setup\refcount.ini | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe

- Drops file in Windows directory (1 IoC)

  description | ioc | Process
  File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
- Enumerates physical storage devices (1 TTP)

  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (48 IoCs)

  pid | Process
  568 | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe (this row is repeated for all but the last two of the 48 entries)
  1300 | mspaint.exe (last two entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)

  description | pid | Process
  Token: SeDebugPrivilege | 568 | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe

- Suspicious use of SetWindowsHookEx (4 IoCs)

  pid | Process
  1300 | mspaint.exe (four entries)

- Suspicious use of WriteProcessMemory (3 IoCs)

  description | pid | Process | procid_target
  PID 568 wrote to memory of 3748 | 568 | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe | 79
  PID 568 wrote to memory of 3748 | 568 | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe | 79
  PID 568 wrote to memory of 3748 | 568 | 44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe | 79
Processes

C:\Users\Admin\AppData\Local\Temp\44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\44f0b6ee096aeb62aa585a0c37decaae0177eae22c18e40b0e823d9eaf856b78.exe"
  PID: 568
  - Drops startup file
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Child: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\44F0B6~1.BAT
    PID: 3748

C:\Windows\system32\mspaint.exe
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\Recovery.bmp"
  PID: 1300
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx

\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
  PID: 3588