Overview

overview

10

Static

static

d25kYWttd2thZAo.exe

windows7_x64

10

d25kYWttd2thZAo.exe

windows10_x64

10

Analysis

  • max time kernel
    62s
  • max time network
    67s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    12/12/2021, 13:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d25kYWttd2thZAo.exe

  • Size

    83KB

  • MD5

    7ade88674690aa74970c12608b23bb30

  • SHA1

    6522ee8ccc93ce3abec0a77a1732c15bb16a7ba0

  • SHA256

    6eeb20cc709a18bf8845f7b678967b7f0ff96475cf51a261da87244886bbfd2e

  • SHA512

    8849c9bfb8a7221c60ce1615e65e6af6c77739f1c5696a0d37ddcad374b8564e756373a20a27b5cb4f2c079b87111e26805bf857f22f57ce787f848a35522aca

Score
10/10
persistenceransomware

Malware Config

Extracted

Path

C:\restore_file.txt

Ransom Note
------------------------------------------------------------------------------- ----------- [ Hello! ] -------------> ****BY BLUE LOCKER**** What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network. Follow our instructions below and you will recover all your data. If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. email us. How to contact us? ---------------------------------------------- You can choose one of them: email : [email protected] qtox : 24C0CF90893D73BE99427731EFBA1A11C015D574EC433EA44908B6B6F20FB34AF56622F8A4E8 (download client from https://tox.chat) jabber : [email protected] (download client from https://www.xmpp.jp or https://xmpp.org/software/clients/ ) !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!
URLs

https://tox.chat

https://www.xmpp.jp

https://xmpp.org/software/clients/

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d25kYWttd2thZAo.exe
    "C:\Users\Admin\AppData\Local\Temp\d25kYWttd2thZAo.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3672
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wmic SHADOWCOPY DELETE
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:428
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic SHADOWCOPY DELETE
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4244
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4332

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads