Analysis

max time kernel: 84s
max time network: 14s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12/12/2021, 13:16
Static task: static1

Behavioral task: behavioral1
  Sample: d25kYWttd2thZAo.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: d25kYWttd2thZAo.exe
  Resource: win10-en-20211208
General

Target: d25kYWttd2thZAo.exe
Size: 83KB
MD5: 7ade88674690aa74970c12608b23bb30
SHA1: 6522ee8ccc93ce3abec0a77a1732c15bb16a7ba0
SHA256: 6eeb20cc709a18bf8845f7b678967b7f0ff96475cf51a261da87244886bbfd2e
SHA512: 8849c9bfb8a7221c60ce1615e65e6af6c77739f1c5696a0d37ddcad374b8564e756373a20a27b5cb4f2c079b87111e26805bf857f22f57ce787f848a35522aca
Malware Config

Extracted: C:\restore_file.txt
https://tox.chat
https://www.xmpp.jp
https://xmpp.org/software/clients/
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (6 IoCs)
Ransomware generally changes the extension on encrypted files.
description   ioc   Process
File renamed   C:\Users\Admin\Pictures\InitializeProtect.crw => C:\Users\Admin\Pictures\InitializeProtect.crw.blue   d25kYWttd2thZAo.exe
File renamed   C:\Users\Admin\Pictures\InstallDisconnect.raw => C:\Users\Admin\Pictures\InstallDisconnect.raw.blue   d25kYWttd2thZAo.exe
File renamed   C:\Users\Admin\Pictures\RequestDisable.tif => C:\Users\Admin\Pictures\RequestDisable.tif.blue   d25kYWttd2thZAo.exe
File renamed   C:\Users\Admin\Pictures\SearchGrant.tif => C:\Users\Admin\Pictures\SearchGrant.tif.blue   d25kYWttd2thZAo.exe
File renamed   C:\Users\Admin\Pictures\SendComplete.png => C:\Users\Admin\Pictures\SendComplete.png.blue   d25kYWttd2thZAo.exe
File renamed   C:\Users\Admin\Pictures\ConvertFromStop.raw => C:\Users\Admin\Pictures\ConvertFromStop.raw.blue   d25kYWttd2thZAo.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description   ioc   Process
Set value (str)   \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bule Cryptor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d25kYWttd2thZAo.exe"   d25kYWttd2thZAo.exe
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Opens file in notepad (likely ransom note) (1 IoCs)
pid   Process
1900   NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
1532   d25kYWttd2thZAo.exe   (this same row is recorded 64 times)
Suspicious use of AdjustPrivilegeToken (43 IoCs)
description   pid   Process
Token: SeIncreaseQuotaPrivilege   268   WMIC.exe
Token: SeSecurityPrivilege   268   WMIC.exe
Token: SeTakeOwnershipPrivilege   268   WMIC.exe
Token: SeLoadDriverPrivilege   268   WMIC.exe
Token: SeSystemProfilePrivilege   268   WMIC.exe
Token: SeSystemtimePrivilege   268   WMIC.exe
Token: SeProfSingleProcessPrivilege   268   WMIC.exe
Token: SeIncBasePriorityPrivilege   268   WMIC.exe
Token: SeCreatePagefilePrivilege   268   WMIC.exe
Token: SeBackupPrivilege   268   WMIC.exe
Token: SeRestorePrivilege   268   WMIC.exe
Token: SeShutdownPrivilege   268   WMIC.exe
Token: SeDebugPrivilege   268   WMIC.exe
Token: SeSystemEnvironmentPrivilege   268   WMIC.exe
Token: SeRemoteShutdownPrivilege   268   WMIC.exe
Token: SeUndockPrivilege   268   WMIC.exe
Token: SeManageVolumePrivilege   268   WMIC.exe
Token: 33   268   WMIC.exe
Token: 34   268   WMIC.exe
Token: 35   268   WMIC.exe
Token: SeIncreaseQuotaPrivilege   268   WMIC.exe
Token: SeSecurityPrivilege   268   WMIC.exe
Token: SeTakeOwnershipPrivilege   268   WMIC.exe
Token: SeLoadDriverPrivilege   268   WMIC.exe
Token: SeSystemProfilePrivilege   268   WMIC.exe
Token: SeSystemtimePrivilege   268   WMIC.exe
Token: SeProfSingleProcessPrivilege   268   WMIC.exe
Token: SeIncBasePriorityPrivilege   268   WMIC.exe
Token: SeCreatePagefilePrivilege   268   WMIC.exe
Token: SeBackupPrivilege   268   WMIC.exe
Token: SeRestorePrivilege   268   WMIC.exe
Token: SeShutdownPrivilege   268   WMIC.exe
Token: SeDebugPrivilege   268   WMIC.exe
Token: SeSystemEnvironmentPrivilege   268   WMIC.exe
Token: SeRemoteShutdownPrivilege   268   WMIC.exe
Token: SeUndockPrivilege   268   WMIC.exe
Token: SeManageVolumePrivilege   268   WMIC.exe
Token: 33   268   WMIC.exe
Token: 34   268   WMIC.exe
Token: 35   268   WMIC.exe
Token: SeBackupPrivilege   1328   vssvc.exe
Token: SeRestorePrivilege   1328   vssvc.exe
Token: SeAuditPrivilege   1328   vssvc.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid   Process
1900   NOTEPAD.EXE
Suspicious use of WriteProcessMemory (8 IoCs)
description   pid   Process   procid_target
PID 1532 wrote to memory of 1776   1532   d25kYWttd2thZAo.exe   27
PID 1532 wrote to memory of 1776   1532   d25kYWttd2thZAo.exe   27
PID 1532 wrote to memory of 1776   1532   d25kYWttd2thZAo.exe   27
PID 1532 wrote to memory of 1776   1532   d25kYWttd2thZAo.exe   27
PID 1776 wrote to memory of 268   1776   cmd.exe   29
PID 1776 wrote to memory of 268   1776   cmd.exe   29
PID 1776 wrote to memory of 268   1776   cmd.exe   29
PID 1776 wrote to memory of 268   1776   cmd.exe   29
Processes

C:\Users\Admin\AppData\Local\Temp\d25kYWttd2thZAo.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d25kYWttd2thZAo.exe"
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1532

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C wmic SHADOWCOPY DELETE
      - Suspicious use of WriteProcessMemory
      PID: 1776

        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: wmic SHADOWCOPY DELETE
          - Suspicious use of AdjustPrivilegeToken
          PID: 268

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 1328

C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\restore_file.txt
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow
  PID: 1900