Analysis
max time kernel: 209s
max time network: 123s
platform: windows7_x64
resource: win7-en-20210920
submitted: 30/10/2021, 03:59
Static task: static1
Behavioral task: behavioral1
  Sample: SS.exe
  Resource: win7-en-20210920
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: SS.exe
  Resource: win10-en-20211014
  0 signatures, 0 seconds
General
Target: SS.exe
Size: 30.3MB
MD5: d6d78e94de610fad6749338f855edbcc
SHA1: 0fb9d7b713ae158bf35f480f62d20255b6d14a97
SHA256: f0f90338553ab244d779b2f172c2e6c82f7fc5725cba6ddb8d09c48d5f481e07
SHA512: 33f36597a642af214f2e349015f5a0a625014536ae00016e9fdc110f2a37ea84cdfb7c6e9039a02830730314fc8358bc7076c7fdfec12c140f4394cfb0e4079f
Score: 10/10
Malware Config
Extracted
Path: C:\Windows\Vss\ReadIt.txt
Ransom Note (verbatim):
Hello my friend
Your system was vulnerable
I'm here to teach you a lesson,The Security Lesson!!!!
All your files are encrypted and the important one stolen
You must pay an anount of Bitcoin in exchange for decrypting files and understanding the flaws in your system And prevent your files from becoming public
Don't worry about the amount, it's spent on the security of your system and it's fair.
To show our good intentions and trust, you can send us a small, worthless file to test the decryption.
This is your ID : FFF456E1
And this is my email :[email protected]
Send your ID to my email to speack about it
If I don't respond for 8 hours, send messages to these emails :
- [email protected]
- [email protected]
Don't forget if you try to decypt them yourself, never come back to us.
So the first thing you have to do is email us because no one can decrypt them.
Signatures
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Disables Task Manager via registry modification
Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini+Id(FFF456E1) mail([email protected]).REAL (process: SS.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReadIt.txt (process: SS.exe)
Loads dropped DLL (59 IoCs)
  pid 1000 SS.exe (the same pid/process entry is recorded for each of the 59 IoCs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid 1000 SS.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\Yes.txt (process: SS.exe)
  File created: C:\Windows\Vss\ReadIt.txt (process: SS.exe)
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid 2032 vssadmin.exe
Modifies registry key (1 TTPs, 1 IoCs)
  pid 972 reg.exe
Opens file in notepad (likely ransom note) (1 IoCs)
  pid 1224 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1080 powershell.exe
  pid 1496 powershell.exe
Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Token: SeDebugPrivilege, pid 1000 SS.exe
  Token: SeDebugPrivilege, pid 1080 powershell.exe
  Token: SeDebugPrivilege, pid 1496 powershell.exe
  Token: SeBackupPrivilege, pid 1600 vssvc.exe
  Token: SeRestorePrivilege, pid 1600 vssvc.exe
  Token: SeAuditPrivilege, pid 1600 vssvc.exe
  Token: 33, pid 1056 AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege, pid 1056 AUDIODG.EXE
  Token: 33, pid 1056 AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege, pid 1056 AUDIODG.EXE
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid 1224 NOTEPAD.EXE
Suspicious use of WriteProcessMemory (24 IoCs)
  description | pid | process | procid_target (each of the 8 entries below is recorded three times in the report)
  PID 1452 wrote to memory of 1000 | 1452 | SS.exe | 28
  PID 1000 wrote to memory of 1868 | 1000 | SS.exe | 29
  PID 1868 wrote to memory of 1080 | 1868 | cmd.exe | 31
  PID 1000 wrote to memory of 764 | 1000 | SS.exe | 32
  PID 764 wrote to memory of 1496 | 764 | cmd.exe | 34
  PID 1496 wrote to memory of 2032 | 1496 | powershell.exe | 35
  PID 1000 wrote to memory of 1156 | 1000 | SS.exe | 38
  PID 1156 wrote to memory of 972 | 1156 | cmd.exe | 40
Processes
(indentation shows the parent/child depth of each process; each entry lists the image path, the command line, the signatures it triggered and its PID)

C:\Users\Admin\AppData\Local\Temp\SS.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SS.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1452

  C:\Users\Admin\AppData\Local\Temp\SS.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SS.exe"
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1000

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe -C Set-MpPreference -DisableRealtimeMonitoring $true ;
      - Suspicious use of WriteProcessMemory
      PID: 1868

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe -C Set-MpPreference -DisableRealtimeMonitoring $true ;
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1080

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c powershell.exe -C vssadmin Delete Shadows /all /quiet ;
      - Suspicious use of WriteProcessMemory
      PID: 764

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe -C vssadmin Delete Shadows /all /quiet ;
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 1496

        C:\Windows\system32\vssadmin.exe
          command line: "C:\Windows\system32\vssadmin.exe" Delete Shadows /all /quiet
          - Interacts with shadow copies
          PID: 2032

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Suspicious use of WriteProcessMemory
      PID: 1156

      C:\Windows\system32\reg.exe
        command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        - Modifies registry key
        PID: 972

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1600

C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x440
  - Suspicious use of AdjustPrivilegeToken
  PID: 1056

C:\Windows\system32\NOTEPAD.EXE
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ReadIt.txt
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
  PID: 1224