Resubmissions

20/01/2022, 19:26

220120-x5jhrsbcdl 10

17/01/2022, 16:56

220117-vf67esbcd8 10

17/01/2022, 16:16

220117-tqyscsbedr 10

09/12/2021, 23:18

211209-299yqseee9 1

Analysis

  • max time kernel
    614s
  • max time network
    613s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20/01/2022, 19:26

General

  • Target

    3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe

  • Size

    2.2MB

  • MD5

    aea5d3cced6725f37e2c3797735e6467

  • SHA1

    087497940a41d96e4e907b6dc92f75f4a38d861a

  • SHA256

    3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83

  • SHA512

    5489753ae1c3ba0dbd3e0ce1b78b0ccba045e534e77fb87c80d56b16229f928c46a15721020142bbc6bd4d1ba5c295f4bec3596efa7b46c906889c156dadbd66

Score
10/10

Malware Config

Extracted

Path

C:\RECOVER-sykffle-FILES.txt

Ransom Note
>> Introduction Important files on your system was ENCRYPTED and now they have have "sykffle" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=I2Bz00rK6fkXUoQuur4TTgimmKtGOY7E7vPSTRpLMtdcJORjeK56V2Ihp8exfrrQF0AwekitMld5dPD%2B5OoHEoHZ08%2FHwP3loiz0s3FfYW5HByxYyOJDiGWf%2Fni4GArvDFUB8S7tz9KNDdlACA5ocrQ6P%2FfKvWKojMNC8Kb%2BwDLAqTsD7vTsaIqcM7nbrB3NixH0XfbvT96ix56LoZfj7SM%2FTneVcDLe7uGxxP1Fk8vBbR586TX4rlkTITOSaWBHHFDokbXzuj1S9AMgfWRNB%2FJAlX0wWUe9LjoTbzrxQ1JzYy%2BhO8HMwQHbg9oYbeu%2Ft2PGmialmLXay6qmFtG0sw%3D%3D
URLs

http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21

http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=I2Bz00rK6fkXUoQuur4TTgimmKtGOY7E7vPSTRpLMtdcJORjeK56V2Ihp8exfrrQF0AwekitMld5dPD%2B5OoHEoHZ08%2FHwP3loiz0s3FfYW5HByxYyOJDiGWf%2Fni4GArvDFUB8S7tz9KNDdlACA5ocrQ6P%2FfKvWKojMNC8Kb%2BwDLAqTsD7vTsaIqcM7nbrB3NixH0XfbvT96ix56LoZfj7SM%2FTneVcDLe7uGxxP1Fk8vBbR586TX4rlkTITOSaWBHHFDokbXzuj1S9AMgfWRNB%2FJAlX0wWUe9LjoTbzrxQ1JzYy%2BhO8HMwQHbg9oYbeu%2Ft2PGmialmLXay6qmFtG0sw%3D%3D

Extracted

Path

C:\Users\Default\Desktop\RECOVER-sykffle-FILES.txt

Ransom Note
>> Introduction Important files on your system was ENCRYPTED and now they have have "sykffle" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=PuYbvuWqm82inTx%2BR30ukdymXFnJt5ik6Hg7z6tl%2BURykiNjZXqFnb0cJE7%2FUQf3wQddW5Omw9cjD8vt6w61RkTDZ08XcQKe4QikIKFqh5mQJNRZ8ZU%2F6mBcntlSdfVup1STyCgYT2a1%2B9RBetFcMG8tnJfAD6JewbD7q4AZVg%2BBDni4NF%2BVxCT9swjoesVRdX%2FtoEpD6UAkc%2Bt4urXr217P0vNTCihZV1bVznP3kSMRbZa%2BqNULSj8BqsHjXgudpCgcRrw%2FIkcmKFvtyJEUhRMRiQF2VL5kv%2FGO%2BjuoxmnR9yQR6iPdFkWL4r9Ib7GAMhkmMq2vuB4P88WtPREEvg%3D%3D
URLs

http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21

http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=PuYbvuWqm82inTx%2BR30ukdymXFnJt5ik6Hg7z6tl%2BURykiNjZXqFnb0cJE7%2FUQf3wQddW5Omw9cjD8vt6w61RkTDZ08XcQKe4QikIKFqh5mQJNRZ8ZU%2F6mBcntlSdfVup1STyCgYT2a1%2B9RBetFcMG8tnJfAD6JewbD7q4AZVg%2BBDni4NF%2BVxCT9swjoesVRdX%2FtoEpD6UAkc%2Bt4urXr217P0vNTCihZV1bVznP3kSMRbZa%2BqNULSj8BqsHjXgudpCgcRrw%2FIkcmKFvtyJEUhRMRiQF2VL5kv%2FGO%2BjuoxmnR9yQR6iPdFkWL4r9Ib7GAMhkmMq2vuB4P88WtPREEvg%3D%3D

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 19 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe"
    1⤵
    PID:1600

  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:568

    • C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
      3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:584

    • C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
      3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe --help
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1864

    • C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
      3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -a access_token -v -u
      2⤵
      • Modifies extensions of user files
      • Enumerates connected drives
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1584

      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c "wmic csproduct get UUID"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1628

        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic csproduct get UUID
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:836

      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c "fsutil behavior set SymlinkEvaluation R2L:1"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1952

        • C:\Windows\SysWOW64\fsutil.exe
          fsutil behavior set SymlinkEvaluation R2L:1
          4⤵
          PID:2020

      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c "fsutil behavior set SymlinkEvaluation R2R:1"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:776

        • C:\Windows\SysWOW64\fsutil.exe
          fsutil behavior set SymlinkEvaluation R2R:1
          4⤵
          PID:1956

      • C:\Windows\system32\cmd.exe
        "cmd" /c "vssadmin.exe delete shadows /all /quiet"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:920

        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1748

      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1796

        • C:\Windows\SysWOW64\reg.exe
          reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
          4⤵
          PID:1752

      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c "arp -a"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1664

        • C:\Windows\SysWOW64\ARP.EXE
          arp -a
          4⤵
          PID:1764

    • C:\Users\Admin\AppData\Local\Temp\3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe
      3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83.bin.exe -a access_token -v -u -l log.txt
      2⤵
      • Sets desktop wallpaper using registry
      • Modifies Control Panel
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:932

      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c "wmic csproduct get UUID"
        3⤵
        PID:1956

        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic csproduct get UUID
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1960

      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c "fsutil behavior set SymlinkEvaluation R2L:1"
        3⤵
        PID:1772

        • C:\Windows\SysWOW64\fsutil.exe
          fsutil behavior set SymlinkEvaluation R2L:1
          4⤵
          PID:212

      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c "fsutil behavior set SymlinkEvaluation R2R:1"
        3⤵
        PID:220

        • C:\Windows\SysWOW64\fsutil.exe
          fsutil behavior set SymlinkEvaluation R2R:1
          4⤵
          PID:1308

      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
        3⤵
        PID:1616

        • C:\Windows\SysWOW64\reg.exe
          reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
          4⤵
          PID:1504

      • C:\Windows\system32\cmd.exe
        "cmd" /c "vssadmin.exe delete shadows /all /quiet"
        3⤵
        PID:1748

        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1572

      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c "arp -a"
        3⤵
        PID:1992

        • C:\Windows\SysWOW64\ARP.EXE
          arp -a
          4⤵
          PID:548

      • C:\Windows\system32\cmd.exe
        "cmd" /c "vssadmin.exe delete shadows /all /quiet"
        3⤵
        PID:1316

        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1768

  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1700

  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:304

  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1700

  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:1860

  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4f4
    1⤵
    PID:216

  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\log.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1252

  • C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\Admin\AppData\Local\Temp\log.txt"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1544

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1544-120-0x00000000020B0000-0x00000000020B1000-memory.dmp

    Filesize

    4KB

  • memory/1700-117-0x000007FEFB611000-0x000007FEFB613000-memory.dmp

    Filesize

    8KB