Resubmissions

  26-09-2022 15:09   220926-sjlzjscchm   9
  05-12-2021 07:55   211205-jscmsscbeq   10

General

  • Target

    SysLogsService.exe

  • Size

    7.7MB

  • Sample

    211205-jscmsscbeq

  • MD5

    0b97fa8b682939e55df2bcfe3d17dba5

  • SHA1

    9d0101a59a1f705d55ab5acb0577ea9a967a6bab

  • SHA256

    ef7fefcb41d79c824c429819fbe73e6d0186c0586bc5f031debf553cd43edce4

  • SHA512

    1d4e414a9abd9b4f317f4ea37fc2a76ee8d3057b5079f654c142ef0b938433d0c52f8620526375eed4b9ac0adceda26484ebad9e63b7c4df5aef272d07620e68

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\CRYPTiNFO.TXT

Ransom Note
#################################################################################
############## You became victim of the .T1000 Ransomware-Virus C&C #############
#################################################################################
The harddisks of your computer have been encrypted with an military grade encryption algorithm TermCryptS7+RSA4096.
There is no way to restore your data without a special key.
To get RSA private key you have to contact us via the link below, located in the TOR private network
########################################################
##HWID YOUR SYSTEM >> {56DD9D47-7BE5-8B82-389B91405260980C} > Required when paying
#########################################################################
##Download the Tor Browser at >>> https://www.torproject.org <<<
##If you need help. please google for "access onion page".
## Uisit one of the following pages with the Tor Browser:
##http://kwk62hefhey3zh4ki332d7uluww5oilm4c6t5tnhb4g5hrf7a2szvlqd.onion/index.php >>> For payment
##Amount to pay Bitcoin Exchangers for exchanging for cryptocurrency: >>> https://www.bestchange.net <<<
If you want to decrypt your files, you have to get RSA private key.
## Chat support: > http://kwk62hefhey3zh4ki332d7uluww5oilm4c6t5tnhb4g5hrf7a2szvlqd.onion/chat
## Jabber: > t1000rn@404.city FULL ONLINE<
##After the successful payment and decrypting your files, we will give you FULL instructions HOW to IMPROVE your security system.
## If you have any problems with TOR browser, TELEGRAM us: >> @t1000rn <<
>>>>Do not pay data recovery companies to get the key, they will email me! <<<<
We ready to answer all your questions! ##
## HOW to understand that we are NOT scammers? You can ask SUPPORT for the TEST-decryption for ONE file!
#####################
############### LIST OF ENCRYPTED FILES #######################################
###############################################################################
--------------------------------------------------------------------------------
C:\vcredist2010_x64.log.html 88496
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log 169694
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log 197550
C:\Users\Default\NTUSER.DAT.LOG 1024
C:\Users\Admin\deployment.properties 1646
C:\Users\Admin\ntuser.dat.LOG1 0
C:\Users\Admin\ntuser.dat.LOG2 0
C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf 0
C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms 0
C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms 0
C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log 171966
C:\Users\Default\NTUSER.DAT.LOG1 189440
C:\Users\Default\NTUSER.DAT.LOG2 0
C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf 65536
C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms 524288
C:\Users\Default\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms 524288
C:\Recovery\590dd5e2-2d4f-11ec-8202-e2f59334bf81\boot.sdi 3170304
C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log 193102
C:\vcredist2019_x64_001_vcRuntimeMinimum_x64.log 120814
C:\vcredist2019_x64_002_vcRuntimeAdditional_x64.log 131692
C:\Users\Admin\Contacts\Admin.contact 68374
C:\Users\Public\Libraries\RecordedTV.library-ms 876
C:\Users\Admin\Desktop\CompleteCompare.mpg 369180
C:\Users\Admin\Desktop\CompressBlock.zip 843840
C:\Users\Admin\Desktop\ConnectPublish.xls 975690
C:\Users\Admin\Desktop\ConnectRestart.DVR 632880
C:\Users\Admin\Desktop\CopySkip.xsl 421920
C:\Users\Admin\Desktop\DisconnectConfirm.mht 764730
C:\Users\Admin\Desktop\DisconnectSwitch.mpeg3 791100
C:\Users\Admin\Desktop\ExitConfirm.wpl 474660
C:\Users\Admin\Desktop\ExportOpen.ppsx 501030
C:\Users\Admin\Desktop\ExportResume.wps 448290
C:\Users\Admin\Desktop\FindReset.DVR 922950
C:\Users\Admin\Desktop\FormatSuspend.aiff 685620
C:\Users\Admin\Desktop\NewEnable.otf 606510
C:\Users\Admin\Desktop\NewExit.mpe 342810
C:\Users\Admin\Desktop\ReceiveDismount.emz 1344542
C:\Users\Admin\Downloads\BlockSplit.vst 753160
C:\Users\Admin\Desktop\RegisterConnect.png 580140
C:\Users\Admin\Downloads\ClearUpdate.xsl 626312
C:\Users\Admin\Desktop\RestartRemove.M2V 659250
C:\Users\Admin\Downloads\CloseUninstall.wma 388472
C:\Users\Admin\Desktop\RevokeReset.mp4 395550
C:\Users\Admin\Downloads\CompleteUnprotect.mov 467752
C:\Users\Admin\Desktop\SearchUnprotect.html 870210
C:\Users\Admin\Downloads\CompressUnpublish.mp4 309192
C:\Users\Admin\Desktop\ShowClear.pps 553770
C:\Users\Admin\Downloads\CopyUpdate.tmp 848296
C:\Users\Admin\Downloads\DenyStep.wax 325048
C:\Users\Admin\Desktop\SubmitAssert.gif 817470
C:\Users\Admin\Downloads\ExitAssert.rm 864152
C:\Users\Admin\Desktop\SuspendSplit.ppsx 711990
C:\Users\Admin\Downloads\ExpandEnter.zip 451896
C:\Users\Admin\Downloads\ExportCompare.crw 547032
C:\Users\Admin\Desktop\TestMerge.mp4 738360
C:\Users\Admin\Downloads\ExportConvertFrom.rle 832440
C:\Users\Admin\Downloads\ExportDebug.pptm 769016
C:\Users\Admin\Downloads\GrantClear.aifc 594600
C:\Users\Admin\Desktop\WaitUnprotect.dxf 896580
C:\Users\Admin\Downloads\GrantUninstall.xltx 784872
C:\Users\Admin\Downloads\ImportRequest.cr2 531176
C:\Users\Admin\Downloads\InstallMeasure.easmx 673880
C:\Users\Admin\Downloads\MountRestore.au 642168
C:\Users\Admin\Downloads\MoveClose.dxf 658024
C:\Users\Admin\Downloads\OpenPush.pcx 483608
C:\Users\Admin\Downloads\OutUpdate.M2V 578744
C:\Users\Admin\Pictures\ApproveInstall.tiff 159744
C:\Users\Admin\Pictures\CheckpointWrite.wmf 129024
C:\Users\Admin\Pictures\CopyImport.raw 258048
C:\Users\Admin\Pictures\DebugInstall.jpeg 221184
C:\Users\Admin\Pictures\DenyMerge.eps 245760
C:\Users\Admin\Pictures\DenyUnlock.jpeg 264192
C:\Users\Admin\Pictures\DismountCopy.crw 98304
C:\Users\Admin\Pictures\FindRevoke.tiff 184320
C:\Users\Admin\Pictures\ImportJoin.pcx 276480
C:\Users\Admin\Pictures\MeasureAdd.pcx 147456
C:\Users\Admin\Pictures\PingSwitch.dxf 135168
C:\Users\Admin\Documents\Are.docx 11525
C:\Users\Admin\Documents\ClearUpdate.vstx 788929
C:\Users\Admin\Documents\CompressUndo.csv 314040
C:\Users\Admin\Documents\ConvertToClose.odt 283402
C:\Users\Admin\Documents\DenySelect.dotm 574463
C:\Users\Admin\Documents\DenySuspend.ppt 298721
C:\Users\Admin\Documents\DenyUnregister.xls 651058
C:\Users\Admin\Documents\EnableCompress.odp 804248
C:\Users\Admin\Documents\EnableExpand.vst 513187
C:\Users\Admin\Documents\EnterWait.dot 528506
C:\Users\Admin\Documents\ExitInitialize.odp 742972
C:\Users\Admin\Documents\Files.docx 11551
C:\Users\Admin\Documents\FindShow.pptx 451911
C:\Users\Admin\Documents\JoinDisable.csv 727653
C:\Users\Admin\Documents\MeasureRename.odp 390635
C:\Users\Admin\Documents\MergeDeny.mhtml 605101
C:\Users\Admin\Documents\MergeLock.mpp 758291
C:\Users\Admin\Documents\MountAssert.pdf 819567
C:\Users\Admin\Documents\MountSubmit.ppsm 712334
C:\Users\Admin\Music\ApproveCompare.dib 239616
C:\Users\Admin\Documents\NewDisable.vsdx 329359
C:\Users\Admin\Pictures\PublishSend.svg 122880
C:\Users\Admin\Pictures\ReceivePush.dwg 233472
C:\Users\Admin\Documents\Opened.docx 11538
C:\Users\Admin\Searches\Everywhere.search-ms 248
C:\Users\Admin\Searches\Indexed Locations.search-ms 248
C:\Users\Admin\Documents\PingDismount.vdw 773610
C:\Users\Admin\Music\ApproveRepair.mpg 276480
C:\Users\Admin\Pictures\RenameRegister.dwg 165888
C:\Users\Admin\Downloads\PopMove.mht 562888
C:\Users\Admin\Pictures\RepairWrite.gif 215040
C:\Users\Admin\Pictures\ResolveClose.tiff 208896
C:\Users\Admin\Pictures\ResolveDisconnect.raw 196608
C:\Users\Admin\Downloads\PopUnprotect.rtf 800728
C:\Users\Admin\Pictures\RevokeTest.emf 387072
C:\Users\Admin\Pictures\SaveStep.gif 104448
C:\Users\Admin\Downloads\PublishStop.xsl 895864
C:\Users\Admin\Pictures\ShowLock.png 153600
C:\Users\Admin\Pictures\SuspendPush.eps 251904
C:\Users\Admin\Pictures\UnblockRegister.crw 190464
C:\Users\Admin\Pictures\UninstallClear.tiff 116736
C:\Users\Admin\Downloads\PushLimit.aifc 1221184
C:\Users\Admin\Documents\PublishCompress.mhtml 359997
C:\Users\Admin\Downloads\PushUninstall.pcx 499464
C:\Users\Admin\Downloads\RestartInvoke.js 420184
C:\Users\Admin\Documents\ReadBlock.pps 681696
C:\Users\Admin\Music\AssertExit.7z 331776
C:\Users\Admin\Pictures\UpdateRepair.dwg 239616
C:\Users\Admin\Music\BackupCompare.vstx 368640
C:\Users\Admin\Pictures\WatchUnregister.png 282624
C:\Users\Admin\Downloads\RestartSet.mp4 404328
C:\Users\Admin\Music\ClearEnter.xhtml 322560
C:\Users\Admin\Downloads\RestoreConnect.tif 689736
C:\Users\Admin\Music\CompleteGrant.wvx 423936
C:\Users\Admin\Music\ConfirmConvertTo.jpeg 221184
C:\Users\Admin\Downloads\SearchSubmit.xlsb 356760
C:\Users\Admin\Music\ConvertToRequest.pptx 313344
C:\Users\Admin\Music\CopyDeny.nfo 147456
C:\Users\Admin\Downloads\SuspendExit.mpa 610456
C:\Users\Admin\Music\ExportDismount.zip 230400
C:\Users\Admin\Downloads\SuspendFind.midi 436040
C:\Users\Admin\Music\ExportRestore.mid 387072
C:\Users\Admin\Downloads\SuspendOpen.ppsm 705592
C:\Users\Admin\Music\ImportSplit.htm 580608
C:\Users\Admin\Music\ImportUninstall.001 175104
C:\Users\Admin\Music\InvokePublish.php 202752
C:\Users\Admin\Music\MoveCompress.shtml 304128
C:\Users\Admin\Downloads\SyncResolve.7z 515320
C:\Users\Admin\Documents\Recently.docx 11533
C:\Users\Admin\Documents\RemoveSelect.html 497868
C:\Users\Admin\Downloads\UnregisterSubmit.mpg 816584
C:\Users\Admin\Documents\RenameBlock.vst 697015
C:\Users\Admin\Downloads\UpdateSet.temp 880008
C:\Users\Admin\Documents\RequestSelect.mhtml 467230
C:\Users\Admin\Downloads\WriteUnprotect.vstm 340904
C:\Users\Admin\Documents\ResetRedo.html 589782
C:\Users\Admin\Music\ProtectExit.midi 184320
C:\Users\Admin\Music\PublishStart.xps 211968
C:\Users\Admin\Music\PushClose.eprtx 396288
C:\Users\Admin\Music\ReadJoin.pptx 405504
C:\Users\Admin\Documents\RestoreRepair.vdw 1118078
C:\Users\Admin\Documents\SaveSkip.docm 543825
C:\Users\Admin\Documents\SearchWait.mht 482549
C:\Users\Admin\Documents\ShowLock.rtf 666377
C:\Users\Admin\Documents\ShowUnlock.potx 635739
C:\Users\Admin\Documents\SkipTrace.xls 344678
C:\Users\Admin\Documents\SuspendUndo.vstm 375316
C:\Users\Admin\Music\ReceiveStop.wpl 193536
C:\Users\Admin\Music\ResetUnprotect.png 294912
C:\Users\Admin\Music\SaveCopy.php 340992
C:\Users\Admin\Music\SplitStart.m4v 258048
C:\Users\Admin\Music\SubmitMeasure.wmx 267264
C:\Users\Admin\Music\SuspendAssert.xht 248832
C:\Users\Admin\Music\TraceWait.xlsm 165888
C:\Users\Admin\Documents\These.docx 11462
C:\Users\Admin\Documents\UndoAdd.rtf 620420
C:\Users\Admin\Documents\UseClear.vsx 421273
C:\Users\Admin\Documents\UseTrace.vdx 436592
C:\Recovery\590dd5e2-2d4f-11ec-8202-e2f59334bf81\Winre.wim 169213970
C:\Users\Admin\Favorites\Links for United States\GobiernoUSA.gov.url 134
C:\Users\Admin\Favorites\Links for United States\USA.gov.url 134
C:\Users\Admin\Favorites\Microsoft Websites\IE Add-on site.url 133
C:\Users\Admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url 133
C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv 9699328
C:\Users\Admin\Favorites\Microsoft Websites\Microsoft At Home.url 133
C:\Users\Admin\Favorites\Links\Suggested Sites.url 302
C:\Users\Admin\Favorites\Links\Web Slice Gallery.url 226
C:\Users\Admin\Favorites\Microsoft Websites\Microsoft At Work.url 133
C:\Users\Admin\Favorites\Microsoft Websites\Microsoft Store.url 134
C:\Users\Admin\Favorites\Windows Live\Get Windows Live.url 133
C:\Users\Admin\Favorites\Windows Live\Windows Live Gallery.url 133
C:\Users\Admin\Favorites\Windows Live\Windows Live Mail.url 133
C:\Users\Admin\Favorites\Windows Live\Windows Live Spaces.url 133
C:\Users\Admin\Favorites\MSN Websites\MSN Autos.url 133
C:\Users\Admin\Favorites\MSN Websites\MSN Entertainment.url 133
C:\Users\Admin\Favorites\MSN Websites\MSN Money.url 133
C:\Users\Admin\Favorites\MSN Websites\MSN Sports.url 133
C:\Users\Admin\Favorites\MSN Websites\MSN.url 133
C:\Users\Admin\Favorites\MSN Websites\MSNBC News.url 133
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv 26246026
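The note above has a fixed shape: a banner naming the family, a contact block carrying the victim HWID, the .onion payment and chat URLs, a Jabber address and a Telegram handle, then one "<path> <size>" entry per line. The script below is an added example for this report, not code from the sample, the sandbox or this page, that turns that shape into a structured IOC record. It runs on a constructed excerpt of the note (the contact lines and five of the file entries copied from the list above, chosen to include a path containing spaces and a size-0 entry, which are the cases a naive split gets wrong); the regex names and the NoteIOCs type are the example's own.

```python
"""Parse a T1000 ransom note (CRYPTiNFO.TXT) into IOCs and the encrypted-file list.

Added example for this report; not code from the sample or the sandbox.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed excerpt of the CRYPTiNFO.TXT text shown in the report. The file
# list is cut down to five real entries from the report so the script stays
# short; a path with spaces and a size-0 entry are kept on purpose.
SAMPLE_NOTE = r"""
#################################################################################
############## You became victim of the .T1000 Ransomware-Virus C&C #############
#################################################################################
The harddisks of your computer have been encrypted with an military grade encryption algorithm TermCryptS7+RSA4096.
##HWID YOUR SYSTEM >> {56DD9D47-7BE5-8B82-389B91405260980C} > Required when paying
##Download the Tor Browser at >>> https://www.torproject.org <<<
##http://kwk62hefhey3zh4ki332d7uluww5oilm4c6t5tnhb4g5hrf7a2szvlqd.onion/index.php >>> For payment
##Amount to pay Bitcoin Exchangers for exchanging for cryptocurrency: >>> https://www.bestchange.net <<<
## Chat support: > http://kwk62hefhey3zh4ki332d7uluww5oilm4c6t5tnhb4g5hrf7a2szvlqd.onion/chat
## Jabber: > t1000rn@404.city FULL ONLINE<
## If you have any problems with TOR browser, TELEGRAM us: >> @t1000rn <<
############### LIST OF ENCRYPTED FILES #######################################
--------------------------------------------------------------------------------
C:\vcredist2010_x64.log.html 88496
C:\Users\Admin\ntuser.dat.LOG1 0
C:\Users\Admin\Searches\Indexed Locations.search-ms 248
C:\Recovery\590dd5e2-2d4f-11ec-8202-e2f59334bf81\Winre.wim 169213970
C:\Users\Admin\Favorites\Links for United States\USA.gov.url 134
"""

FAMILY_RE = re.compile(r"victim of the (\.\w+) Ransomware")
HWID_RE = re.compile(r"HWID YOUR SYSTEM\s*>>\s*(\{[0-9A-Fa-f-]+\})")
URL_RE = re.compile(r"https?://[^\s<>]+")
JABBER_RE = re.compile(r"Jabber:\s*>\s*(\S+@\S+)")
TELEGRAM_RE = re.compile(r"TELEGRAM us:\s*>>\s*(@\w+)")
FILE_LIST_RULE = "-" * 20  # the dashed rule separating the note body from the file list


@dataclass
class NoteIOCs:
    family: Optional[str] = None
    hwid: Optional[str] = None
    onion_urls: List[str] = field(default_factory=list)
    clearnet_urls: List[str] = field(default_factory=list)
    jabber: Optional[str] = None
    telegram: Optional[str] = None
    files: List[Tuple[str, int]] = field(default_factory=list)

    @property
    def onion_hosts(self) -> Set[str]:
        # "http://host/path" -> host; the host is what goes into a DNS/Tor block list
        return {u.split("/")[2] for u in self.onion_urls}

    @property
    def total_bytes(self) -> int:
        return sum(size for _, size in self.files)


def parse_note(text: str) -> NoteIOCs:
    iocs = NoteIOCs()
    in_file_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_file_list:
            # Entries are "<path> <size>". Paths may contain spaces, so split on the
            # last whitespace run only and accept the entry only if the tail is an integer.
            parts = line.rsplit(None, 1)
            if len(parts) == 2 and parts[1].isdigit():
                iocs.files.append((parts[0], int(parts[1])))
            continue
        if line.startswith(FILE_LIST_RULE):
            in_file_list = True
            continue
        if (m := FAMILY_RE.search(line)):
            iocs.family = m.group(1)
        if (m := HWID_RE.search(line)):
            iocs.hwid = m.group(1)
        if (m := JABBER_RE.search(line)):
            iocs.jabber = m.group(1)
        if (m := TELEGRAM_RE.search(line)):
            iocs.telegram = m.group(1)
        for url in URL_RE.findall(line):
            host = url.split("/")[2]
            (iocs.onion_urls if host.endswith(".onion") else iocs.clearnet_urls).append(url)
    return iocs


if __name__ == "__main__":
    result = parse_note(SAMPLE_NOTE)
    print("family:", result.family, "hwid:", result.hwid)
    print("onion hosts:", sorted(result.onion_hosts))
    print("contacts:", result.jabber, result.telegram)
    print(f"{len(result.files)} files listed, {result.total_bytes} bytes")
```

The clearnet URLs (torproject.org, bestchange.net) are kept separate from the .onion ones because only the latter are worth blocking; the HWID is per victim and is what support staff will be asked for, so it is the field to log alongside the host name when triaging a real incident.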
Emails

t1000rn@404.city

URLs

https://www.bestchange.net

http://kwk62hefhey3zh4ki332d7uluww5oilm4c6t5tnhb4g5hrf7a2szvlqd.onion/chat

Targets

    • Target

      SysLogsService.exe

    • Size

      7.7MB

    • MD5

      0b97fa8b682939e55df2bcfe3d17dba5

    • SHA1

      9d0101a59a1f705d55ab5acb0577ea9a967a6bab

    • SHA256

      ef7fefcb41d79c824c429819fbe73e6d0186c0586bc5f031debf553cd43edce4

    • SHA512

      1d4e414a9abd9b4f317f4ea37fc2a76ee8d3057b5079f654c142ef0b938433d0c52f8620526375eed4b9ac0adceda26484ebad9e63b7c4df5aef272d07620e68

    • DMA Locker

      Ransomware family with some advanced features, like encryption of unmapped network shares. This is the sandbox's family tag; the dropped note self-identifies as the ".T1000 Ransomware-Virus" and the network signatures below are BigLock CnC rules, so treat the family attribution as unconfirmed and pivot on the hashes and the .onion host instead.

    • suricata: ET MALWARE BigLock Ransomware CnC Activity (ext)

    • suricata: ET MALWARE BigLock Ransomware CnC Activity (gen)

    • suricata: ET MALWARE BigLock Ransomware CnC Activity (info)

    • suricata: ET MALWARE BigLock Ransomware CnC Activity (name)

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Modifies boot configuration data using bcdedit

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calling NtSetInformationThread with the ThreadHideFromDebugger class stops the thread from delivering debug events to an attached debugger, a common anti-debugging trick.
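Three of the behaviours above (shadow-copy deletion, System State backup deletion with wbadmin.exe, boot-configuration changes with bcdedit) are the recovery-inhibiting steps a process-creation detection should key on, and they are the ones that map to T1490 in the matrix that follows. The block below is an added example of that detection logic, not the sandbox's own signature code. The report does not show the sample's actual command lines, so the command-line forms the rules match are the canonical ones for those tools (an assumption), and the Sysmon-style events it runs over are constructed, using the page's SysLogsService.exe as the parent image.

```python
"""Flag Inhibit-System-Recovery (T1490) command lines in process-creation events.

Added example for this report; not the sandbox's own signature logic.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple


class Rule(NamedTuple):
    name: str
    technique: str
    pattern: re.Pattern


# The report says the sample deletes shadow copies, deletes System State backups
# with wbadmin.exe and modifies the BCD with bcdedit, but does not show the exact
# command lines. These patterns are the canonical forms of those actions
# (assumption, not taken from the report).
RULES: List[Rule] = [
    Rule("Deletes shadow copies (vssadmin)", "T1490",
         re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    Rule("Deletes shadow copies (wmic)", "T1490",
         re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    Rule("Deletes System State backups (wbadmin)", "T1490",
         re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup|backup)\b", re.I)),
    Rule("Disables Windows recovery (bcdedit)", "T1490",
         re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    Rule("Ignores boot failures (bcdedit)", "T1490",
         re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]


class Hit(NamedTuple):
    rule: str
    technique: str
    pid: int
    parent_image: str
    command_line: str


def normalize(cmd: str) -> str:
    """Strip quoting and collapse whitespace so '"vssadmin.exe"  delete shadows' still matches."""
    return re.sub(r"\s+", " ", cmd.replace('"', "")).strip()


def scan(events: Iterable[Dict[str, object]]) -> List[Hit]:
    """Run every rule over every event's command line; one Hit per (event, rule) match."""
    hits: List[Hit] = []
    for ev in events:
        cmd = normalize(str(ev["command_line"]))
        for rule in RULES:
            if rule.pattern.search(cmd):
                hits.append(Hit(rule.name, rule.technique, int(ev["pid"]),
                                str(ev["parent_image"]).lower(), cmd))
    return hits


def cluster_by_parent(hits: Iterable[Hit], min_rules: int = 2) -> Dict[str, List[str]]:
    """One parent triggering several distinct T1490 rules is the ransomware pattern;
    a single isolated hit may just be an administrator trimming shadow storage."""
    by_parent: Dict[str, set] = defaultdict(set)
    for h in hits:
        by_parent[h.parent_image].add(h.rule)
    return {p: sorted(r) for p, r in by_parent.items() if len(r) >= min_rules}


# Constructed Sysmon-style process-creation events (not from the report): four
# children of the sample's process name plus two benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Users\Admin\Desktop\SysLogsService.exe",
     "command_line": '"vssadmin.exe" delete shadows /all /quiet'},
    {"pid": 4136, "image": r"C:\Windows\System32\wbadmin.exe",
     "parent_image": r"C:\Users\Admin\Desktop\SysLogsService.exe",
     "command_line": "wbadmin.exe delete systemstatebackup -keepVersions:0 -quiet"},
    {"pid": 4150, "image": r"C:\Windows\System32\bcdedit.exe",
     "parent_image": r"C:\Users\Admin\Desktop\SysLogsService.exe",
     "command_line": "bcdedit.exe /set {default} recoveryenabled No"},
    {"pid": 4162, "image": r"C:\Windows\System32\bcdedit.exe",
     "parent_image": r"C:\Users\Admin\Desktop\SysLogsService.exe",
     "command_line": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 2208, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "vssadmin list shadows"},
    {"pid": 2230, "image": r"C:\Windows\System32\wbadmin.exe",
     "parent_image": r"C:\Windows\System32\mmc.exe",
     "command_line": "wbadmin start backup -backupTarget:E: -include:C: -quiet"},
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        print(f"{h.technique} {h.rule}: pid={h.pid} parent={h.parent_image} cmd={h.command_line}")
    for parent, rules in cluster_by_parent(found).items():
        print(f"ESCALATE {parent}: {len(rules)} distinct recovery-inhibiting actions")
```

The per-rule hits are the low-fidelity layer (backup software and administrators run some of these legitimately); the escalation is the parent-process cluster, which is what distinguishes a ransomware run from a one-off vssadmin invocation without needing the sample's hash.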

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                        Count  ID
  Execution          Command-Line Interface           1      T1059
  Defense Evasion    File Deletion                    3      T1107
  Defense Evasion    Virtualization/Sandbox Evasion   1      T1497
  Defense Evasion    Modify Registry                  1      T1112
  Credential Access  Credentials in Files             1      T1081
  Discovery          Query Registry                   3      T1012
  Discovery          Virtualization/Sandbox Evasion   1      T1497
  Discovery          System Information Discovery     4      T1082
  Discovery          Peripheral Device Discovery      1      T1120
  Collection         Data from Local System           1      T1005
  Impact             Inhibit System Recovery          4      T1490
