Analysis
-
max time kernel
762s -
max time network
1719s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
14-09-2021 08:44
Static task
static1
Behavioral task
behavioral1
Sample
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe
Resource
win7-en
Behavioral task
behavioral2
Sample
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe
Resource
win10v20210408
General
-
Target
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe
-
Size
122KB
-
MD5
1df36997a8f9096272006b365a68a76d
-
SHA1
2496712427d789d1bd804835e81d5a210fb5bff8
-
SHA256
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b
-
SHA512
c2701d71d52854a08f1daacb0d523d12e40096c33feef161fc992a3dda2a16f58de997dfde33c66cb1128a3a61a6a8e1e5425a936bc0f2ba83b3ad6696bf9b3d
Malware Config
Extracted
C:\vzts0-readme.txt
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/75D30EC5588FDE81
http://decoder.re/75D30EC5588FDE81
Signatures
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 16 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exedescription ioc process File renamed C:\Users\Admin\Pictures\SubmitUndo.tif => \??\c:\users\admin\pictures\SubmitUndo.tif.vzts0 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\users\admin\pictures\UseLimit.tiff fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File renamed C:\Users\Admin\Pictures\CompleteSelect.png => \??\c:\users\admin\pictures\CompleteSelect.png.vzts0 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File renamed C:\Users\Admin\Pictures\PopUnregister.tif => \??\c:\users\admin\pictures\PopUnregister.tif.vzts0 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File renamed C:\Users\Admin\Pictures\RevokeInitialize.png => \??\c:\users\admin\pictures\RevokeInitialize.png.vzts0 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File renamed C:\Users\Admin\Pictures\RevokeMerge.tif => \??\c:\users\admin\pictures\RevokeMerge.tif.vzts0 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File renamed C:\Users\Admin\Pictures\StopBackup.png => \??\c:\users\admin\pictures\StopBackup.png.vzts0 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File renamed C:\Users\Admin\Pictures\FormatShow.tif => \??\c:\users\admin\pictures\FormatShow.tif.vzts0 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File renamed C:\Users\Admin\Pictures\ImportUninstall.tiff => \??\c:\users\admin\pictures\ImportUninstall.tiff.vzts0 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File renamed C:\Users\Admin\Pictures\MoveResolve.raw => \??\c:\users\admin\pictures\MoveResolve.raw.vzts0 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File renamed C:\Users\Admin\Pictures\RevokeTest.tif => \??\c:\users\admin\pictures\RevokeTest.tif.vzts0 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File renamed C:\Users\Admin\Pictures\UseUndo.png => \??\c:\users\admin\pictures\UseUndo.png.vzts0 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File renamed C:\Users\Admin\Pictures\ConfirmRestore.tif => \??\c:\users\admin\pictures\ConfirmRestore.tif.vzts0 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\users\admin\pictures\ImportUninstall.tiff fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File renamed C:\Users\Admin\Pictures\UnlockEdit.crw => \??\c:\users\admin\pictures\UnlockEdit.crw.vzts0 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File renamed C:\Users\Admin\Pictures\UseLimit.tiff => \??\c:\users\admin\pictures\UseLimit.tiff.vzts0 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exedescription ioc process File opened (read-only) \??\G: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\I: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\R: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\W: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\Z: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\J: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\M: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\T: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\U: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\X: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\D: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\A: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\B: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\H: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\Q: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\S: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\V: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\P: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\Y: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\E: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\F: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\K: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\L: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\N: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened (read-only) \??\O: fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tg6hbl.bmp" fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe -
Drops file in Program Files directory 14 IoCs
Processes:
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exedescription ioc process File created \??\c:\program files\tmp fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File created \??\c:\program files (x86)\vzts0-readme.txt fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\program files\ExitGet.tiff fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\program files\OptimizeSplit.mov fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\program files\RenameSubmit.avi fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\program files\ResetDisconnect.m1v fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\program files\SubmitDebug.mpeg2 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\program files\MeasureTrace.sql fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\program files\ProtectInstall.pub fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\program files\SaveProtect.m4a fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File created \??\c:\program files\vzts0-readme.txt fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File created \??\c:\program files (x86)\tmp fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\program files\InstallLimit.csv fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe File opened for modification \??\c:\program files\StepPublish.shtml fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exepid process 580 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe 580 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe 580 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe 580 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe 580 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe 580 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe 580 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe 580 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe 580 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe 580 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exevssvc.exedescription pid process Token: SeDebugPrivilege 580 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe Token: SeTakeOwnershipPrivilege 580 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe Token: SeBackupPrivilege 3392 vssvc.exe Token: SeRestorePrivilege 3392 vssvc.exe Token: SeAuditPrivilege 3392 vssvc.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exedescription pid process target process PID 580 wrote to memory of 3976 580 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe netsh.exe PID 580 wrote to memory of 3976 580 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe netsh.exe PID 580 wrote to memory of 3976 580 fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\fee74e1a60a9bfe9f976fad24d9f63651e6cc479004e9036d2e83a7c561b243b.bin.sample.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule group="Network Discovery" new enable=Yes2⤵PID:3976
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:4044
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3392
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3976-114-0x0000000000000000-mapping.dmp