Analysis

  • max time kernel
    190s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    28-11-2021 04:49

General

  • Target

    e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe

  • Size

    128KB

  • MD5

    99e949ddd57dbc19457eba5f235516f3

  • SHA1

    99f9270e85ec53b8dada459279d30e8b169462c1

  • SHA256

    e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b

  • SHA512

    4b4746c6d23be8d445876e5e6931d48ebbac8eca6c4ad545b6dc94c400f768df87ad03984c1c83a7e7d0225fd8cdd6305e4f7ef4d580378b42424288def7fa41

Malware Config

Extracted

Path

C:\Users\Admin\How to decrypt files.txt

Family

targetcompany

Ransom Note
Your personal identifier: BRD454A21JS
All files on BRG Precision Products network have been encrypted due to insufficient security. The only way to quickly and reliably regain access to your files is to contact us. The price depends on how fast you write to us. In other cases, you risk losing your time and access to data. Usually time is much more valuable than money.
In addition, we downloaded about 100 gb of data from your network. We will publish the data if you do not negotiate with us.
FAQ
Q: How to contact us
A: * Download Tor Browser - https://www.torproject.org/
   * Open link in Tor Browser http://eghv5cpdsmuj5e6tpyjk5icgq642hqubildf6yrfnqlq3rmsqk2zanid.onion/contact
   * Follow the instructions on the website.
Q: What guarantees?
A: Before paying, we can decrypt several of your test files. Files should not contain valuable information.
Q: Can I decrypt my data for free or through intermediaries?
A: Use third party programs and intermediaries at your own risk. Third party software may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.

URLs

http://eghv5cpdsmuj5e6tpyjk5icgq642hqubildf6yrfnqlq3rmsqk2zanid.onion/contact

Signatures

  • TargetCompany

    Ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
    "C:\Users\Admin\AppData\Local\Temp\e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Windows\system32\vssadmin.exe
      "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:760
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1164
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:692
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1068
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe" >> NUL
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:920
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:816
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\How to decrypt files.txt
    1⤵
      PID:1164

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Defense Evasion
      • File Deletion (T1107): 2

    Discovery
      • Query Registry (T1012): 1
      • Peripheral Device Discovery (T1120): 1
      • System Information Discovery (T1082): 2
      • Remote System Discovery (T1018): 1

    Impact
      • Inhibit System Recovery (T1490): 3

    Downloads

    • C:\Users\Public\Desktop\How to decrypt files.txt
      MD5

      ef0b6f818162e1cb90f601e0d1fbcecf

      SHA1

      33fab6593738af52393884c589fb40417d9292aa

      SHA256

      0b2fd826cd23e013dba97e5e398af8992b9b48d69a0bbb6cffa1ea5fa896b4fe

      SHA512

      89c141064843766fbd10fc64e0be403cd40e79788ced2934a99d435ae0643290f6f697ae7214c0f0fb23c62b37d8074ee2bd7881005541e272231dca62849502
