Overview

overview

10

Static

static

10

1.bin/1.exe

windows10_x64

10

2019-09-02...10.exe

windows10_x64

10

31.exe

windows10_x64

10

3DMark 11 ...on.exe

windows10_x64

1

5da0116af4...18.exe

windows10_x64

10

Archive.zi...3e.exe

windows10_x64

6

CVE-2018-1...oC.swf

windows10_x64

3

CVWSHSetup...1].exe

windows10_x64

4

DiskIntern...en.exe

windows10_x64

1

ForceOp 2....ce.exe

windows10_x64

10

HYDRA.exe

windows10_x64

10

Keygen.exe

windows10_x64

10

Lonelyscre...ox.exe

windows10_x64

1

LtHv0O2KZDK4M637.exe

windows10_x64

10

Magic_File...ja.exe

windows10_x64

1

OnlineInstaller.exe

windows10_x64

10

Remouse.Mi...cg.exe

windows10_x64

1

SecurityTa...up.exe

windows10_x64

8

Treasure.V...ox.exe

windows10_x64

1

VyprVPN.exe

windows10_x64

10

WSHSetup[1].exe

windows10_x64

3

___ _ ____...��.exe

windows10_x64

10

___ _ ____...��.exe

windows10_x64

10

amtemu.v0....ed.exe

windows10_x64

10

api.exe

windows10_x64

1

default.exe

windows10_x64

10

efd97b1038...ea4.js

windows10_x64

3

good.exe

windows10_x64

10

infected d...er.exe

windows10_x64

8

oof.exe

windows10_x64

10

ou55sg33s_1.exe

windows10_x64

10

update.exe

windows10_x64

10

Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

  • max time kernel
    195s
  • max time network
    194s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    12-11-2021 18:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

  • Size

    669KB

  • MD5

    ead18f3a909685922d7213714ea9a183

  • SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

  • SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

  • SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

Score
10/10
discoverypersistenceransomwareupx

Malware Config

Extracted

Path

C:\_readme.txt

Ransom Note
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-T9WE5uiVT6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 046Sdsd3273yifhsisySD60h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
URLs

https://we.tl/t-T9WE5uiVT6

Signatures

  • Executes dropped EXE 4 IoCs
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 34 IoCs
  • Looks up external IP address via web service 10 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"
    1⤵
    • Adds Run key to start application
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4388
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      2⤵
      • Modifies file permissions
      PID:4640
    • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask
      2⤵
      • Modifies extensions of user files
      • Drops desktop.ini file(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4520
      • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:868
        • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
          "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 868 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1500
      • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 4520 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1092
  • C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3868
    • C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1532 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4952
    • C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3868 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4772
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2236 -s 7176
    1⤵
    • Program crash
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4724
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:5024
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 5024 -s 2056
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5092

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/868-134-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/1092-131-0x00000000005ED000-0x000000000061E000-memory.dmp

    Filesize

    196KB

    Download

  • memory/1092-133-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/1500-136-0x000000000052E000-0x000000000055F000-memory.dmp

    Filesize

    196KB

    Download

  • memory/1500-137-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/1532-154-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/1532-153-0x00000000007AE000-0x00000000007DE000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3868-140-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/3868-139-0x0000000000859000-0x0000000000889000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4388-118-0x00000000007B8000-0x00000000007E9000-memory.dmp

    Filesize

    196KB

    Download

  • memory/4388-119-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/4520-124-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/4520-123-0x00000000006FD000-0x000000000072E000-memory.dmp

    Filesize

    196KB

    Download

  • memory/4772-156-0x000000000077E000-0x00000000007AE000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4772-158-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download

  • memory/4952-159-0x00000000005EE000-0x000000000061E000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4952-160-0x0000000000400000-0x00000000004A9000-memory.dmp

    Filesize

    676KB

    Download