Analysis

  • max time kernel
    195s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    12-10-2021 13:16

General

  • Target

    hptestu.exe

  • Size

    662KB

  • MD5

    1f7b5c64fdc506bb5384b938c141d050

  • SHA1

    ae1b5233145eb28c0e0b34d92da9c9b93efe73a0

  • SHA256

    2c895d282fa795252bb859323040e62af0087e626244a9768eca8089ce25291f

  • SHA512

    0309dec997b0c73177f97616afccacbce102c1b64aa6b71ccf0f8a370ce4e2633693a2b7a16f3f663be6f3a042d712ff9ba6e387b07e8cebdb1fafbb37e54231

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README_encrypted.txt

Ransom Note
ATTENTION!!! ALL YOUR FILES HAVE BEEN ENCRYPTED YOU WILL HAVE TO PAY 1 Monero (https://www.getmonero.org/get-started/what-is-monero/) TO UNLOCK YOUR FILES. PLEASE GO TO http://t2tqvp4pctcr7vxhgz5yd5x4ino5tw7jzs3whbntxirhp32djhi7q3id.onion/register IN TOR BROWSER (https://torproject.org/download/) AND NOTE DOWN YOUR REDEEM ID AND PAYMENT ADDRESS. AFTER THEN TRANSFER 1 Monero TO THE PAYMENT ADDRESS (https://www.getmonero.org/resources/user-guides/make-payment.html). GO TO THE PAGE AGAIN AND CLICK THE "To redeem a payment, click here" LINK AND TYPE YOUR REDEEM ID THEN CLICK "Check payment". AFTER THEN AT THE UPLOAD PAGE SELECT THE metadata.bin FILE IN YOUR USER FOLDER AND CLICK "Get decryption keys" AND DOWNLOAD YOU DECRYPTION KEYS. PLEASE DO NOT ATTEMPT TO USE THIRD-PARTY DECRYPTION SERVICES. THIS WILL RESULT IN YOUR FILES PERMANENTLY LOCKED. THIS SOFTWARE USES STATE-OF-THE-ART ENCRYPTION ALGORITHMS USING X25519 AND ChaCha20 ENCRYPTION ALGORITHMS. ONLY OUR DECRYPTION SERVICE CAN UNLOCK YOUR FILES.
URLs

https://www.getmonero.org/get-started/what-is-monero/

http://t2tqvp4pctcr7vxhgz5yd5x4ino5tw7jzs3whbntxirhp32djhi7q3id.onion/register

https://www.getmonero.org/resources/user-guides/make-payment.html

Signatures

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\hptestu.exe
    "C:\Users\Admin\AppData\Local\Temp\hptestu.exe"
    • Modifies extensions of user files
    PID:1324
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:460
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    PID:2456
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README_encrypted.txt
      • Opens file in notepad (likely ransom note)
      PID:2684

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access (1)
    Credentials in Files
    T1081
  • Collection (1)
    Data from Local System
    T1005


Downloads

  • C:\Users\Admin\Desktop\README_encrypted.txt

    MD5
    431cc08e49697f465f0834df473223df

    SHA1
    a8c0d09f3b84e225c6f7390d10155c42f4225674

    SHA256
    f8f5938fad58747f6238e2761be8b7f1fdccaf637227c1e4eb7f000926f0d6c2

    SHA512
    e74c44ecec011367d65cc4baf626953a8baa1bad04121718768d041c493a570e6d2b5039eee321478e046e8ddfdcc006c38f89e1b3dc5b37417e63b7857edf51

  • memory/2456-54-0x000007FEFC051000-0x000007FEFC053000-memory.dmp

    Filesize
    8KB