Analysis

  • max time kernel
    25s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    20-10-2021 09:44

General

  • Target

    480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe

  • Size

    156KB

  • MD5

    9832040cb9c0aa58cd12d656f82420ba

  • SHA1

    74a62abd145e9571e029db76c06c3100bfb3f4a9

  • SHA256

    480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7

  • SHA512

    f41ea39996bd4dd11d6df8250754612068e52e42da6c737340b0d73e71d487a2f9074ea0394957f34bb3cbc72a0cb3aa479b91a7c4177089ccdc1578a232cf49

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\!TXDOT_READ_ME!.txt

Ransom Note
Greetings, Texas Department of Transportation! Read this message CAREFULLY and contact someone from IT department. Your files are securely ENCRYPTED. No third party decryption software EXISTS. MODIFICATION or RENAMING encrypted files may cause decryption failure. You can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all files from all affected systems ANY TIME. Encrypted file SHOULD NOT contain sensitive information (technical, backups, databases, large documents). The rest of data will be available after the PAYMENT. Infrastructure rebuild will cost you MUCH more. Contact us ONLY if you officially represent the whole affected network. The ONLY attachments we accept are non archived encrypted files for test decryption. Speak ENGLISH when contacting us. Mail us: [email protected] We kindly ask you not to use GMAIL, YAHOO or LIVE to contact us. The PRICE depends on how quickly you do it. �

Signatures

  • Deletes NTFS Change Journal 2 TTPs

    The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

  • RansomEXX Ransomware

    Targeted ransomware with variants which affect Windows and Linux systems.

  • Clears Windows event logs 1 TTPs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables use of System Restore points 1 TTPs
  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Overwrites deleted data with Cipher tool 1 TTPs

    Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
    "C:\Users\Admin\AppData\Local\Temp\480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe"
    1⤵
    • Modifies extensions of user files
    • Suspicious behavior: EnumeratesProcesses
    PID:1700
    • C:\Windows\System32\fsutil.exe
      "C:\Windows\System32\fsutil.exe" usn deletejournal /D C:
      2⤵
        PID:968
      • C:\Windows\System32\wevtutil.exe
        "C:\Windows\System32\wevtutil.exe" sl Security /e:false
        2⤵
          PID:1972
        • C:\Windows\System32\bcdedit.exe
          "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
          2⤵
          • Modifies boot configuration data using bcdedit
          PID:1684
        • C:\Windows\System32\bcdedit.exe
          "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
          2⤵
          • Modifies boot configuration data using bcdedit
          PID:1640
        • C:\Windows\SysWOW64\cipher.exe
          "C:\Windows\System32\cipher.exe" /w:C:
          2⤵
            PID:1868
          • C:\Windows\System32\wevtutil.exe
            "C:\Windows\System32\wevtutil.exe" cl Setup
            2⤵
              PID:1492
            • C:\Windows\System32\wevtutil.exe
              "C:\Windows\System32\wevtutil.exe" cl System
              2⤵
                PID:1628
              • C:\Windows\System32\wevtutil.exe
                "C:\Windows\System32\wevtutil.exe" cl Security
                2⤵
                  PID:1476
                • C:\Windows\SysWOW64\cipher.exe
                  "C:\Windows\System32\cipher.exe" /w:D:
                  2⤵
                    PID:1144
                  • C:\Windows\System32\wevtutil.exe
                    "C:\Windows\System32\wevtutil.exe" cl Application
                    2⤵
                      PID:1316
                    • C:\Windows\System32\wbadmin.exe
                      "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
                      2⤵
                      • Deletes backup catalog
                      PID:1960
                    • C:\Windows\System32\schtasks.exe
                      "C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                      2⤵
                        PID:1968
                    • C:\Windows\system32\wbengine.exe
                      "C:\Windows\system32\wbengine.exe"
                      1⤵
                        PID:324
                      • C:\Windows\System32\vdsldr.exe
                        C:\Windows\System32\vdsldr.exe -Embedding
                        1⤵
                          PID:612
                        • C:\Windows\System32\vds.exe
                          C:\Windows\System32\vds.exe
                          1⤵
                            PID:904

                          Network

                          MITRE ATT&CK Enterprise v6

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • memory/1316-69-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp

                            Filesize

                            8KB

                          • memory/1700-55-0x00000000762D1000-0x00000000762D3000-memory.dmp

                            Filesize

                            8KB

                          • memory/1700-56-0x0000000008930000-0x00000000093EA000-memory.dmp

                            Filesize

                            10.7MB