ransomexx_win | d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-en-20211014
submitted
30-11-2021 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe
Size

156KB
MD5

b36c45a9548330108c3e5731607eb7fb
SHA1

24e773aa271fc0636cda6b0966a6034b65cb3052
SHA256

d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e
SHA512

1bdb0b3772057cef466e496d5f1bf248fde7337d4bc8bf1ce94a1b56eafed3f83d82b1bc9c607c055641a303f604689297f8aa1c53e33568de0d455a07950889

Score

10^/10

ransomexx_win evasion ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\!TXDOT_READ_ME!.txt

Ransom Note

Greetings, Texas Department of Transportation! Read this message CAREFULLY and contact someone from IT department. Your files are securely ENCRYPTED. No third party decryption software EXISTS. MODIFICATION or RENAMING encrypted files may cause decryption failure. You can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all files from all affected systems ANY TIME. Encrypted file SHOULD NOT contain sensitive information (technical, backups, databases, large documents). The rest of data will be available after the PAYMENT. Infrastructure rebuild will cost you MUCH more. Contact us ONLY if you officially represent the whole affected network. The ONLY attachments we accept are non archived encrypted files for test decryption. Speak ENGLISH when contacting us. Mail us: [email protected] We kindly ask you not to use GMAIL, YAHOO or LIVE to contact us. The PRICE depends on how quickly you do it. �

Emails

[email protected]

Signatures

Deletes NTFS Change Journal 2 TTPs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
ransomware

Inhibit System Recovery
T1490

Data Destruction
T1485
RansomEXX Ransomware
Targeted ransomware with variants which affect Windows and Linux systems.
ransomware ransomexx_win
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
840	bcdedit.exe
1780	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1936	wbadmin.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\DismountSkip.raw => C:\Users\Admin\Pictures\DismountSkip.raw.txd0t	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\InstallRegister.tif => C:\Users\Admin\Pictures\InstallRegister.tif.txd0t	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\TraceFind.raw => C:\Users\Admin\Pictures\TraceFind.raw.txd0t	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\WriteDisconnect.png => C:\Users\Admin\Pictures\WriteDisconnect.png.txd0t	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\CheckpointUnpublish.png => C:\Users\Admin\Pictures\CheckpointUnpublish.png.txd0t	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\FindMove.tif => C:\Users\Admin\Pictures\FindMove.tif.txd0t	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\InitializeAssert.png => C:\Users\Admin\Pictures\InitializeAssert.png.txd0t	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\ImportExit.crw => C:\Users\Admin\Pictures\ImportExit.crw.txd0t	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\RenameMerge.crw => C:\Users\Admin\Pictures\RenameMerge.crw.txd0t	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe
File renamed	C:\Users\Admin\Pictures\ShowSearch.crw => C:\Users\Admin\Pictures\ShowSearch.crw.txd0t	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe

Overwrites deleted data with Cipher tool 1 TTPs
Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.
ransomware

Inhibit System Recovery
T1490

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	cipher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe
1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe
1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe
1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe
1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe
1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe
1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe
1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1796	wevtutil.exe
Token: SeBackupPrivilege	1796	wevtutil.exe
Token: SeSecurityPrivilege	1080	wevtutil.exe
Token: SeSecurityPrivilege	1364	wevtutil.exe
Token: SeBackupPrivilege	1080	wevtutil.exe
Token: SeBackupPrivilege	1364	wevtutil.exe
Token: SeSecurityPrivilege	1200	wevtutil.exe
Token: SeBackupPrivilege	1200	wevtutil.exe
Token: SeBackupPrivilege	1332	wbengine.exe
Token: SeRestorePrivilege	1332	wbengine.exe
Token: SeSecurityPrivilege	1332	wbengine.exe
Token: SeSecurityPrivilege	1548	wevtutil.exe
Token: SeBackupPrivilege	1548	wevtutil.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 1280	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	37
PID 1524 wrote to memory of 1280	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	37
PID 1524 wrote to memory of 1280	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	37
PID 1524 wrote to memory of 1280	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	37
PID 1524 wrote to memory of 1364	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	36
PID 1524 wrote to memory of 1364	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	36
PID 1524 wrote to memory of 1364	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	36
PID 1524 wrote to memory of 1364	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	36
PID 1524 wrote to memory of 1796	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	34
PID 1524 wrote to memory of 1796	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	34
PID 1524 wrote to memory of 1796	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	34
PID 1524 wrote to memory of 1796	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	34
PID 1524 wrote to memory of 1548	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	35
PID 1524 wrote to memory of 1548	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	35
PID 1524 wrote to memory of 1548	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	35
PID 1524 wrote to memory of 1548	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	35
PID 1524 wrote to memory of 1412	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	31
PID 1524 wrote to memory of 1412	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	31
PID 1524 wrote to memory of 1412	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	31
PID 1524 wrote to memory of 1412	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	31
PID 1524 wrote to memory of 840	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	32
PID 1524 wrote to memory of 840	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	32
PID 1524 wrote to memory of 840	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	32
PID 1524 wrote to memory of 840	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	32
PID 1524 wrote to memory of 1348	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	33
PID 1524 wrote to memory of 1348	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	33
PID 1524 wrote to memory of 1348	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	33
PID 1524 wrote to memory of 1348	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	33
PID 1524 wrote to memory of 1080	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	30
PID 1524 wrote to memory of 1080	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	30
PID 1524 wrote to memory of 1080	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	30
PID 1524 wrote to memory of 1080	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	30
PID 1524 wrote to memory of 1780	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	43
PID 1524 wrote to memory of 1780	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	43
PID 1524 wrote to memory of 1780	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	43
PID 1524 wrote to memory of 1780	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	43
PID 1524 wrote to memory of 668	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	42
PID 1524 wrote to memory of 668	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	42
PID 1524 wrote to memory of 668	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	42
PID 1524 wrote to memory of 668	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	42
PID 1524 wrote to memory of 1200	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	41
PID 1524 wrote to memory of 1200	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	41
PID 1524 wrote to memory of 1200	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	41
PID 1524 wrote to memory of 1200	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	41
PID 1524 wrote to memory of 1936	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	38
PID 1524 wrote to memory of 1936	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	38
PID 1524 wrote to memory of 1936	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	38
PID 1524 wrote to memory of 1936	1524	d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe	38

C:\Users\Admin\AppData\Local\Temp\d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\d85f4448d5aea240d68c07bec6f363986d71940c3c1a3e49053d55fd1741c41e.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" sl Security /e:false
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\System32\fsutil.exe
  "C:\Windows\System32\fsutil.exe" usn deletejournal /D C:
  2⤵
  PID:1412
- C:\Windows\System32\bcdedit.exe
  "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:840
- C:\Windows\SysWOW64\cipher.exe
  "C:\Windows\System32\cipher.exe" /w:D:
  2⤵
  - Enumerates connected drives
  PID:1348
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl System
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl Setup
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl Application
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  2⤵
  PID:1280
- C:\Windows\System32\wbadmin.exe
  "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
  2⤵
  - Deletes backup catalog
  PID:1936
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl Security
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- C:\Windows\SysWOW64\cipher.exe
  "C:\Windows\System32\cipher.exe" /w:C:
  2⤵
  PID:668
- C:\Windows\System32\bcdedit.exe
  "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1780

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1948

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Indicator Removal on Host

T1070

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1524-55-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/1524-56-0x00000000084B0000-0x0000000008F6A000-memory.dmp

Filesize
10.7MB

Download
memory/1796-69-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp

Filesize
8KB

Download