Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    30-11-2021 13:30

General

  • Target

    1699dd3b24dd5a405449a60f94b0043731deaa749d4899f2f927d913c624895b.bin.sample.exe

  • Size

    5.4MB

  • MD5

    bf8dafaedf5b031ba01200e2ec608f96

  • SHA1

    3e6689dc6a8a717b4114a7fe65bba594c597c7b9

  • SHA256

    1699dd3b24dd5a405449a60f94b0043731deaa749d4899f2f927d913c624895b

  • SHA512

    625535d71b2ca8a547924f08357eda1dc1d669b6c4ae1d0a436af1435fb9af58f24b63cde71588cee1785e36bb950c8c412db9c1e0541e65d11f2a13955fe7f6

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\!TXDOT_READ_ME!.txt

Ransom Note
Greetings, Texas Department of Transportation! Read this message CAREFULLY and contact someone from IT department. Your files are securely ENCRYPTED. No third party decryption software EXISTS. MODIFICATION or RENAMING encrypted files may cause decryption failure. You can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all files from all affected systems ANY TIME. Encrypted file SHOULD NOT contain sensitive information (technical, backups, databases, large documents). The rest of data will be available after the PAYMENT. Infrastructure rebuild will cost you MUCH more. Contact us ONLY if you officially represent the whole affected network. The ONLY attachments we accept are non archived encrypted files for test decryption. Speak ENGLISH when contacting us. Mail us: [email protected] We kindly ask you not to use GMAIL, YAHOO or LIVE to contact us. The PRICE depends on how quickly you do it.

Signatures

  • Deletes NTFS Change Journal 2 TTPs

    The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

  • RansomEXX Ransomware

    Targeted ransomware with variants which affect Windows and Linux systems.

  • Clears Windows event logs 1 TTPs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables use of System Restore points 1 TTPs
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Overwrites deleted data with Cipher tool 1 TTPs

    Cipher is a Windows tool which can be used to securely wipe deallocated HDD space, preventing recovery of deleted data.

  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1699dd3b24dd5a405449a60f94b0043731deaa749d4899f2f927d913c624895b.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\1699dd3b24dd5a405449a60f94b0043731deaa749d4899f2f927d913c624895b.bin.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Windows\System32\fsutil.exe
      "C:\Windows\System32\fsutil.exe" usn deletejournal /D C:
      2⤵
      PID:2036
    • C:\Windows\System32\wbadmin.exe
      "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
      2⤵
      • Deletes backup catalog
      PID:1560
    • C:\Windows\System32\bcdedit.exe
      "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:992
    • C:\Windows\System32\bcdedit.exe
      "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1340
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
      2⤵
      PID:308
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl System
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:588
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" sl Security /e:false
      2⤵
      PID:1940
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl Application
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1904
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl Security
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1732
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl Setup
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1748
    • C:\Windows\SysWOW64\cipher.exe
      "C:\Windows\System32\cipher.exe" /w:C:
      2⤵
      PID:1444
    • C:\Windows\SysWOW64\cipher.exe
      "C:\Windows\System32\cipher.exe" /w:D:
      2⤵
      • Enumerates connected drives
      PID:1756
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:964
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:892
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:1944

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1336-57-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

  • memory/1336-56-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

  • memory/1336-59-0x0000000001140000-0x0000000001A1C000-memory.dmp

    Filesize

    8.9MB

  • memory/1336-61-0x0000000000080000-0x0000000000081000-memory.dmp

    Filesize

    4KB

  • memory/1336-55-0x0000000076531000-0x0000000076533000-memory.dmp

    Filesize

    8KB

  • memory/1904-75-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp

    Filesize

    8KB