Resubmissions
20-01-2022 19:26
220120-x5jhrsbcdl 1017-01-2022 16:56
220117-vf67esbcd8 1017-01-2022 16:16
220117-tqyscsbedr 1009-12-2021 23:18
211209-299yqseee9 1Analysis
-
max time kernel
1203s -
max time network
756s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
17-01-2022 16:16
General
-
Target
3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
-
Size
2.2MB
-
MD5
aea5d3cced6725f37e2c3797735e6467
-
SHA1
087497940a41d96e4e907b6dc92f75f4a38d861a
-
SHA256
3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83
-
SHA512
5489753ae1c3ba0dbd3e0ce1b78b0ccba045e534e77fb87c80d56b16229f928c46a15721020142bbc6bd4d1ba5c295f4bec3596efa7b46c906889c156dadbd66
Score
10/10
Malware Config
Extracted
Path
\??\Z:\RECOVER-sykffle-FILES.txt
Ransom Note
>> Introduction
Important files on your system was ENCRYPTED and now they have have "sykffle" extension.
In order to recover your files you need to follow instructions below.
>> Sensitive Data
Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate.
Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Financial information including clients data, bills, budgets, annual reports, bank statements.
- Complete datagrams/schemas/drawings for manufacturing in solidworks format
- And more...
Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21
>> CAUTION
DO NOT MODIFY FILES YOURSELF.
DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.
YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.
YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY.
>> Recovery procedure
Follow these simple steps to get in touch and recover your data:
1) Download and install Tor Browser from: https://torproject.org/
2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=GfjBJOpvNRomDHpgsWFmQevkENCHPGoFVXNvOwZ5qtw6SKG8kCp%2FQXB0CKxe6xRLJeFStrmxxrCbQi69Lel21pyJ91hmeQKjk%2Ben10Sqh2b01bhXSjaFMUD0e5%2BXGhwxDwqQoRUyKT7vev%2BM9KxFzS8VnaZiT9nCM3z26ET%2Fd3GfFWYXI3ecK8mMbLKf1%2BWlmff363dOih4kRUyk8hEabXK3EYFMuN5cVuR%2FI3J8sLIeeDJ9DizQRIUd2lRlXAFjX0z6sIOWNrj0YJ7tdcSzU5t2y015GAfb3D4L0XlSBjONqAY%2BwKQqk6XQ3TonZw39LdyjfbJQcyfc6uxssBhoUA%3D%3D
URLs
http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21
http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=GfjBJOpvNRomDHpgsWFmQevkENCHPGoFVXNvOwZ5qtw6SKG8kCp%2FQXB0CKxe6xRLJeFStrmxxrCbQi69Lel21pyJ91hmeQKjk%2Ben10Sqh2b01bhXSjaFMUD0e5%2BXGhwxDwqQoRUyKT7vev%2BM9KxFzS8VnaZiT9nCM3z26ET%2Fd3GfFWYXI3ecK8mMbLKf1%2BWlmff363dOih4kRUyk8hEabXK3EYFMuN5cVuR%2FI3J8sLIeeDJ9DizQRIUd2lRlXAFjX0z6sIOWNrj0YJ7tdcSzU5t2y015GAfb3D4L0XlSBjONqAY%2BwKQqk6XQ3TonZw39LdyjfbJQcyfc6uxssBhoUA%3D%3D
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 13 IoCs
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Control Panel 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exeC:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe --help1⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exeC:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe --help2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exeC:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -help2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exeC:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -help2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exeC:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -help2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exeC:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -help2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exeC:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe --help2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exeC:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe --help2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exeC:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -help2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exeC:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -u2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exeC:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe --ui2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exeC:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -v2⤵
-
C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exeC:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe --version2⤵
-
C:\Users\Admin\AppData\Local\Temp\moo.exemoo -v2⤵
-
C:\Users\Admin\AppData\Local\Temp\moo.exemoo -h2⤵
-
C:\Users\Admin\AppData\Local\Temp\moo.exemoo --help2⤵
-
C:\Users\Admin\AppData\Local\Temp\moo.exemoo --ui2⤵
-
C:\Users\Admin\AppData\Local\Temp\moo.exemoo -V2⤵
-
C:\Users\Admin\AppData\Local\Temp\moo.exemoo -v -a monkeynuts2⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c "wmic csproduct get UUID"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get UUID4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c "fsutil behavior set SymlinkEvaluation R2L:1"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\fsutil.exefsutil behavior set SymlinkEvaluation R2L:14⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c "fsutil behavior set SymlinkEvaluation R2R:1"3⤵
-
C:\Windows\SysWOW64\fsutil.exefsutil behavior set SymlinkEvaluation R2R:14⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"3⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c "vssadmin.exe delete shadows /all /quiet"3⤵
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c "arp -a"3⤵
-
C:\Windows\SysWOW64\ARP.EXEarp -a4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c "vssadmin.exe delete shadows /all /quiet"3⤵
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\notepad.exe"C:\Windows\system32\notepad.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/684-124-0x0000000000000000-mapping.dmp
-
memory/936-129-0x0000000000000000-mapping.dmp
-
memory/1328-132-0x0000000000000000-mapping.dmp
-
memory/1336-130-0x0000000000000000-mapping.dmp
-
memory/1688-134-0x0000000000000000-mapping.dmp
-
memory/1776-119-0x0000000000000000-mapping.dmp
-
memory/1848-143-0x0000000000000000-mapping.dmp
-
memory/2012-131-0x0000000000000000-mapping.dmp
-
memory/2024-146-0x0000000000000000-mapping.dmp
-
memory/2044-140-0x0000000000000000-mapping.dmp
-
memory/2052-118-0x0000000000000000-mapping.dmp
-
memory/2064-116-0x0000000000000000-mapping.dmp
-
memory/2096-125-0x0000000000000000-mapping.dmp
-
memory/2220-137-0x0000000000000000-mapping.dmp
-
memory/2260-135-0x0000000000000000-mapping.dmp
-
memory/2488-139-0x0000000000000000-mapping.dmp
-
memory/2624-128-0x0000000000000000-mapping.dmp
-
memory/2708-133-0x0000000000000000-mapping.dmp
-
memory/2780-136-0x0000000000000000-mapping.dmp
-
memory/3032-142-0x0000000000000000-mapping.dmp
-
memory/3216-141-0x0000000000000000-mapping.dmp
-
memory/3380-121-0x0000000000000000-mapping.dmp
-
memory/3544-126-0x0000000000000000-mapping.dmp
-
memory/3576-145-0x0000000000000000-mapping.dmp
-
memory/3592-123-0x0000000000000000-mapping.dmp
-
memory/3628-138-0x0000000000000000-mapping.dmp
-
memory/3780-117-0x0000000000000000-mapping.dmp
-
memory/3784-144-0x0000000000000000-mapping.dmp
-
memory/3792-120-0x0000000000000000-mapping.dmp
-
memory/3948-115-0x0000000000000000-mapping.dmp
-
memory/3968-122-0x0000000000000000-mapping.dmp
-
memory/4088-127-0x0000000000000000-mapping.dmp