Analysis
- max time kernel: 160s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-01-2022 00:56
- Static task: static1
- Behavioral task: behavioral1
  Sample: d7197385b0c0974393b22c837e9a41f052a3b5e8f0b320ebd13182b22275d678.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: d7197385b0c0974393b22c837e9a41f052a3b5e8f0b320ebd13182b22275d678.exe
  Resource: win10-en-20211208
The resource listed above (win10-en-20211208) matches behavioral2, so the signatures and process tree below belong to that run, not to the win7 run.
General
- Target: d7197385b0c0974393b22c837e9a41f052a3b5e8f0b320ebd13182b22275d678.exe
- Size: 122KB
- MD5: f821ddcd4fbd0eb32c5094c4286aee26
- SHA1: 6e0db38384f435d7a44589d44b46c65496d8fb29
- SHA256: d7197385b0c0974393b22c837e9a41f052a3b5e8f0b320ebd13182b22275d678
- SHA512: 9be155c9fa4903950b755821384ec6f813b8c8a5893c866bcbcf394cca17b5896878e6fa6998b8b8d923e275c9c15d8fabad3d1b10940db6b802a040cd5a33a0
Malware Config
Extracted
- Note: C:\c7c8z82m-readme.txt
- URLs:
  http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C24134F515F41C55
  http://decoder.re/C24134F515F41C55
The note's file name carries the same random token (c7c8z82m) that the sample appends to the files it encrypts (see the file-rename IoCs below), and both URLs end in the same victim-specific path (C24134F515F41C55). Treat the token, the "<token>-readme.txt" name and the URL path as indicators for this infection only; they are generated per victim and will differ on other hosts. The decoder.re / aplebzu47...onion pair is the payment portal used by the Sodinokibi/REvil family.
Signatures
- Modifies Windows Firewall (1 TTP)
  No IoC rows are attached to this signature; the evidence is the child process netsh.exe (PID 1352) and its command line, listed under Processes below.
- Modifies extensions of user files (5 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: d7197385b0c0974393b22c837e9a41f052a3b5e8f0b320ebd13182b22275d678.exe
  File renamed: C:\Users\Admin\Pictures\ExpandInstall.png => \??\c:\users\admin\pictures\ExpandInstall.png.c7c8z82m
  File renamed: C:\Users\Admin\Pictures\ExpandReceive.raw => \??\c:\users\admin\pictures\ExpandReceive.raw.c7c8z82m
  File renamed: C:\Users\Admin\Pictures\UnlockCompress.crw => \??\c:\users\admin\pictures\UnlockCompress.crw.c7c8z82m
  File renamed: C:\Users\Admin\Pictures\CompareReset.tif => \??\c:\users\admin\pictures\CompareReset.tif.c7c8z82m
  File renamed: C:\Users\Admin\Pictures\DenyRegister.crw => \??\c:\users\admin\pictures\DenyRegister.crw.c7c8z82m
  Every rename keeps the original name and appends ".c7c8z82m"; the original extension is left in place, which is the pattern to key on when hunting for further encrypted files.
- Enumerates connected drives (3 TTPs, 25 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process: d7197385b0c0974393b22c837e9a41f052a3b5e8f0b320ebd13182b22275d678.exe
  File opened (read-only), 25 drive roots, every letter except C: (listed here in alphabetical order):
  \??\A: \??\B: \??\D: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N:
  \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
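The two filesystem signatures above (a random extension appended to user files, plus read-only opens of every drive root) and the note file from the extracted config can be correlated on a host into one verdict. The following is an added example and is not part of the sandbox report or of any vendor tooling: the event list is constructed from the IoC rows above plus two benign control processes (explorer.exe and backup.exe, invented for contrast), and the (pid, image, action, detail) event shape and the thresholds are this example's own assumptions.

```python
"""Correlate file renames, note drops and drive-root opens into a ransomware verdict.

Added example, not part of the sandbox report. Event shape and thresholds are
assumptions; the IoC values are the ones the report lists.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "d7197385b0c0974393b22c837e9a41f052a3b5e8f0b320ebd13182b22275d678.exe"
NT_PREFIX = "\\??\\"                                  # object-manager prefix the sandbox prints
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Za-z]):$")      # "\??\X:" and nothing else
APPENDED_EXT = re.compile(r"[a-z0-9]{5,10}")           # random-looking suffix; the count matters more

# Constructed events modelled on the report's IoC rows: (pid, image, action, detail).
# A 'rename' detail is "<old> => <new>", exactly as the report prints it.
EVENTS = [
    (2420, SAMPLE, "rename", r"C:\Users\Admin\Pictures\ExpandInstall.png => \??\c:\users\admin\pictures\ExpandInstall.png.c7c8z82m"),
    (2420, SAMPLE, "rename", r"C:\Users\Admin\Pictures\ExpandReceive.raw => \??\c:\users\admin\pictures\ExpandReceive.raw.c7c8z82m"),
    (2420, SAMPLE, "rename", r"C:\Users\Admin\Pictures\UnlockCompress.crw => \??\c:\users\admin\pictures\UnlockCompress.crw.c7c8z82m"),
    (2420, SAMPLE, "rename", r"C:\Users\Admin\Pictures\CompareReset.tif => \??\c:\users\admin\pictures\CompareReset.tif.c7c8z82m"),
    (2420, SAMPLE, "rename", r"C:\Users\Admin\Pictures\DenyRegister.crw => \??\c:\users\admin\pictures\DenyRegister.crw.c7c8z82m"),
    (2420, SAMPLE, "create", r"\??\c:\program files\c7c8z82m-readme.txt"),
    # Benign controls (constructed): a user renaming a document does not append a
    # suffix, and a backup tool touching two drives is not a drive sweep.
    (5555, "explorer.exe", "rename", r"C:\Users\Admin\Documents\draft.docx => C:\Users\Admin\Documents\draft-final.docx"),
    (6666, "backup.exe", "open_ro", NT_PREFIX + "D:"),
    (6666, "backup.exe", "open_ro", NT_PREFIX + "E:"),
]
# The report lists a read-only open of every drive root except C:.
EVENTS += [(2420, SAMPLE, "open_ro", NT_PREFIX + letter + ":") for letter in "ABDEFGHIJKLMNOPQRSTUVWXYZ"]


def normalize(path):
    """Strip the NT prefix and lower-case so NT and Win32 spellings compare equal."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path.lower()


def appended_extension(old, new):
    """Return the suffix appended to an otherwise unchanged name in the same directory, else None."""
    old_dir, _, old_base = normalize(old).rpartition("\\")
    new_dir, _, new_base = normalize(new).rpartition("\\")
    if old_dir != new_dir or not new_base.startswith(old_base + "."):
        return None
    ext = new_base[len(old_base) + 1:]
    return ext if APPENDED_EXT.fullmatch(ext) else None


def analyze(events, min_renames=3, min_drives=5):
    """Per-PID correlation: one appended suffix on several files, a note named after
    that suffix, and a sweep of drive roots. Returns a verdict dict per PID."""
    ext_counts = defaultdict(Counter)
    drives = defaultdict(set)
    created = defaultdict(set)
    seen = set()
    for pid, _image, action, detail in events:
        seen.add(pid)
        if action == "rename" and " => " in detail:
            old, new = detail.split(" => ", 1)
            ext = appended_extension(old, new)
            if ext:
                ext_counts[pid][ext] += 1
        elif action == "open_ro":
            m = DRIVE_ROOT.match(detail)
            if m:
                drives[pid].add(m.group(1).upper())
        elif action == "create":
            created[pid].add(normalize(detail).rpartition("\\")[2])

    verdicts = {}
    for pid in seen:
        ext, n = (ext_counts[pid].most_common(1) or [(None, 0)])[0]
        note = ext is not None and any(name.startswith(ext + "-") for name in created[pid])
        verdicts[pid] = {
            "extension": ext,
            "renames": n,
            "drives": len(drives[pid]),
            "note": note,
            "ransomware": n >= min_renames and (note or len(drives[pid]) >= min_drives),
        }
    return verdicts


if __name__ == "__main__":
    for pid, verdict in sorted(analyze(EVENTS).items()):
        print(pid, verdict)
```

The rename check deliberately requires the directory and the original base name (extension included) to survive, because that is what the five rows above show; a tool that replaces the extension instead of appending one would need a second rule. The drive-root count is the weaker signal on its own (backup and indexing software opens roots too), which is why it only contributes when an appended suffix is already present.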
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Process: d7197385b0c0974393b22c837e9a41f052a3b5e8f0b320ebd13182b22275d678.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\903624185s03.bmp"
- Drops file in Program Files directory (14 IoCs)
  Process: d7197385b0c0974393b22c837e9a41f052a3b5e8f0b320ebd13182b22275d678.exe
  File opened for modification: \??\c:\program files\DisableComplete.odt
  File opened for modification: \??\c:\program files\ExitResolve.rtf
  File opened for modification: \??\c:\program files\RenameSave.mp2
  File opened for modification: \??\c:\program files\StepClear.easmx
  File opened for modification: \??\c:\program files\InstallSplit.wdp
  File opened for modification: \??\c:\program files\UnregisterSet.ps1xml
  File created: \??\c:\program files\tmp
  File created: \??\c:\program files (x86)\c7c8z82m-readme.txt
  File opened for modification: \??\c:\program files\CheckpointRestore.3gp
  File opened for modification: \??\c:\program files\WatchSubmit.ppsx
  File created: \??\c:\program files\c7c8z82m-readme.txt
  File created: \??\c:\program files (x86)\tmp
  File opened for modification: \??\c:\program files\LimitHide.gif
  File opened for modification: \??\c:\program files\UnprotectMerge.mhtml
- Drops file in Windows directory (13 IoCs)
  Process: netsh.exe
  File created: C:\Windows\rescache\_merged\4272278488\30062976.pri
  File created: C:\Windows\rescache\_merged\1601268389\1361672858.pri
  File created: C:\Windows\rescache\_merged\4183903823\97717462.pri
  File created: C:\Windows\rescache\_merged\1476457207\3533431084.pri
  File created: C:\Windows\rescache\_merged\2878165772\1123312451.pri
  File created: C:\Windows\rescache\_merged\81479705\3092222186.pri
  File created: C:\Windows\rescache\_merged\2483382631\828754195.pri
  File created: C:\Windows\rescache\_merged\3418783148\3128450559.pri
  File created: C:\Windows\rescache\_merged\4185669309\1202008662.pri
  File created: C:\Windows\rescache\_merged\1974107395\4149693858.pri
  File created: C:\Windows\rescache\_merged\1301087654\4010849688.pri
  File created: C:\Windows\rescache\_merged\3623239459\11870838.pri
  File created: C:\Windows\rescache\_merged\423379043\3468251582.pri
  These .pri files under C:\Windows\rescache\_merged are Windows resource-cache output written as a side effect of running netsh.exe; they are not attacker-authored content and should not be carried forward as IoCs.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 2420 d7197385b0c0974393b22c837e9a41f052a3b5e8f0b320ebd13182b22275d678.exe (10 events, all from the same process)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  pid 2420 d7197385b0c0974393b22c837e9a41f052a3b5e8f0b320ebd13182b22275d678.exe: SeDebugPrivilege, SeTakeOwnershipPrivilege
  pid 1300 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  The sample's pair (SeDebugPrivilege to reach other processes, SeTakeOwnershipPrivilege to take files it cannot otherwise write) is the meaningful entry. The vssvc.exe privileges are normal for the Volume Shadow Copy service; its appearance in this run is consistent with shadow-copy interaction, but the report shows no command that triggered it, so do not infer shadow-copy deletion from this row alone.
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2420 d7197385b0c0974393b22c837e9a41f052a3b5e8f0b320ebd13182b22275d678.exe wrote to memory of PID 1352 netsh.exe (3 events)
  Three writes from a parent into a child it has just created are consistent with ordinary process creation (the parent supplying the new process's startup data) rather than code injection; the useful fact here is the parent-child pair, which ties the firewall change to the sample.
Processes
- C:\Users\Admin\AppData\Local\Temp\d7197385b0c0974393b22c837e9a41f052a3b5e8f0b320ebd13182b22275d678.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d7197385b0c0974393b22c837e9a41f052a3b5e8f0b320ebd13182b22275d678.exe"
  PID: 2420
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\netsh.exe
    Command line: netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
    PID: 1352
    - Drops file in Windows directory
    netsh.exe is loaded from SysWOW64, so the sample runs as a 32-bit process. The command enables the whole "Network Discovery" firewall rule group (the inbound NetBIOS, LLMNR, SSDP and WSD rules), which is the action behind the "Modifies Windows Firewall" signature above.
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 2876
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1300
  - Suspicious use of AdjustPrivilegeToken
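The process tree, the privilege rows and the wallpaper registry write are the other half of the picture: a parent that takes SeDebugPrivilege and SeTakeOwnershipPrivilege, rewrites the wallpaper to a bitmap in a temp directory, and spawns netsh.exe to enable a firewall rule group. The following is an added example, not part of the sandbox report or any vendor tooling: the events are constructed from the rows above plus one benign control (a cmd.exe console, invented for contrast, running the same netsh command), and the event shape, the flag names and the "two or more flags" threshold are this example's assumptions.

```python
"""Correlate token privileges, a wallpaper registry write and a netsh child into a per-PID verdict.

Added example, not part of the sandbox report. Event shape, flag names and the
threshold are assumptions; the command line, key path and privilege names are
the ones the report lists.
"""
import re
from collections import defaultdict

SAMPLE = "d7197385b0c0974393b22c837e9a41f052a3b5e8f0b320ebd13182b22275d678.exe"

# Constructed events mirroring the process tree and signature rows:
# (pid, image, kind, detail). A 'spawn' detail is (child_pid, child_image, command line);
# a 'regset' detail is "<key>\<value name>=<data>".
EVENTS = [
    (2420, SAMPLE, "token", "SeDebugPrivilege"),
    (2420, SAMPLE, "token", "SeTakeOwnershipPrivilege"),
    (2420, SAMPLE, "regset",
     r"HKU\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper"
     r"=C:\Users\Admin\AppData\Local\Temp\903624185s03.bmp"),
    (2420, SAMPLE, "spawn",
     (1352, r"C:\Windows\SysWOW64\netsh.exe",
      'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes')),
    (1300, "vssvc.exe", "token", "SeBackupPrivilege"),
    (1300, "vssvc.exe", "token", "SeRestorePrivilege"),
    # Benign control (constructed): an administrator enabling the same group from a console.
    (7777, "cmd.exe", "spawn",
     (7778, r"C:\Windows\System32\netsh.exe",
      'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes')),
]

# Matches the 'set rule' form netsh uses for enabling or disabling rules by name or group.
NETSH_RULE = re.compile(
    r'advfirewall\s+firewall\s+set\s+rule\s+(group|name)="?([^"]+?)"?\s+new\s+enable=(yes|no)',
    re.IGNORECASE)
WALLPAPER_SUFFIX = "\\control panel\\desktop\\wallpaper"


def parse_netsh_firewall(cmdline):
    """Return {selector, target, enable} for a 'netsh advfirewall firewall set rule' line, else None."""
    m = NETSH_RULE.search(cmdline)
    if not m:
        return None
    return {"selector": m.group(1).lower(), "target": m.group(2), "enable": m.group(3).lower() == "yes"}


def wallpaper_from_temp(data):
    """True for a bitmap under a temp directory, the placement the report shows for the note image."""
    p = data.lower()
    return p.endswith(".bmp") and ("\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p)


def assess(events):
    """Per-PID flags; two or more together are treated as ransomware-like."""
    tokens = defaultdict(set)
    flags = defaultdict(set)
    images = {}
    for pid, image, kind, detail in events:
        images[pid] = image
        _ = flags[pid]  # register the pid so it gets a verdict even with no flags
        if kind == "token":
            tokens[pid].add(detail)
        elif kind == "regset":
            key, _, data = detail.partition("=")
            if key.lower().endswith(WALLPAPER_SUFFIX) and wallpaper_from_temp(data):
                flags[pid].add("wallpaper_from_temp")
        elif kind == "spawn":
            _, child_image, cmdline = detail
            rule = parse_netsh_firewall(cmdline)
            if child_image.lower().endswith("\\netsh.exe") and rule and rule["enable"]:
                flags[pid].add("firewall_rule_group_enabled")
    for pid, privs in tokens.items():
        # Debug plus take-ownership on one token is the sample's pair; backup/restore
        # alone (vssvc.exe) is the service's normal working set and is not flagged.
        if {"SeDebugPrivilege", "SeTakeOwnershipPrivilege"} <= privs:
            flags[pid].add("debug_and_takeownership")
    return {pid: {"image": images[pid], "flags": sorted(flags[pid]), "suspicious": len(flags[pid]) >= 2}
            for pid in flags}


if __name__ == "__main__":
    for pid, verdict in sorted(assess(EVENTS).items()):
        print(pid, verdict)
```

The netsh parser is the reusable piece: the same `set rule ... new enable=` form is what an administrator types, so the firewall change by itself only earns one flag, and the constructed cmd.exe control comes out clean. The verdict turns on the combination with the privilege pair and the temp-directory wallpaper, both of which the report attributes to the same PID.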