Analysis
-
max time kernel
129s -
max time network
132s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
08-12-2021 08:15
General
-
Target
software.exe
-
Size
3.2MB
-
MD5
9bb9bef710583acc0b74b42e9c244209
-
SHA1
ac0cb5474c2bd21263c3758aaff6420f7380f5b6
-
SHA256
15fea1662d7a85e4d95fd89e36b4f02dd6657045ea9f20301130a321994504c6
-
SHA512
aa630dec6a967b9bbbad8425ac8afee443f7e37dbf21fe761fd3a4a27f3b78efdd92b13fd14a3e8931045d803ec52f7b1276f6534bf6b07e8ab1a4e74340ae17
Score
10/10
Malware Config
Extracted
Path
C:\Decryption-Guide.txt
Ransom Note
Your Files Are Has Been Locked
Your Files Has Been Encrypted with cryptography Algorithm
If You Need Your Files And They are Important to You, Dont be shy Send Me an Email
Send Test File + The Key File on Your System (File Exist in C:/ProgramData example : RSAKEY-SE-24r6t523 pr RSAKEY.KEY) to Make Sure Your Files Can be Restored
Make an Agreement on Price with me and Pay
Get Decryption Tool + RSA Key AND Instruction For Decryption Process
Attention:
1- Do Not Rename or Modify The Files (You May loose That file)
2- Do Not Try To Use 3rd Party Apps or Recovery Tools ( if You want to do that make an copy from Files and try on them and Waste Your time )
3-Do not Reinstall Operation System(Windows) You may loose the key File and Loose Your Files
4-Do Not Always Trust to Middle mans and negotiators (some of them are good but some of them agree on 4000usd for example and Asked 10000usd From Client) this Was happened
Your Case ID :MJ-EA4823170659
OUR Email :wixawm@gmail.com
Emails
wixawm@gmail.com
Signatures
-
Drops file in Drivers directory 15 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 64 IoCs
-
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
NTFS ADS 10 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\software.exe"C:\Users\Admin\AppData\Local\Temp\software.exe"1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSDTC2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop MSDTC3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSDTC4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop SQLSERVERAGENT3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQLSERVER2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop MSSQLSERVER3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop vds2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop vds3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop vds4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLWriter2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop SQLWriter3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLBrowser2⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLBrowser3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQLSERVER2⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQLSERVER3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO12⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQL$CONTOSO13⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$CONTOSO14⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/60-123-0x0000000000000000-mapping.dmp
-
memory/348-120-0x0000000000000000-mapping.dmp
-
memory/496-133-0x0000000000000000-mapping.dmp
-
memory/660-125-0x0000000000000000-mapping.dmp
-
memory/692-146-0x0000000000000000-mapping.dmp
-
memory/1016-135-0x0000000000000000-mapping.dmp
-
memory/1116-132-0x0000000000000000-mapping.dmp
-
memory/1508-126-0x0000000000000000-mapping.dmp
-
memory/1568-130-0x0000000000000000-mapping.dmp
-
memory/1584-121-0x0000000000000000-mapping.dmp
-
memory/2060-140-0x0000000000000000-mapping.dmp
-
memory/2160-129-0x0000000000000000-mapping.dmp
-
memory/2216-148-0x0000000000000000-mapping.dmp
-
memory/2220-147-0x0000000000000000-mapping.dmp
-
memory/2252-138-0x0000000000000000-mapping.dmp
-
memory/2300-122-0x0000000000000000-mapping.dmp
-
memory/2372-142-0x0000000000000000-mapping.dmp
-
memory/2452-124-0x0000000000000000-mapping.dmp
-
memory/2708-131-0x0000000000000000-mapping.dmp
-
memory/2784-128-0x0000000000000000-mapping.dmp
-
memory/2936-144-0x0000000000000000-mapping.dmp
-
memory/3260-139-0x0000000000000000-mapping.dmp
-
memory/3348-143-0x0000000000000000-mapping.dmp
-
memory/3396-136-0x0000000000000000-mapping.dmp
-
memory/3404-141-0x0000000000000000-mapping.dmp
-
memory/3448-145-0x0000000000000000-mapping.dmp
-
memory/3468-134-0x0000000000000000-mapping.dmp
-
memory/3824-119-0x0000000000000000-mapping.dmp
-
memory/3872-118-0x0000000000000000-mapping.dmp
-
memory/4060-137-0x0000000000000000-mapping.dmp
-
memory/4064-127-0x0000000000000000-mapping.dmp