Analysis
-
max time kernel
173s -
max time network
185s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
28-01-2022 03:19
General
-
Target
9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe
-
Size
73KB
-
MD5
1c021f42e3a138060e1d298726d1579f
-
SHA1
54e3384fb68fde6fc711491e8072781e3910156a
-
SHA256
9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c
-
SHA512
5ee344d17b5e9a2285258b8e16253263ebb856167b36e7679e602c041c2320c10a7182a7cb5c14f59fe3117a981e96fdff6fa7dc2c2194e90a6f659de143c101
Score
10/10
Malware Config
Extracted
Path
C:\odt\How_to_recovery.txt
Ransom Note
F5721E1E5D0B5A60998168818C573450D28684A7CC0E357AC5FEAE6DDF4AD54D
3055C38B717593BF62BC17B4C353AAC119047C989B5395EEDFF838482715B665
3415C4B517FE72C0D8A29074F670655D9E8A99534632515D5059F066C6D7D9B4
72C83493CE02A5A1013FAB5A0C8E71705EE05FF91BE2D8C63DCA7CF23F8B7F88
DFB579467D960A9458134C9871EB328F54D93397857CA3517E2503D307E98C4D
9431EE5883CC3ABA12C676B558B517C332A3F2A16BC8CE736152E597EC4EA6EA
85F23D6F47E43761B33072C07258025650F596E221423F89A6CA19F556F1B172
F7FD2DFDBD697DC03242B2A4C7ACEF9BEDB336324086B72ABC299E89E39828E7
0CE2CD7E6D9900C0F96DE824EEDB0D12B2999813991DD15E03275DD0070F3810
6B5D0B0E5E6910E6B851FDF69AF50E233276FF3487B2A96CEEC3C11DC44A0454
6EE82BE48679C136B82DC21C50FBD5F3DC5E5F585CA5DBE783D8798E0697DC1D
41D8E369496110B1F7F982724C14B82C41626F2F63C1A4144D86688FB46EA25C
D87E0B936A7B93E324BE74470BCCED6EB7B631F503A2776F09841B85573FFD3A
A9D978B8CCCC3FA24B545CF91C4CD0E4F12E9B2B5ED57E5274BBEF6F8EB792FB
150AE3EBB31B154C2FC0708089DB69DA979AFFE7F3AAF649AEA7DC2B87726DB0
9F402A0F53EDFE8EE00CB80DC8FDB96898F3303092DAF69CC347A63C9AAB26B6
939EEE725164548C7A18C8F0CEFE24C35CEAD344D700AF467FBD50BBB3304924
03F5E54DB7B652E350E5E512A1C1D97984E326F3A2A1B42EE2C0CB5A04C03E0D
00B62F8F3842E935FA7703AC9ACAC10B3D750158018D08E8FB6C7F2D93A087BC
EAB387099C9A62A351304341182AD077C8222E7FDB4CD18FA492BE8E73F77310
330B18B7F930656EBBB779DD8021AA5CE3BECC753648EA7EE8BEFC66CCC2ED3D
43CAD24B9664D5452B1A9E3FFEDA4F2320870C1E118BD19CD8C0063ACDB0EB33
D91D638BF93127E9E541E9CA366A40A87277F905BD47A4C30428294F32871645
C48DEAD7D94051EE9C3C8948E45675D31A3E4D9A6F4EDBFE0976B01348EBC16B
E1C24D006574C3881E8D4D094E76B1056A8470FABA90AF89871E54D5D8E28C62
92318AD6F1841801C9
Contact us for price and get decryption software.
Note that this server is available via Tor browser only Follow the instructions to open the link:
qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.
3. Now you have Tor browser. In the Tor Browser open qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
4. Start a chat and follow the further instructions.
If you can not use the above link, use the email:
ithelp02@decorous.cyou
ithelp02@wholeness.business
* To contact us, create a new free email account on the site: protonmail.com
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.
���������������
Emails
ithelp02@decorous.cyou
ithelp02@wholeness.business
URLs
http://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 29 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe"C:\Users\Admin\AppData\Local\Temp\9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" cd %userprofile%\documents\ attrib Default.rdp -s -h del Default.rdp for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" cd %userprofile%\documents\ attrib Default.rdp -s -h del Default.rdp for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9c73dc281f90a01ff3c8013c297a76319b77f24360de3ee1623a4356126d796c.exe > nul2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken