Resubmissions

  • 20-01-2022 19:26   220120-x5jhrsbcdl   score 10
  • 17-01-2022 16:56   220117-vf67esbcd8   score 10
  • 17-01-2022 16:16   220117-tqyscsbedr   score 10
  • 09-12-2021 23:18   211209-299yqseee9   score 1

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    17-01-2022 16:56

General

  • Target

    3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe

  • Size

    2.2MB

  • MD5

    aea5d3cced6725f37e2c3797735e6467

  • SHA1

    087497940a41d96e4e907b6dc92f75f4a38d861a

  • SHA256

    3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83

  • SHA512

    5489753ae1c3ba0dbd3e0ce1b78b0ccba045e534e77fb87c80d56b16229f928c46a15721020142bbc6bd4d1ba5c295f4bec3596efa7b46c906889c156dadbd66

Score
10/10

Malware Config

Extracted

Path

C:\RECOVER-sykffle-FILES.txt

Ransom Note

>> Introduction
Important files on your system was ENCRYPTED and now they have have "sykffle" extension. In order to recover your files you need to follow instructions below.

>> Sensitive Data
Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Financial information including clients data, bills, budgets, annual reports, bank statements.
- Complete datagrams/schemas/drawings for manufacturing in solidworks format
- And more...
Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21

>> CAUTION
DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY.

>> Recovery procedure
Follow these simple steps to get in touch and recover your data:
1) Download and install Tor Browser from: https://torproject.org/
2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=LWJr7bVcSMGcY5YdPVmFb0ZON%2BF7%2Bau322FPnwcE9LwdS6oF%2BqsTezNE%2BJ3CeIrVWP04sFKfZyDthKAU9FNF54clf32wnXRakIh6nUeIjJL4Gn%2FYPHs5cVfPKaMFdTRGKKFP1JWeQ2Fne7wWRfD0eCgmTAKCagsjtwAQMfzZJfV1wKtj%2BRVh87pyjXP%2BA1G7IBmjVgEbLP1dWQR4XdYwvaaM%2FE1ge51BV3MJEcg5rHmsnCK%2BFjqDeJR5sEbdckGW7cxZ1aVBMAScg8WU%2FI3uFbntzOvipK4%2BFofW0p81%2F23Ssz7qmAQuRCEYcLWT0nt87F%2Fq6HYV09Q9YoOjlrvPKw%3D%3D
URLs

http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21

http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=LWJr7bVcSMGcY5YdPVmFb0ZON%2BF7%2Bau322FPnwcE9LwdS6oF%2BqsTezNE%2BJ3CeIrVWP04sFKfZyDthKAU9FNF54clf32wnXRakIh6nUeIjJL4Gn%2FYPHs5cVfPKaMFdTRGKKFP1JWeQ2Fne7wWRfD0eCgmTAKCagsjtwAQMfzZJfV1wKtj%2BRVh87pyjXP%2BA1G7IBmjVgEbLP1dWQR4XdYwvaaM%2FE1ge51BV3MJEcg5rHmsnCK%2BFjqDeJR5sEbdckGW7cxZ1aVBMAScg8WU%2FI3uFbntzOvipK4%2BFofW0p81%2F23Ssz7qmAQuRCEYcLWT0nt87F%2Fq6HYV09Q9YoOjlrvPKw%3D%3D
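The extracted note carries the indicators a responder needs to pivot on: the appended extension (which also fixes the ransom-note file name, C:\RECOVER-sykffle-FILES.txt here), the two .onion hosts, and a per-victim access key. The following is an added example, not part of this report or of the sample, that pulls those fields out of a note of this shape. The note text is an excerpt of the one above with both URLs copied in full; the RECOVER-<ext>-FILES.txt naming is taken from the single path in this report and only assumed to hold for sibling samples.

```python
"""Extract victim-specific IoCs from an extracted ransom note (added example)."""
import re
from urllib.parse import unquote

# Constructed input: an excerpt of the note shown in the report.  The two .onion
# URLs are copied unchanged; the surrounding text is shortened with "...".
NOTE = (
    '>> Introduction Important files on your system was ENCRYPTED and now they '
    'have have "sykffle" extension. ... Private preview is published here: '
    'http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/'
    'b21e1fb6-ff88-425b-8339-3523179a1e3e/'
    '886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 '
    '>> Recovery procedure ... 2) Navigate to: '
    'http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/'
    '?access-key=LWJr7bVcSMGcY5YdPVmFb0ZON%2BF7%2Bau322FPnwcE9LwdS6oF%2BqsTezNE'
    '%2BJ3CeIrVWP04sFKfZyDthKAU9FNF54clf32wnXRakIh6nUeIjJL4Gn%2FYPHs5cVfPKaMFdTRG'
    'KKFP1JWeQ2Fne7wWRfD0eCgmTAKCagsjtwAQMfzZJfV1wKtj%2BRVh87pyjXP%2BA1G7IBmjVgEb'
    'LP1dWQR4XdYwvaaM%2FE1ge51BV3MJEcg5rHmsnCK%2BFjqDeJR5sEbdckGW7cxZ1aVBMAScg8WU'
    '%2FI3uFbntzOvipK4%2BFofW0p81%2F23Ssz7qmAQuRCEYcLWT0nt87F%2Fq6HYV09Q9YoOjlrvPKw'
    '%3D%3D'
)

# The note names the extension in quotes right before the word "extension".
EXT_RE = re.compile(r'"([A-Za-z0-9]+)"\s+extension')
# v3 onion services have a 56-character base32 host label.
ONION_RE = re.compile(r'https?://([a-z2-7]{56})\.onion\S*')
KEY_RE = re.compile(r'[?&]access-key=([^\s&]+)')
# Assumed naming pattern, generalised from the one path in the report.
NOTE_NAME_RE = re.compile(r'RECOVER-([A-Za-z0-9]+)-FILES\.txt$', re.I)


def extract_iocs(note):
    """Return the pivotable fields of a note: extension, note file name, hosts, URLs, key."""
    ext_match = EXT_RE.search(note)
    ext = ext_match.group(1) if ext_match else None
    onions = list(ONION_RE.finditer(note))
    key = KEY_RE.search(note)
    return {
        "extension": ext,
        # Assumption: the note file is named after the extension, as in this report.
        "note_filename": f"RECOVER-{ext}-FILES.txt" if ext else None,
        "onion_hosts": sorted({m.group(1) + ".onion" for m in onions}),
        "onion_urls": [m.group(0) for m in onions],
        # The key is percent-encoded in the URL; decode it once for matching/storage.
        "access_key": unquote(key.group(1)) if key else None,
    }


def note_extension_from_filename(path):
    """Reverse check for a file name seen on disk: recover the extension it encodes, else None."""
    m = NOTE_NAME_RE.search(path)
    return m.group(1) if m else None


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(NOTE), indent=2))
```

The decoded access key is a base64-looking blob that differs per victim, so it is an identifier for this intrusion rather than a family-wide indicator; the .onion hosts and the note-name pattern are the reusable ones.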

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 21 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe"
    1⤵
    PID:1504

  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:668

    • C:\Users\Admin\AppData\Local\Temp\woof.exe
      woof --ui
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1532

    • C:\Users\Admin\AppData\Local\Temp\woof.exe
      woof --UI
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:396

    • C:\Users\Admin\AppData\Local\Temp\woof.exe
      woof.exe -V
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1664

    • C:\Users\Admin\AppData\Local\Temp\woof.exe
      woof.exe --version
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1668

    • C:\Users\Admin\AppData\Local\Temp\woof.exe
      woof.exe -asdfadsfadsf
      2⤵
      • Modifies extensions of user files
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:240

      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c "wmic csproduct get UUID"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1164

        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic csproduct get UUID
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1372

      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c "fsutil behavior set SymlinkEvaluation R2L:1"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2016

        • C:\Windows\SysWOW64\fsutil.exe
          fsutil behavior set SymlinkEvaluation R2L:1
          4⤵
          PID:1560

      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c "fsutil behavior set SymlinkEvaluation R2R:1"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1748

        • C:\Windows\SysWOW64\fsutil.exe
          fsutil behavior set SymlinkEvaluation R2R:1
          4⤵
          PID:1588

      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
        3⤵
        PID:1920

        • C:\Windows\SysWOW64\reg.exe
          reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
          4⤵
          PID:980

      • C:\Windows\system32\cmd.exe
        "cmd" /c "vssadmin.exe delete shadows /all /quiet"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1736

        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1648

      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c "arp -a"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:808

        • C:\Windows\SysWOW64\ARP.EXE
          arp -a
          4⤵
          PID:1556

      • C:\Windows\system32\cmd.exe
        "cmd" /c "vssadmin.exe delete shadows /all /quiet"
        3⤵
        PID:1944

        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1340

  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1604

  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1628
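Every discovery, hardening-removal and shadow-copy command in the tree is a grandchild of one process (woof.exe, PID 240) behind a "cmd" /c wrapper, so a detection that only looks at vssadmin.exe in isolation loses the context that makes this a ransomware chain rather than a backup job. The following is an added detection example, not part of this report or of the sample: it replays process-creation events shaped like the tree above, fires on the four command lines the sample used, and credits each hit to the first ancestor that is not cmd.exe. The event fields (pid, ppid, image, cmdline) are an assumption modelled on Sysmon Event ID 1 / Windows Security 4688; the two PID 3000/3100 entries are a constructed benign contrast.

```python
"""Replay process-creation events and attribute the sample's command chain (added example)."""
import json
import re
from collections import defaultdict
from ntpath import basename

# Constructed events: PIDs, images and command lines copied from the report's process
# tree (a subset), plus an assumed benign explorer.exe -> "vssadmin list shadows" pair.
EVENTS = [
    {"pid": 668,  "ppid": 0,    "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 240,  "ppid": 668,  "image": r"C:\Users\Admin\AppData\Local\Temp\woof.exe",
     "cmdline": "woof.exe -asdfadsfadsf"},
    {"pid": 1164, "ppid": 240,  "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"cmd" /c "wmic csproduct get UUID"'},
    {"pid": 1372, "ppid": 1164, "image": r"C:\Windows\SysWOW64\Wbem\WMIC.exe",
     "cmdline": "wmic csproduct get UUID"},
    {"pid": 2016, "ppid": 240,  "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"cmd" /c "fsutil behavior set SymlinkEvaluation R2L:1"'},
    {"pid": 1560, "ppid": 2016, "image": r"C:\Windows\SysWOW64\fsutil.exe",
     "cmdline": "fsutil behavior set SymlinkEvaluation R2L:1"},
    {"pid": 1920, "ppid": 240,  "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"'},
    {"pid": 980,  "ppid": 1920, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r"reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"},
    {"pid": 1736, "ppid": 240,  "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": '"cmd" /c "vssadmin.exe delete shadows /all /quiet"'},
    {"pid": 1648, "ppid": 1736, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 808,  "ppid": 240,  "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": '"cmd" /c "arp -a"'},
    {"pid": 3000, "ppid": 0,    "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 3100, "ppid": 3000, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

# (rule name, command-line pattern, ATT&CK technique as listed in the report's matrix)
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I), "T1490"),
    # Lets the encryptor follow symlinks that point at remote shares; persisted in the registry.
    ("symlink_eval_remote",
     re.compile(r"\bfsutil(?:\.exe)?\s+behavior\s+set\s+SymlinkEvaluation\s+R2[LR]:1\b", re.I), "T1112"),
    # Raises the SMB server's outstanding-request limit before network encryption.
    ("smb_maxmpxct_raised",
     re.compile(r"\breg(?:\.exe)?\s+add\s+.*LanmanServer\\Parameters\b.*\bMaxMpxCt\b", re.I), "T1112"),
    ("machine_uuid_query",
     re.compile(r"\bwmic(?:\.exe)?\s+csproduct\s+get\s+UUID\b", re.I), "T1082"),
]


def scan(events):
    """One hit per (event, rule).  Both the cmd.exe wrapper and its child fire; that is intended."""
    return [{"pid": ev["pid"], "rule": name, "technique": technique}
            for ev in events for name, rx, technique in RULES if rx.search(ev["cmdline"])]


def origin_pid(pid, by_pid):
    """Nearest ancestor that is not a cmd.exe wrapper; the top of the known tree if none."""
    cur = pid
    while cur in by_pid:
        parent = by_pid.get(by_pid[cur]["ppid"])
        if parent is None:
            return cur
        if basename(parent["image"]).lower() != "cmd.exe":
            return parent["pid"]
        cur = parent["pid"]
    return cur


def summarize(events):
    """Group hits by originating process and decide whether they form the ransomware chain."""
    by_pid = {e["pid"]: e for e in events}
    per_origin = defaultdict(dict)                      # origin pid -> {rule: technique}
    for hit in scan(events):
        per_origin[origin_pid(hit["pid"], by_pid)][hit["rule"]] = hit["technique"]
    verdicts = {}
    for origin, rules in per_origin.items():
        verdicts[origin] = {
            "image": by_pid[origin]["image"] if origin in by_pid else None,
            "rules": sorted(rules),
            "techniques": sorted(set(rules.values())),
            # Shadow-copy deletion alongside any other change from the same parent is the
            # pre-encryption pattern; on its own it is also what backup tooling does.
            "ransomware_chain": "shadow_copy_deletion" in rules and len(rules) >= 2,
        }
    return verdicts


if __name__ == "__main__":
    print(json.dumps(summarize(EVENTS), indent=2))
```

Run against the constructed events, the only verdict is for PID 240 (woof.exe) with all four rules and ransomware_chain set; the explorer-launched "vssadmin list shadows" produces no hit, and "arp -a" is left as plain discovery noise rather than a rule, since it is far too common on its own.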

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion
  • File Deletion (T1107): 2
  • Modify Registry (T1112): 1

Discovery
  • Query Registry (T1012): 1
  • Peripheral Device Discovery (T1120): 1
  • System Information Discovery (T1082): 1

Impact
  • Inhibit System Recovery (T1490): 2
  • Defacement (T1491): 1


Downloads

  • memory/240-58-0x0000000000000000-mapping.dmp
  • memory/396-55-0x0000000000000000-mapping.dmp
  • memory/808-68-0x0000000000000000-mapping.dmp
  • memory/1164-59-0x0000000000000000-mapping.dmp
  • memory/1340-71-0x0000000000000000-mapping.dmp
  • memory/1372-60-0x0000000000000000-mapping.dmp
  • memory/1532-54-0x0000000000000000-mapping.dmp
  • memory/1556-69-0x0000000000000000-mapping.dmp
  • memory/1560-62-0x0000000000000000-mapping.dmp
  • memory/1588-64-0x0000000000000000-mapping.dmp
  • memory/1648-67-0x0000000000000000-mapping.dmp
  • memory/1664-56-0x0000000000000000-mapping.dmp
  • memory/1668-57-0x0000000000000000-mapping.dmp
  • memory/1736-65-0x0000000000000000-mapping.dmp
  • memory/1748-63-0x0000000000000000-mapping.dmp
  • memory/1920-66-0x0000000000000000-mapping.dmp
  • memory/1944-70-0x0000000000000000-mapping.dmp
  • memory/2016-61-0x0000000000000000-mapping.dmp