ransomexx_win | 64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4

General

Target

64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe
Size

156KB
MD5

1af3b3dbc826f6dadf14025588ff96f6
SHA1

5238ba19bb3c7298ee13fe6eb0cf5f8787c13cd8
SHA256

64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4
SHA512

a2dfefe1e78e3267755e45cefb88ffc65240b6c0aaf8546480ce38a2d6432f7907be86aeb579095e4781b21a0125434e6c945777ca50362765ce63324aac282d

Score

10^/10

ransomexx_win evasion ransomware

Malware Config

Extracted

Path

C:\Users\Admin\.oracle_jre_usage\!TXDOT_READ_ME!.txt

Ransom Note

Greetings, Texas Department of Transportation! Read this message CAREFULLY and contact someone from IT department. Your files are securely ENCRYPTED. No third party decryption software EXISTS. MODIFICATION or RENAMING encrypted files may cause decryption failure. You can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all files from all affected systems ANY TIME. Encrypted file SHOULD NOT contain sensitive information (technical, backups, databases, large documents). The rest of data will be available after the PAYMENT. Infrastructure rebuild will cost you MUCH more. Contact us ONLY if you officially represent the whole affected network. The ONLY attachments we accept are non archived encrypted files for test decryption. Speak ENGLISH when contacting us. Mail us: [email protected] We kindly ask you not to use GMAIL, YAHOO or LIVE to contact us. The PRICE depends on how quickly you do it. �

Emails

[email protected]

Signatures

Deletes NTFS Change Journal 2 TTPs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
ransomware

Inhibit System Recovery
T1490

Data Destruction
T1485
RansomEXX Ransomware
Targeted ransomware with variants which affect Windows and Linux systems.
ransomware ransomexx_win
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2440	bcdedit.exe
3544	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3680	wbadmin.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\RepairExit.png => C:\Users\Admin\Pictures\RepairExit.png.txd0t	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\SaveExit.tiff => C:\Users\Admin\Pictures\SaveExit.tiff.txd0t	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\SaveExit.tiff	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe

Overwrites deleted data with Cipher tool 1 TTPs
Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.
ransomware

Inhibit System Recovery
T1490

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	cipher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	vds.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe
2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe
2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe
2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe
2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe
2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe
2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe
2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe
2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe
2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe
2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe
2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe
2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe
2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeSecurityPrivilege	720	wevtutil.exe
Token: SeBackupPrivilege	720	wevtutil.exe
Token: SeSecurityPrivilege	896	wevtutil.exe
Token: SeBackupPrivilege	896	wevtutil.exe
Token: SeSecurityPrivilege	676	wevtutil.exe
Token: SeBackupPrivilege	676	wevtutil.exe
Token: SeSecurityPrivilege	1664	wevtutil.exe
Token: SeBackupPrivilege	1664	wevtutil.exe
Token: SeSecurityPrivilege	852	wevtutil.exe
Token: SeBackupPrivilege	852	wevtutil.exe
Token: SeBackupPrivilege	3748	wbengine.exe
Token: SeRestorePrivilege	3748	wbengine.exe
Token: SeSecurityPrivilege	3748	wbengine.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 852	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	77
PID 2728 wrote to memory of 852	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	77
PID 2728 wrote to memory of 720	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	73
PID 2728 wrote to memory of 720	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	73
PID 2728 wrote to memory of 1180	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	78
PID 2728 wrote to memory of 1180	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	78
PID 2728 wrote to memory of 1236	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	74
PID 2728 wrote to memory of 1236	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	74
PID 2728 wrote to memory of 1236	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	74
PID 2728 wrote to memory of 896	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	76
PID 2728 wrote to memory of 896	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	76
PID 2728 wrote to memory of 676	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	72
PID 2728 wrote to memory of 676	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	72
PID 2728 wrote to memory of 3680	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	79
PID 2728 wrote to memory of 3680	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	79
PID 2728 wrote to memory of 1876	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	75
PID 2728 wrote to memory of 1876	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	75
PID 2728 wrote to memory of 1876	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	75
PID 2728 wrote to memory of 1664	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	71
PID 2728 wrote to memory of 1664	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	71
PID 2728 wrote to memory of 1252	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	80
PID 2728 wrote to memory of 1252	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	80
PID 2728 wrote to memory of 3544	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	82
PID 2728 wrote to memory of 3544	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	82
PID 2728 wrote to memory of 2440	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	81
PID 2728 wrote to memory of 2440	2728	64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe	81

C:\Users\Admin\AppData\Local\Temp\64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\64c51351aafb4cd339934a78d064847bdd833b963eafbade86eb51ac2c1677f4.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl System
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl Security
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:676
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" sl Security /e:false
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:720
- C:\Windows\SysWOW64\cipher.exe
  "C:\Windows\System32\cipher.exe" /w:D:
  2⤵
  - Enumerates connected drives
  PID:1236
- C:\Windows\SysWOW64\cipher.exe
  "C:\Windows\System32\cipher.exe" /w:C:
  2⤵
  PID:1876
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl Application
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl Setup
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  2⤵
  PID:1180
- C:\Windows\System32\wbadmin.exe
  "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
  2⤵
  - Deletes backup catalog
  PID:3680
- C:\Windows\System32\fsutil.exe
  "C:\Windows\System32\fsutil.exe" usn deletejournal /D C:
  2⤵
  PID:1252
- C:\Windows\System32\bcdedit.exe
  "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2440
- C:\Windows\System32\bcdedit.exe
  "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3544