Overview

overview

10

Static

static

BS.exe

windows7_x64

10

BS.exe

windows10_x64

10

BuildS.exe

windows7_x64

10

BuildS.exe

windows10_x64

10

READS.exe

windows7_x64

10

READS.exe

windows10_x64

10

baseus_nowin.exe

windows7_x64

10

baseus_nowin.exe

windows10_x64

10

rbs.exe

windows7_x64

10

rbs.exe

windows10_x64

10

scan.exe

windows7_x64

1

scan.exe

windows10_x64

1

Analysis

  • max time kernel
    161s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    20-10-2021 09:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    READS.exe

  • Size

    53KB

  • MD5

    9bd839a710177cf31625c09e321418ba

  • SHA1

    82ebafbffb2ff94b91c037d5b51561d726ec32c5

  • SHA256

    3e526ba55e9dc43928b592e879aa2ea896681e709a22c6b0b8911d6f264ed63c

  • SHA512

    d3974db692f256f7733ccbf5d130bdcdcc18d18147b0522e8b0a3c10161604c1ee23e651cd132e3e61d81ff99c8af5a24abf465426aedc6dca1baa7adb53fc34

Score
10/10
ransomwarespywarestealer

Malware Config

Extracted

Path

C:\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">����������35 C2 F6 AB 1B A9 B5 E5 4F BB AA 43 66 E7 60 62 99 D8 62 24 33 F7 DD 61 4C C1 2B 11 8C 97 CF 7E 49 65 E5 A8 44 E2 7D 90 14 2E 47 5C 71 4F F2 27 C9 EF FD 0F 2B 39 8D A6 B6 06 B2 0C 75 B7 B0 BB 08 77 1A F6 6E 04 92 27 07 58 3E 22 78 DC 3C 0D 12 40 55 12 AC C2 FD 92 2A A1 FE 7D E2 AB 46 D0 2E 0D CC 93 F9 CA A7 F1 7F 76 29 E8 A3 A9 D2 DA DA 21 77 09 27 C1 90 BC B2 7A 2D D6 C9 1F C1 A8 BE F2 69 88 F1 0B 4F 7A 8C FA 9D E6 27 FB 00 26 F5 45 94 1A 14 0D A7 9F F8 85 69 D0 D9 A8 CF 44 68 56 D3 A9 F6 80 0C 4F D7 68 A2 EB D2 B4 A9 49 71 55 86 49 0A 92 3F 53 C0 92 C7 94 52 D8 29 F2 16 D7 F8 F3 2A 32 E3 1E 69 CD A4 E8 9F 8B 94 D8 AF CC C7 95 95 F1 33 90 1E 4E 63 CE 1F E0 EC 6E 09 67 DF 31 69 2A E8 5A A1 F4 98 8A 21 15 E2 98 E9 73 04 3E 5D 1A 77 21 87 BA B9 CD 9F A8 D1 FF </span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>.onion </a><br> 4. Start a chat and follow the further instructions. <br><br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br><a href="[email protected]">[email protected]</a> <br> <b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html> ���������

Signatures

  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 26 IoCs
  • Drops file in Program Files directory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\READS.exe
    "C:\Users\Admin\AppData\Local\Temp\READS.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    PID:1672

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads