Analysis
-
max time kernel
25s -
max time network
120s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
20-10-2021 09:44
Static task
static1
Behavioral task
behavioral1
Sample
480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
Resource
win10-en-20210920
General
-
Target
480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
-
Size
156KB
-
MD5
9832040cb9c0aa58cd12d656f82420ba
-
SHA1
74a62abd145e9571e029db76c06c3100bfb3f4a9
-
SHA256
480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7
-
SHA512
f41ea39996bd4dd11d6df8250754612068e52e42da6c737340b0d73e71d487a2f9074ea0394957f34bb3cbc72a0cb3aa479b91a7c4177089ccdc1578a232cf49
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\!TXDOT_READ_ME!.txt
txdot911@protonmail.com
Signatures
-
Deletes NTFS Change Journal 2 TTPs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
-
RansomEXX Ransomware
Targeted ransomware with variants which affect Windows and Linux systems.
-
Clears Windows event logs 1 TTPs
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 1684 bcdedit.exe 1640 bcdedit.exe -
Processes:
wbadmin.exepid process 1960 wbadmin.exe -
Disables use of System Restore points 1 TTPs
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exedescription ioc process File renamed C:\Users\Admin\Pictures\ExpandUnpublish.tif => C:\Users\Admin\Pictures\ExpandUnpublish.tif.txd0t 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe File renamed C:\Users\Admin\Pictures\NewConnect.png => C:\Users\Admin\Pictures\NewConnect.png.txd0t 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe File renamed C:\Users\Admin\Pictures\RequestCopy.png => C:\Users\Admin\Pictures\RequestCopy.png.txd0t 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe File renamed C:\Users\Admin\Pictures\SyncRead.raw => C:\Users\Admin\Pictures\SyncRead.raw.txd0t 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe -
Overwrites deleted data with Cipher tool 1 TTPs
Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exepid process 1700 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 1700 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 1700 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 1700 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 1700 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 1700 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 1700 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe"C:\Users\Admin\AppData\Local\Temp\480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe"1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\fsutil.exe"C:\Windows\System32\fsutil.exe" usn deletejournal /D C:2⤵
-
C:\Windows\System32\wevtutil.exe"C:\Windows\System32\wevtutil.exe" sl Security /e:false2⤵
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\SysWOW64\cipher.exe"C:\Windows\System32\cipher.exe" /w:C:2⤵
-
C:\Windows\System32\wevtutil.exe"C:\Windows\System32\wevtutil.exe" cl Setup2⤵
-
C:\Windows\System32\wevtutil.exe"C:\Windows\System32\wevtutil.exe" cl System2⤵
-
C:\Windows\System32\wevtutil.exe"C:\Windows\System32\wevtutil.exe" cl Security2⤵
-
C:\Windows\SysWOW64\cipher.exe"C:\Windows\System32\cipher.exe" /w:D:2⤵
-
C:\Windows\System32\wevtutil.exe"C:\Windows\System32\wevtutil.exe" cl Application2⤵
-
C:\Windows\System32\wbadmin.exe"C:\Windows\System32\wbadmin.exe" delete catalog -quiet2⤵
- Deletes backup catalog
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/968-57-0x0000000000000000-mapping.dmp
-
memory/1144-65-0x0000000000000000-mapping.dmp
-
memory/1316-69-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmpFilesize
8KB
-
memory/1316-61-0x0000000000000000-mapping.dmp
-
memory/1476-67-0x0000000000000000-mapping.dmp
-
memory/1492-66-0x0000000000000000-mapping.dmp
-
memory/1628-68-0x0000000000000000-mapping.dmp
-
memory/1640-62-0x0000000000000000-mapping.dmp
-
memory/1684-63-0x0000000000000000-mapping.dmp
-
memory/1700-55-0x00000000762D1000-0x00000000762D3000-memory.dmpFilesize
8KB
-
memory/1700-56-0x0000000008930000-0x00000000093EA000-memory.dmpFilesize
10.7MB
-
memory/1868-64-0x0000000000000000-mapping.dmp
-
memory/1960-59-0x0000000000000000-mapping.dmp
-
memory/1968-60-0x0000000000000000-mapping.dmp
-
memory/1972-58-0x0000000000000000-mapping.dmp