Overview

overview

10

Static

static

7

b53415f6_l...4J.exe

windows10_x64

10

Resubmissions

25-10-2021 07:50

211025-jn857sfgg4 10

20-10-2021 09:26

211020-ld6cnshgel 10

Analysis

  • max time kernel
    376s
  • max time network
    375s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    20-10-2021 09:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b53415f6_lcvDB3iF4J.exe

  • Size

    7.4MB

  • MD5

    b53415f6d38ce4831cbf327daf5201b4

  • SHA1

    778d6f976e10d201903c76adcd18f14e685a3704

  • SHA256

    4efcc256493c1c7d8f695bee676beab4aaf3d3d1e1847cf8462c38af1107b7b8

  • SHA512

    0c2e2fd8ebfe175dc844d64ad9e85f8ab23f8e63b75d7773a38bf68741071c0ea6aa91402b1ab5813a7d66b289650b1e868c56dd86636dcc26c37c07bdb55bb4

Score
10/10
mazediscoveryevasionexploitransomwarethemidatrojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\DECRYPT-FILES.TXT

Ransom Note
Ooops! All your important files are encrypted! [+] What happend to my computer? [+] All your important files are encrypted. No one can help you to restore files without our special decryptor. Backups were either encrypted or deleted. Shadow copies also removed. If you want to restore some of your files for free write to email (contact is below) and attach 2-3 encrypted files. You will receive decrypted samples. To decrypt other files you have to pay $250. [+] How do i pay? [+] Payment is accepted in Bitcoin only. Please check the current price of Bitcoin and buy some Bitcoins. And send the correct amount to the address specified at the bottom. [+] How can i contact? [+] 1.Download Tor browser (https://www.torproject.org/) 2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/) 3.Write email to us (CobraLocker@mail2tor.com) If you can't use tor in your country you can write to us on our temporary email address. [+] What if i already paid? [+] Send your Bitcoin wallet ID to e-mail provided above. Attention! 1.Do not modify encrypted files. 2.Do not try decrypt your data using third party software. 3.Do not turn off your computer. Our bitcoin address: bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe Our temporary e-mail address: f64dfn9pbhybaqfrh5dp65jrzcg@protonmail.com
Emails

CobraLocker@mail2tor.com

f64dfn9pbhybaqfrh5dp65jrzcg@protonmail.com
Wallets

bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe

URLs

http://mail2tor2zyjdctd.onion/

Signatures

  • Maze

    Ransomware family also known as ChaCha.

    trojanransomwaremaze
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Possible privilege escalation attempt 5 IoCs
    exploit
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Modifies file permissions 1 TTPs 5 IoCs
    discovery
  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b53415f6_lcvDB3iF4J.exe
    "C:\Users\Admin\AppData\Local\Temp\b53415f6_lcvDB3iF4J.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3600
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4368
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent NeverSend
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4372
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4560
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting Disable
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1688
    • C:\Users\Admin\AppData\Local\Temp\VSSVC.exe
      "C:\Users\Admin\AppData\Local\Temp\VSSVC.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3184
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && takeown /f C:\Windows\System32\shutdown.exe && icacls C:\Windows\System32\shutdown.exe /grant %username%:F && del C:\Windows\System32\shutdown.exe && Exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2340
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\Windows\System32
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:2636
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\Windows\System32 /grant Admin:F
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:296
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\Windows\System32\drivers
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:2660
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\Windows\System32\drivers /grant Admin:F
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:4244
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\Windows\System32\LogonUI.exe
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:1936
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:5052
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DECRYPT-FILES.TXT
      1⤵
        PID:3756

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Virtualization/Sandbox Evasion

      1
      T1497

      File Permissions Modification

      1
      T1222

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      Virtualization/Sandbox Evasion

      1
      T1497

      System Information Discovery

      3
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        MD5

        6bf0e5945fb9da68e1b03bdaed5f6f8d

        SHA1

        eed3802c8e4abe3b327c100c99c53d3bbcf8a33d

        SHA256

        dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1

        SHA512

        977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
        MD5

        7247129cd0644457905b7d6bf17fd078

        SHA1

        dbf9139b5a1b72141f170d2eae911bbbe7e128c8

        SHA256

        dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

        SHA512

        9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
        MD5

        7247129cd0644457905b7d6bf17fd078

        SHA1

        dbf9139b5a1b72141f170d2eae911bbbe7e128c8

        SHA256

        dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

        SHA512

        9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        MD5

        7359845b8f7ea1b1c7fb055a96357b8f

        SHA1

        7a08f7d68dd36190face57e000b9c96632406699

        SHA256

        bf54d74a8a201981317ba49617486a2595587e695f1f6aa2dc3600367201dd23

        SHA512

        add50af15615a083265f4f9613eb422bc3a5f7e1cf73a87ab7e5f82a1a31af21a046dd6a34788c4538d350e05f7c3497fd110483ab92f4b3c8183dcbee41b44d

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        MD5

        3511ee1f148b3ad036bdeae0f387ed78

        SHA1

        1c271a2cafcfb51b0a1b7a772ef615bbb8b410cd

        SHA256

        574af53e793f9ea124db211f78ec1f5a96e4d4b3c4a27b35340d5905d8dae90a

        SHA512

        97eac4aeafc87863ff9b61356955735110f0a624e179899601ee00d1634dd58cc9910378d8f1c3c1c978bf1d16fd11a83f4d1702dd6730f16869ccf265600ec2

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        MD5

        3511ee1f148b3ad036bdeae0f387ed78

        SHA1

        1c271a2cafcfb51b0a1b7a772ef615bbb8b410cd

        SHA256

        574af53e793f9ea124db211f78ec1f5a96e4d4b3c4a27b35340d5905d8dae90a

        SHA512

        97eac4aeafc87863ff9b61356955735110f0a624e179899601ee00d1634dd58cc9910378d8f1c3c1c978bf1d16fd11a83f4d1702dd6730f16869ccf265600ec2

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\VSSVC.exe
        MD5

        e4f24d91d8e7290ffd6afc8aa01c6d63

        SHA1

        b552c6af33cc5a62379028687924406cba8ff74d

        SHA256

        5eb371a9cf91b981502d3ee26880b8c15f62b3eeaaa2484d523a2a03a233bebb

        SHA512

        ae0d0c2494b0a4753039f4fdf6a589848a44a386b759511aab9374e9446f84c39895ec2c9d00ed0ce3df07663a9f14e2f21f42a85966336b0e35204da0d82e00

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\VSSVC.exe
        MD5

        e4f24d91d8e7290ffd6afc8aa01c6d63

        SHA1

        b552c6af33cc5a62379028687924406cba8ff74d

        SHA256

        5eb371a9cf91b981502d3ee26880b8c15f62b3eeaaa2484d523a2a03a233bebb

        SHA512

        ae0d0c2494b0a4753039f4fdf6a589848a44a386b759511aab9374e9446f84c39895ec2c9d00ed0ce3df07663a9f14e2f21f42a85966336b0e35204da0d82e00

        Download Submit
      • C:\Users\Admin\Desktop\DECRYPT-FILES.TXT
        MD5

        8f6a1f1586c647b68aad35ce0f8dd416

        SHA1

        43a1727b987a2f66e7a9589c2ddac52030ca259b

        SHA256

        452727c78872048a0a2a8ebd2c8ea1246f1c959c521cc7f45d99956a67c1325f

        SHA512

        13bf3adbfd4deb3f60be04bf0fc87c56e483764e6806a072ec339cb48a080eab7d2f84439a0e2498f1c82231f8afae08de46253c79ee4ec3dcaec9c370e632ac

        Download Submit
      • memory/296-915-0x0000000000000000-mapping.dmp
        Download
      • memory/1688-180-0x0000000007710000-0x0000000007711000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1688-126-0x0000000000000000-mapping.dmp
        Download
      • memory/1688-151-0x0000000006930000-0x0000000006931000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1688-128-0x0000000002BA0000-0x0000000002BA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1688-193-0x0000000002BA0000-0x0000000002BA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1688-131-0x0000000002BA0000-0x0000000002BA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1688-155-0x0000000006932000-0x0000000006933000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1688-291-0x0000000006933000-0x0000000006934000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1688-228-0x000000007F380000-0x000000007F381000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1936-918-0x0000000000000000-mapping.dmp
        Download
      • memory/2340-913-0x0000000000000000-mapping.dmp
        Download
      • memory/2636-914-0x0000000000000000-mapping.dmp
        Download
      • memory/2660-916-0x0000000000000000-mapping.dmp
        Download
      • memory/3184-158-0x00000000008E0000-0x00000000008E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3184-132-0x0000000000000000-mapping.dmp
        Download
      • memory/3184-154-0x0000000077CC0000-0x0000000077E4E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3184-179-0x0000000005B40000-0x000000000603E000-memory.dmp
        Filesize

        5.0MB

        Download
      • memory/3600-118-0x00000000009C0000-0x00000000009C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3600-120-0x00000000066E0000-0x00000000066E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3600-121-0x0000000006280000-0x0000000006281000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3600-122-0x00000000061E0000-0x00000000066DE000-memory.dmp
        Filesize

        5.0MB

        Download
      • memory/3600-123-0x0000000006210000-0x0000000006211000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3600-115-0x0000000077CC0000-0x0000000077E4E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4244-917-0x0000000000000000-mapping.dmp
        Download
      • memory/4368-187-0x0000000008A70000-0x0000000008A71000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4368-129-0x0000000004DC0000-0x0000000004DC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4368-124-0x0000000000000000-mapping.dmp
        Download
      • memory/4368-159-0x0000000007FD0000-0x0000000007FD1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4368-139-0x0000000007280000-0x0000000007281000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4368-182-0x0000000008770000-0x0000000008771000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4368-287-0x0000000004EE3000-0x0000000004EE4000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4368-192-0x0000000004DC0000-0x0000000004DC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4368-144-0x00000000078F0000-0x00000000078F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4368-143-0x0000000004EE0000-0x0000000004EE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4368-130-0x0000000004DC0000-0x0000000004DC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4368-220-0x000000007EB70000-0x000000007EB71000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4368-147-0x0000000004EE2000-0x0000000004EE3000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4372-134-0x00000000044D0000-0x00000000044D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4372-150-0x0000000006B40000-0x0000000006B41000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4372-224-0x000000007EED0000-0x000000007EED1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4372-125-0x0000000000000000-mapping.dmp
        Download
      • memory/4372-136-0x00000000044D0000-0x00000000044D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4372-194-0x00000000044D0000-0x00000000044D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4372-174-0x0000000007AF0000-0x0000000007AF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4372-168-0x00000000078A0000-0x00000000078A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4372-164-0x0000000007090000-0x0000000007091000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4372-284-0x0000000006B43000-0x0000000006B44000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4372-149-0x0000000006B42000-0x0000000006B43000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4560-153-0x0000000004392000-0x0000000004393000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4560-152-0x0000000004390000-0x0000000004391000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4560-133-0x0000000004130000-0x0000000004131000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4560-464-0x0000000004393000-0x0000000004394000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4560-135-0x0000000004130000-0x0000000004131000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4560-127-0x0000000000000000-mapping.dmp
        Download
      • memory/4560-198-0x0000000004130000-0x0000000004131000-memory.dmp
        Filesize

        4KB

        Download