Analysis

  • max time kernel: 117s
  • max time network: 117s
  • platform: windows7_x64
  • resource: win7-en-20211208
  • submitted: 15-12-2021 06:21

General

  • Target: 63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85.exe
  • Size: 25KB
  • MD5: a22ca06bb3a58d4ca2bca856434b96f3
  • SHA1: 4a12e232b2442746334ef5d94fab4c3577b33de7
  • SHA256: 63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85
  • SHA512: e0f22e150d52b22a2033a4e9a8f99f2d17a2eb496d039b11ef217a94c711f51db4f5b07d941335ace99c10d824fc547494b2b3ee2458c8239853d4780fe283c1

Score: 10/10

Malware Config

Extracted

Path: C:\Help Restore Your Files.txt

Ransom Note
All of your files have been encrypted! The harddisks of your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special software Doydo. To purchase your key and restore your data, please follow these three easy: 1. The price for the software is $300 dollars USD. Payment can be made in Bitcoin only. 2. Bitcoin Address: 3JG36KY6abZTnHBdQCon1hheC3Wa2bdyqs 3. Once paid, send proof of payment: Email: recover300dollars@gmail.com You receive your key in 20 minutes: To make sure we have the decryptor and it works, you can send an email: recover300dollars@gmail.com and decrypt a file for free. But this file shouldn't be of any value! Warning: do not turn off your pc! If you abort this process, you could destroy all of your data! Please ensure that your power cable is plugged in!
Emails: recover300dollars@gmail.com

Wallets: 3JG36KY6abZTnHBdQCon1hheC3Wa2bdyqs

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85.exe
    "C:\Users\Admin\AppData\Local\Temp\63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:844
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1084
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1528
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:816

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: File Deletion (2 signatures) T1107
  • Discovery: Query Registry (1 signature) T1012
  • Discovery: Peripheral Device Discovery (1 signature) T1120
  • Discovery: System Information Discovery (2 signatures) T1082
  • Impact: Inhibit System Recovery (2 signatures) T1490

Downloads

  • memory/844-57-0x0000000000000000-mapping.dmp
  • memory/1084-58-0x0000000000000000-mapping.dmp
  • memory/1528-59-0x0000000000000000-mapping.dmp
  • memory/1612-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp (Filesize: 8KB)
  • memory/1748-56-0x0000000000000000-mapping.dmp