2c895d282fa795252bb859323040e62af0087e626244a9768eca8089ce25291f

General

Target

hptestu.exe
Size

662KB
MD5

1f7b5c64fdc506bb5384b938c141d050
SHA1

ae1b5233145eb28c0e0b34d92da9c9b93efe73a0
SHA256

2c895d282fa795252bb859323040e62af0087e626244a9768eca8089ce25291f
SHA512

0309dec997b0c73177f97616afccacbce102c1b64aa6b71ccf0f8a370ce4e2633693a2b7a16f3f663be6f3a042d712ff9ba6e387b07e8cebdb1fafbb37e54231

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README_encrypted.txt

Ransom Note

ATTENTION!!! ALL YOUR FILES HAVE BEEN ENCRYPTED YOU WILL HAVE TO PAY 1 Monero (https://www.getmonero.org/get-started/what-is-monero/) TO UNLOCK YOUR FILES. PLEASE GO TO http://t2tqvp4pctcr7vxhgz5yd5x4ino5tw7jzs3whbntxirhp32djhi7q3id.onion/register IN TOR BROWSER (https://torproject.org/download/) AND NOTE DOWN YOUR REDEEM ID AND PAYMENT ADDRESS. AFTER THEN TRANSFER 1 Monero TO THE PAYMENT ADDRESS (https://www.getmonero.org/resources/user-guides/make-payment.html). GO TO THE PAGE AGAIN AND CLICK THE "To redeem a payment, click here" LINK AND TYPE YOUR REDEEM ID THEN CLICK "Check payment". AFTER THEN AT THE UPLOAD PAGE SELECT THE metadata.bin FILE IN YOUR USER FOLDER AND CLICK "Get decryption keys" AND DOWNLOAD YOU DECRYPTION KEYS. PLEASE DO NOT ATTEMPT TO USE THIRD-PARTY DECRYPTION SERVICES. THIS WILL RESULT IN YOUR FILES PERMANENTLY LOCKED. THIS SOFTWARE USES STATE-OF-THE-ART ENCRYPTION ALGORITHMS USING X25519 AND ChaCha20 ENCRYPTION ALGORITHMS. ONLY OUR DECRYPTION SERVICE CAN UNLOCK YOUR FILES.

URLs

https://www.getmonero.org/get-started/what-is-monero/

http://t2tqvp4pctcr7vxhgz5yd5x4ino5tw7jzs3whbntxirhp32djhi7q3id.onion/register

https://www.getmonero.org/resources/user-guides/make-payment.html

Signatures

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\UnprotectMount.tif_encrypted	hptestu.exe
File created	C:\Users\Admin\Pictures\ShowGroup.tiff_encrypted	hptestu.exe
File created	C:\Users\Admin\Pictures\SplitClose.tif_encrypted	hptestu.exe
File created	C:\Users\Admin\Pictures\UnprotectReceive.tiff_encrypted	hptestu.exe
File created	C:\Users\Admin\Pictures\EditRevoke.tiff_encrypted	hptestu.exe
File created	C:\Users\Admin\Pictures\PingDismount.raw_encrypted	hptestu.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2684	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	460	vssvc.exe
Token: SeRestorePrivilege	460	vssvc.exe
Token: SeAuditPrivilege	460	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\hptestu.exe
"C:\Users\Admin\AppData\Local\Temp\hptestu.exe"
1⤵
- Modifies extensions of user files
PID:1324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:460

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2456

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README_encrypted.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2456-54-0x000007FEFC051000-0x000007FEFC053000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing