Resubmissions

25-06-2024 12:19

240625-phcgyayhqe 10

28-11-2021 04:49

211128-ff255sfhgj 10

Analysis

  • max time kernel
    205s
  • max time network
    211s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    28-11-2021 04:49

General

  • Target

    e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe

  • Size

    128KB

  • MD5

    99e949ddd57dbc19457eba5f235516f3

  • SHA1

    99f9270e85ec53b8dada459279d30e8b169462c1

  • SHA256

    e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b

  • SHA512

    4b4746c6d23be8d445876e5e6931d48ebbac8eca6c4ad545b6dc94c400f768df87ad03984c1c83a7e7d0225fd8cdd6305e4f7ef4d580378b42424288def7fa41

Malware Config

Extracted

Path

C:\$Recycle.Bin\How to decrypt files.txt

Family

targetcompany

Ransom Note
Your personal identifier: BRD454A21JS All files on BRG Precision Products network have been encrypted due to insufficient security. The only way to quickly and reliably regain access to your files is to contact us. The price depends on how fast you write to us. In other cases, you risk losing your time and access to data. Usually time is much more valuable than money. In addition, we downloaded about 100 gb of data from your network. We will publish the data if you do not negotiate with us. FAQ Q: How to contact us A: * Download Tor Browser - https://www.torproject.org/ * Open link in Tor Browser http://eghv5cpdsmuj5e6tpyjk5icgq642hqubildf6yrfnqlq3rmsqk2zanid.onion/contact * Follow the instructions on the website. Q: What guarantees? A: Before paying, we can decrypt several of your test files. Files should not contain valuable information. Q: Can I decrypt my data for free or through intermediaries? A: Use third party programs and intermediaries at your own risk. Third party software may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam. �
URLs

http://eghv5cpdsmuj5e6tpyjk5icgq642hqubildf6yrfnqlq3rmsqk2zanid.onion/contact

Signatures

  • TargetCompany

    Ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
    "C:\Users\Admin\AppData\Local\Temp\e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Windows\System32\vssadmin.exe
      "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:520
    • C:\Windows\System32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:604
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2212
    • C:\Windows\System32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1032
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2852
    • C:\Windows\System32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe" >> NUL
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:772
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:3528
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1136

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads