Overview

overview

10

Static

static

5378249a2b...9d.exe

windows7_x64

10

5378249a2b...9d.exe

windows10_x64

10

Analysis

  • max time kernel
    185s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    24/10/2021, 03:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5378249a2b439e92691fb87751adc9fc4e2dea1792309d695b7f1d9c6887b09d.exe

  • Size

    14KB

  • MD5

    a43ee303f6e4e6870036dad6666cbbd0

  • SHA1

    95007b7c46858107378b9e444c83a772295fc6d9

  • SHA256

    5378249a2b439e92691fb87751adc9fc4e2dea1792309d695b7f1d9c6887b09d

  • SHA512

    78c216ba26fcf3d880c0a3485076fba48e02c4f309b452924214b5298b9582e9af41dc846e830dd5a2e00ef51870c40580920a7f6f020d627269c1ff543bf97c

Score
10/10
ransomwarespywarestealer

Malware Config

Extracted

Path

C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\#Decrypt#.txt

Ransom Note
Hello my dear friend Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted If you want to restore them, install ICQ software on your PC https://icq.com/windows/ or on your mobile phone search in Appstore / Google market ICQ Write to our ICQ @Whitehorsedecryption https://icq.im/Whitehorsedecryption Skype Whitehorsedecryption Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. We are always ready to cooperate and find the best way to solve your problem. The faster you write, the more favorable the conditions will be for you. Our company values its reputation. We give all guarantees of your files decryption IF WE DONT SEE MESSAGES FROM YOU IN 72 HOURS - WE WILL SELL YOUR DATABASES AND IMPORTANT INFORMATION TO YOUR COMPETITORS,AFTER YOU WILL SEE IT AT OPEN SOURCE AND DARKNET tell your unique ID S4oIO8CyBJA+JR7Ac6xM5npK0AuOXM/nWxoNuYGyU2JTQ8doaLxr4mEV37un0f3klwKvJAYeu6xi97xWMnLHYhdNaU8boarIax5kLMOnsPPlI11KPwj7FVkyPgUxXyjNZCQNu7tlZv3E67pnKz5pi4zB06OdEN5EA8A+sbo6SJ23vaS2nTs2Mhlyg0Oxou59XLY2SADvPNzFT21hwUJf3adTI7E/zAG4y65G76CIcX24rh37U3yrwTrlLIpgvP60zOWbPAlhACSGUTE8QanOW8ED0wMrA4YC7TFSYuw947Cz6gAbx3UNvNcC4loSFDrJ+Wd6wRbuqz61HoF3pJSxTd7EQJb3JpHrwaj+VuSZa7BUq2d1VUyioJ+hm0hhXdsfAoSLph1D+8i4rDfsDK3MdPn+fsO1MZXawabcrIyVuMTX0rVtD4JcwZ3Btd9YUduY0w63CsB1MUR5SKfWEA/85rP7nwFqx0w8ho27YaANq+A97wiH+OeXzERtBOCJO3suIMvk2r6xf9o5nYnrIZ9FvL0oYIpG9k5XdS8f11jC/c3Yuuxepa2orDxxxdTIfd3QBkt8oBqx3jp2C0MVL8wAR0JTXyCyyYJ3iEdXS4md34adicR4xI8tv2FZZkBKkYt393quETlF2ooK0oM9p5Owy0nnjzdTdpaCVH7qIAJor8SvusPCBblo0q9W8nwk1lV7KOS2NqhXBGApvlSOHoCFb+ccWuXtjITG+IBhVeZKV3BGirH/4BWwQgY1yWlRr1Dn/+fp5iPI7xdmv2gttvd/ZwHUUNchz3xnPGYBX7SBvCaoQS6BrNzuibExoqlC2Vis/ZAKgm1qLw0amvCsAo6dpwlsNbwS2VXBUhSQxVVNUThJhYm/aYU8EXxnXLEtIbB3Z/xlbe7wveVxL3ZYrHvEk6QHOd/NxB8Ufn3HeOG/Q0XioQRN0w/zOXeOwjIa59p/Cp9tl3yWzAQyKLHLcrftegKiMdXFzQL9Y3nl7xjses/GVWnhOO7RnSKlHSDe6bv/e8V0pSITrdz4rTfqBjb3M/y89Q6gHwRN1xkpZgm+4SrlevbDXRHUqj/86dZIn5/4rxU9USOVKwRxRycHigRxk7SW0Js0cJWosDbTn7x5XosC8b2NKkDETQTLCD74qkAWqKXxyvi8An4vGknA81/tRY/rh8QolazXb125rdddDxuuqI6pC7uqvjrxaLmJbUE2N+j51KC6cHey3P/kXDCD+b7zS0cVybG0E1Sm3/FNLMbBmr+7EMIMF7a9ag8D/mxjldJ1IsiYp28K4igjgJO53HOko0wxk3NA3vyAq7JUHJitg5766NSITQmwWW5Al8EZsG/NKmsD3PLg5m+5C+J+IQ==
URLs

https://icq.com/windows/

https://icq.im/Whitehorsedecryption

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 33 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5378249a2b439e92691fb87751adc9fc4e2dea1792309d695b7f1d9c6887b09d.exe
    "C:\Users\Admin\AppData\Local\Temp\5378249a2b439e92691fb87751adc9fc4e2dea1792309d695b7f1d9c6887b09d.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3820
    • C:\Windows\System32\vssadmin.exe
      delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:652
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" bcdedit /set {current} bootstatuspolicy ignoreallfailures
      2⤵
        PID:1056
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" bcdedit /set {current} recoveryenabled no
        2⤵
          PID:1604
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" netsh advfirewall set allprofiles state off
          2⤵
            PID:816
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\5378249a2b439e92691fb87751adc9fc4e2dea1792309d695b7f1d9c6887b09d.exe" >> NUL
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2156
            • C:\Windows\SysWOW64\timeout.exe
              timeout 1
              3⤵
              • Delays execution with timeout.exe
              PID:3240
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3584

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads