Overview

overview

10

Static

static

e8c6741d3d...16.exe

windows7_x64

10

e8c6741d3d...16.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    166s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    05-02-2022 21:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16.exe

  • Size

    112KB

  • MD5

    9a7f87c91bf7e602055a5503e80e2313

  • SHA1

    193f407a2f0c7e1eaa65c54cd9115c418881de42

  • SHA256

    e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16

  • SHA512

    d798b435a92b45ffcd747316f6080d787309a7bcedeb87e2677d57220a83db73f16edb5ddcc69c869c278e969c0391fa19663a29fb2a8c3949e6ecf980bca08d

Score
10/10
discoverypersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\# DECRYPT MY FILES #.txt

Ransom Note
C E R B E R ----------- Your documents, photos, databases and other important files have been encrypted! To decrypt your files follow the instructions: --------------------------------------------------------------------------------------- 1. Download and install the "Tor Browser" from https://www.torproject.org/ 2. Run it 3. In the "Tor Browser" open website: http://decrypttozxybarc.onion/4D00-C7F9-E141-0006-4699 4. Follow the instructions at this website --------------------------------------------------------------------------------------- �...Quod me non necat me fortiorem facit.�
URLs

http://decrypttozxybarc.onion/4D00-C7F9-E141-0006-4699

Signatures

  • Adds policy Run key to start application 2 TTPs 6 IoCs
    persistence
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Control Panel 12 IoCs
    evasion
  • Modifies data under HKEY_USERS 45 IoCs
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16.exe
    "C:\Users\Admin\AppData\Local\Temp\e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe
      "C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:788
      • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe
        "C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe" -watchdog
        3⤵
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies Control Panel
        • Suspicious use of AdjustPrivilegeToken
        PID:3444
      • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe
        "C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe" -stat 82
        3⤵
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies Control Panel
        • Suspicious use of AdjustPrivilegeToken
        PID:3864
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
          PID:396
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          3⤵
          • Enumerates system info in registry
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3740
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdf4d946f8,0x7ffdf4d94708,0x7ffdf4d94718
            4⤵
              PID:556
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,7243881755203823882,8208547225666045346,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
              4⤵
                PID:2796
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,7243881755203823882,8208547225666045346,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
                4⤵
                  PID:3512
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,7243881755203823882,8208547225666045346,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
                  4⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2900
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7243881755203823882,8208547225666045346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
                  4⤵
                    PID:2484
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7243881755203823882,8208547225666045346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
                    4⤵
                      PID:1800
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2216,7243881755203823882,8208547225666045346,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5112 /prefetch:8
                      4⤵
                        PID:644
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
                      3⤵
                        PID:2912
                      • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe
                        "C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe" -stat 82
                        3⤵
                        • Adds policy Run key to start application
                        • Executes dropped EXE
                        • Adds Run key to start application
                        • Modifies Control Panel
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3140
                      • C:\Windows\system32\cmd.exe
                        /d /c taskkill /t /f /im "TSTheme.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe" > NUL
                        3⤵
                          PID:1464
                          • C:\Windows\system32\taskkill.exe
                            taskkill /t /f /im "TSTheme.exe"
                            4⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1292
                          • C:\Windows\system32\PING.EXE
                            ping -n 1 127.0.0.1
                            4⤵
                            • Runs ping.exe
                            PID:332
                      • C:\Windows\SysWOW64\cmd.exe
                        /d /c taskkill /t /f /im "e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16.exe" > NUL
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:64
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /t /f /im "e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16.exe"
                          3⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1548
                        • C:\Windows\SysWOW64\PING.EXE
                          ping -n 1 127.0.0.1
                          3⤵
                          • Runs ping.exe
                          PID:2728
                    • C:\Windows\system32\MusNotifyIcon.exe
                      %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
                      1⤵
                      • Checks processor information in registry
                      PID:3012
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k NetworkService -p
                      1⤵
                      • Drops file in Windows directory
                      • Modifies data under HKEY_USERS
                      PID:2844
                    • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe
                      C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe
                      1⤵
                      • Adds policy Run key to start application
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • Modifies Control Panel
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1496
                    • C:\Windows\System32\CompPkgSrv.exe
                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                      1⤵
                        PID:1224
                      • C:\Windows\system32\AUDIODG.EXE
                        C:\Windows\system32\AUDIODG.EXE 0x340 0x478
                        1⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2972

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/3512-149-0x00007FFE12CA0000-0x00007FFE12CA1000-memory.dmp

                        Filesize

                        4KB

                        Download