Analysis
-
max time kernel
25s -
max time network
120s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
20-10-2021 09:44
Static task
static1
Behavioral task
behavioral1
Sample
480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
Resource
win10-en-20210920
General
-
Target
480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
-
Size
156KB
-
MD5
9832040cb9c0aa58cd12d656f82420ba
-
SHA1
74a62abd145e9571e029db76c06c3100bfb3f4a9
-
SHA256
480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7
-
SHA512
f41ea39996bd4dd11d6df8250754612068e52e42da6c737340b0d73e71d487a2f9074ea0394957f34bb3cbc72a0cb3aa479b91a7c4177089ccdc1578a232cf49
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\!TXDOT_READ_ME!.txt
Signatures
-
Deletes NTFS Change Journal 2 TTPs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
-
RansomEXX Ransomware
Targeted ransomware with variants which affect Windows and Linux systems.
-
Clears Windows event logs 1 TTPs
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 1684 bcdedit.exe 1640 bcdedit.exe -
pid Process 1960 wbadmin.exe -
Disables use of System Restore points 1 TTPs
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\ExpandUnpublish.tif => C:\Users\Admin\Pictures\ExpandUnpublish.tif.txd0t 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe File renamed C:\Users\Admin\Pictures\NewConnect.png => C:\Users\Admin\Pictures\NewConnect.png.txd0t 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe File renamed C:\Users\Admin\Pictures\RequestCopy.png => C:\Users\Admin\Pictures\RequestCopy.png.txd0t 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe File renamed C:\Users\Admin\Pictures\SyncRead.raw => C:\Users\Admin\Pictures\SyncRead.raw.txd0t 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe -
Overwrites deleted data with Cipher tool 1 TTPs
Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 1700 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 1700 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 1700 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 1700 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 1700 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 1700 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe 1700 480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe"C:\Users\Admin\AppData\Local\Temp\480af18104198ad3db1518501ee58f9c4aecd19dbbf2c5dd7694d1d87e9aeac7.exe"1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
PID:1700 -
C:\Windows\System32\fsutil.exe"C:\Windows\System32\fsutil.exe" usn deletejournal /D C:2⤵PID:968
-
-
C:\Windows\System32\wevtutil.exe"C:\Windows\System32\wevtutil.exe" sl Security /e:false2⤵PID:1972
-
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:1684
-
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:1640
-
-
C:\Windows\SysWOW64\cipher.exe"C:\Windows\System32\cipher.exe" /w:C:2⤵PID:1868
-
-
C:\Windows\System32\wevtutil.exe"C:\Windows\System32\wevtutil.exe" cl Setup2⤵PID:1492
-
-
C:\Windows\System32\wevtutil.exe"C:\Windows\System32\wevtutil.exe" cl System2⤵PID:1628
-
-
C:\Windows\System32\wevtutil.exe"C:\Windows\System32\wevtutil.exe" cl Security2⤵PID:1476
-
-
C:\Windows\SysWOW64\cipher.exe"C:\Windows\System32\cipher.exe" /w:D:2⤵PID:1144
-
-
C:\Windows\System32\wevtutil.exe"C:\Windows\System32\wevtutil.exe" cl Application2⤵PID:1316
-
-
C:\Windows\System32\wbadmin.exe"C:\Windows\System32\wbadmin.exe" delete catalog -quiet2⤵
- Deletes backup catalog
PID:1960
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵PID:1968
-
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵PID:324
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:612
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:904