d81f751a2b47e3195fb035c804fc7a54d1c51426f759c53048bd9837663a101a

General

Target

e_win.exe
Size

664KB
MD5

2c1bacb056654515171bedadaecfe67e
SHA1

d45f9fccbb7c4c1221e3eb4d7801fa0a5910012e
SHA256

d81f751a2b47e3195fb035c804fc7a54d1c51426f759c53048bd9837663a101a
SHA512

79977a9fd287bc32072e74a45cc81e96351b6805e65c700df1be5e1e64a3c3f1db36830544418490896f88e630748d14c88bf86321a0f88ca50b3dffab57830a

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Guide To Recover Your Files.txt

Ransom Note

!!! YOUR NETWORK ENCRYPTED !!! What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data. What guarantees? ---------------------------------------------- We guarantee that you can recover all your files safely and easily. You can decrypt a single file for warranty - we can do it. Find a *.chichi file on your computer and upload and get the original. (maximum file size - 512Kb) Chat with support But if you want to decrypt all your files, you need to pay. Write to support if you want to buy decryptor. How to contact us? ---------------------------------------------- Write to email : [email protected], [email protected], [email protected], [email protected], [email protected] How to Pay? ---------------------------------------------- You need pay $300,000 Payment has to be deposited in Bitcoin based on the Bitcoin/USD exchange rate at the moment of payment. The address you have to make payment is: bc1q0lasrt2qjgantwy0ylzrdttlmmz6ap09l8964g Attention! ---------------------------------------------- Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. You have to deposit payment within 72 hours (3 days) after receiving this message, otherwise, you will lose your files forever and we will start posting your data to the dark web.

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 22 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\OutWatch.crw => C:\Users\Admin\Pictures\OutWatch.crw.chichi	e_win.exe
File renamed	C:\Users\Admin\Pictures\LimitEnter.png => C:\Users\Admin\Pictures\LimitEnter.png.chichi	e_win.exe
File opened for modification	C:\Users\Admin\Pictures\OutWatch.crw.chichi	e_win.exe
File opened for modification	C:\Users\Admin\Pictures\OpenStart.tif.chichi	e_win.exe
File renamed	C:\Users\Admin\Pictures\ResumePublish.raw => C:\Users\Admin\Pictures\ResumePublish.raw.chichi	e_win.exe
File opened for modification	C:\Users\Admin\Pictures\TraceJoin.png.chichi	e_win.exe
File renamed	C:\Users\Admin\Pictures\TraceJoin.png => C:\Users\Admin\Pictures\TraceJoin.png.chichi	e_win.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeWatch.png.chichi	e_win.exe
File opened for modification	C:\Users\Admin\Pictures\MergeExpand.tiff.chichi	e_win.exe
File opened for modification	C:\Users\Admin\Pictures\LimitEnter.png.chichi	e_win.exe
File opened for modification	C:\Users\Admin\Pictures\RestoreNew.raw.chichi	e_win.exe
File renamed	C:\Users\Admin\Pictures\SplitUnlock.tif => C:\Users\Admin\Pictures\SplitUnlock.tif.chichi	e_win.exe
File opened for modification	C:\Users\Admin\Pictures\SplitUnlock.tif.chichi	e_win.exe
File renamed	C:\Users\Admin\Pictures\MergeExpand.tiff => C:\Users\Admin\Pictures\MergeExpand.tiff.chichi	e_win.exe
File renamed	C:\Users\Admin\Pictures\OpenStart.tif => C:\Users\Admin\Pictures\OpenStart.tif.chichi	e_win.exe
File renamed	C:\Users\Admin\Pictures\RestoreNew.raw => C:\Users\Admin\Pictures\RestoreNew.raw.chichi	e_win.exe
File opened for modification	C:\Users\Admin\Pictures\ResumePublish.raw.chichi	e_win.exe
File renamed	C:\Users\Admin\Pictures\SplitSkip.tiff => C:\Users\Admin\Pictures\SplitSkip.tiff.chichi	e_win.exe
File opened for modification	C:\Users\Admin\Pictures\SplitSkip.tiff.chichi	e_win.exe
File opened for modification	C:\Users\Admin\Pictures\MergeExpand.tiff	e_win.exe
File renamed	C:\Users\Admin\Pictures\InitializeWatch.png => C:\Users\Admin\Pictures\InitializeWatch.png.chichi	e_win.exe
File opened for modification	C:\Users\Admin\Pictures\SplitSkip.tiff	e_win.exe

Deletes itself 1 IoCs

pid	Process
564	cmd.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	e_win.exe
File opened (read-only)	\??\B:	e_win.exe
File opened (read-only)	\??\M:	e_win.exe
File opened (read-only)	\??\O:	e_win.exe
File opened (read-only)	\??\J:	e_win.exe
File opened (read-only)	\??\Y:	e_win.exe
File opened (read-only)	\??\U:	e_win.exe
File opened (read-only)	\??\I:	e_win.exe
File opened (read-only)	\??\P:	e_win.exe
File opened (read-only)	\??\L:	e_win.exe
File opened (read-only)	\??\Z:	e_win.exe
File opened (read-only)	\??\W:	e_win.exe
File opened (read-only)	\??\R:	e_win.exe
File opened (read-only)	\??\V:	e_win.exe
File opened (read-only)	\??\N:	e_win.exe
File opened (read-only)	\??\G:	e_win.exe
File opened (read-only)	\??\H:	e_win.exe
File opened (read-only)	\??\X:	e_win.exe
File opened (read-only)	\??\T:	e_win.exe
File opened (read-only)	\??\F:	e_win.exe
File opened (read-only)	\??\A:	e_win.exe
File opened (read-only)	\??\S:	e_win.exe
File opened (read-only)	\??\Q:	e_win.exe
File opened (read-only)	\??\E:	e_win.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1876	vssadmin.exe
1960	vssadmin.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1968	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1052	e_win.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1564	vssvc.exe
Token: SeRestorePrivilege	1564	vssvc.exe
Token: SeAuditPrivilege	1564	vssvc.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 1100	1052	e_win.exe	28
PID 1052 wrote to memory of 1100	1052	e_win.exe	28
PID 1052 wrote to memory of 1100	1052	e_win.exe	28
PID 1052 wrote to memory of 1100	1052	e_win.exe	28
PID 1100 wrote to memory of 1876	1100	cmd.exe	30
PID 1100 wrote to memory of 1876	1100	cmd.exe	30
PID 1100 wrote to memory of 1876	1100	cmd.exe	30
PID 1052 wrote to memory of 872	1052	e_win.exe	34
PID 1052 wrote to memory of 872	1052	e_win.exe	34
PID 1052 wrote to memory of 872	1052	e_win.exe	34
PID 1052 wrote to memory of 872	1052	e_win.exe	34
PID 872 wrote to memory of 1960	872	cmd.exe	36
PID 872 wrote to memory of 1960	872	cmd.exe	36
PID 872 wrote to memory of 1960	872	cmd.exe	36
PID 1052 wrote to memory of 564	1052	e_win.exe	37
PID 1052 wrote to memory of 564	1052	e_win.exe	37
PID 1052 wrote to memory of 564	1052	e_win.exe	37
PID 1052 wrote to memory of 564	1052	e_win.exe	37
PID 564 wrote to memory of 1968	564	cmd.exe	39
PID 564 wrote to memory of 1968	564	cmd.exe	39
PID 564 wrote to memory of 1968	564	cmd.exe	39
PID 564 wrote to memory of 1968	564	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\e_win.exe
"C:\Users\Admin\AppData\Local\Temp\e_win.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping localhost -n 3 > nul & del /q "C:\Users\Admin\AppData\Local\Temp\e_win.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Windows\SysWOW64\PING.EXE
    ping localhost -n 3
    3⤵
    - Runs ping.exe
    PID:1968