Analysis

  • max time kernel
    166s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    05-02-2022 21:17

General

  • Target

    e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16.exe

  • Size

    112KB

  • MD5

    9a7f87c91bf7e602055a5503e80e2313

  • SHA1

    193f407a2f0c7e1eaa65c54cd9115c418881de42

  • SHA256

    e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16

  • SHA512

    d798b435a92b45ffcd747316f6080d787309a7bcedeb87e2677d57220a83db73f16edb5ddcc69c869c278e969c0391fa19663a29fb2a8c3949e6ecf980bca08d

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\# DECRYPT MY FILES #.txt

Ransom Note
C E R B E R ----------- Your documents, photos, databases and other important files have been encrypted! To decrypt your files follow the instructions: --------------------------------------------------------------------------------------- 1. Download and install the "Tor Browser" from https://www.torproject.org/ 2. Run it 3. In the "Tor Browser" open website: http://decrypttozxybarc.onion/4D00-C7F9-E141-0006-4699 4. Follow the instructions at this website --------------------------------------------------------------------------------------- �...Quod me non necat me fortiorem facit.�
URLs

http://decrypttozxybarc.onion/4D00-C7F9-E141-0006-4699

Signatures

  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 12 IoCs
  • Modifies data under HKEY_USERS 45 IoCs
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16.exe
    "C:\Users\Admin\AppData\Local\Temp\e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16.exe"
    1⤵
    • Adds policy Run key to start application
    • Drops startup file
    • Adds Run key to start application
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe
      "C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe"
      2⤵
      • Adds policy Run key to start application
      • Executes dropped EXE
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:788
      • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe
        "C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe" -watchdog
        3⤵
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies Control Panel
        • Suspicious use of AdjustPrivilegeToken
        PID:3444
      • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe
        "C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe" -stat 82
        3⤵
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies Control Panel
        • Suspicious use of AdjustPrivilegeToken
        PID:3864
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt
        3⤵
          PID:396
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
          3⤵
          • Enumerates system info in registry
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3740
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdf4d946f8,0x7ffdf4d94708,0x7ffdf4d94718
            4⤵
              PID:556
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,7243881755203823882,8208547225666045346,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
              4⤵
                PID:2796
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,7243881755203823882,8208547225666045346,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
                4⤵
                  PID:3512
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,7243881755203823882,8208547225666045346,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
                  4⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2900
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7243881755203823882,8208547225666045346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
                  4⤵
                    PID:2484
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7243881755203823882,8208547225666045346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
                    4⤵
                      PID:1800
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2216,7243881755203823882,8208547225666045346,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5112 /prefetch:8
                      4⤵
                        PID:644
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"
                      3⤵
                        PID:2912
                      • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe
                        "C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe" -stat 82
                        3⤵
                        • Adds policy Run key to start application
                        • Executes dropped EXE
                        • Adds Run key to start application
                        • Modifies Control Panel
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3140
                      • C:\Windows\system32\cmd.exe
                        /d /c taskkill /t /f /im "TSTheme.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe" > NUL
                        3⤵
                          PID:1464
                          • C:\Windows\system32\taskkill.exe
                            taskkill /t /f /im "TSTheme.exe"
                            4⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1292
                          • C:\Windows\system32\PING.EXE
                            ping -n 1 127.0.0.1
                            4⤵
                            • Runs ping.exe
                            PID:332
                      • C:\Windows\SysWOW64\cmd.exe
                        /d /c taskkill /t /f /im "e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16.exe" > NUL
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:64
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /t /f /im "e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16.exe"
                          3⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1548
                        • C:\Windows\SysWOW64\PING.EXE
                          ping -n 1 127.0.0.1
                          3⤵
                          • Runs ping.exe
                          PID:2728
                    • C:\Windows\system32\MusNotifyIcon.exe
                      %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
                      1⤵
                      • Checks processor information in registry
                      PID:3012
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k NetworkService -p
                      1⤵
                      • Drops file in Windows directory
                      • Modifies data under HKEY_USERS
                      PID:2844
                    • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe
                      C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe
                      1⤵
                      • Adds policy Run key to start application
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • Modifies Control Panel
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1496
                    • C:\Windows\System32\CompPkgSrv.exe
                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                      1⤵
                        PID:1224
                      • C:\Windows\system32\AUDIODG.EXE
                        C:\Windows\system32\AUDIODG.EXE 0x340 0x478
                        1⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2972

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GS28O9WE\json[1].json

                        MD5

                        0aa762bb10362f552b6144794a0d1888

                        SHA1

                        750eba61c566f9d0c9b2dd997c77f35a95c515b2

                        SHA256

                        5eafadbd4100539125257b4a3f3c4a8fe4fd33605fc8a9b52050d715475b4de4

                        SHA512

                        01a293bdfc4beebac42a0fcfb0fb1dfd52613b35b7de50e942c4638e008f8527fe37a29572a7612ead8b65ad41e848e12ec3258ca5c821030cba2b394805da16

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VMAZW8LB\json[2].json

                        MD5

                        0aa762bb10362f552b6144794a0d1888

                        SHA1

                        750eba61c566f9d0c9b2dd997c77f35a95c515b2

                        SHA256

                        5eafadbd4100539125257b4a3f3c4a8fe4fd33605fc8a9b52050d715475b4de4

                        SHA512

                        01a293bdfc4beebac42a0fcfb0fb1dfd52613b35b7de50e942c4638e008f8527fe37a29572a7612ead8b65ad41e848e12ec3258ca5c821030cba2b394805da16

                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\TSTheme.lnk

                        MD5

                        600189afeea5abe7891cbba734f3dc1d

                        SHA1

                        b18d049a0f215c3a9333b47b1227bfe9d05496fd

                        SHA256

                        b51314cde55bcd8779e6f9b836dbeb4986a4d0ab362f801d3c4b13421216e582

                        SHA512

                        5436ab5aacceae76750275c92af78a04525f7938ddbe9091d818c989a0b0b841338c9316230cc6ff2badd4df6f9e9c8d0dd6ca5547e4973f846e87739396a2d4

                      • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe

                        MD5

                        9a7f87c91bf7e602055a5503e80e2313

                        SHA1

                        193f407a2f0c7e1eaa65c54cd9115c418881de42

                        SHA256

                        e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16

                        SHA512

                        d798b435a92b45ffcd747316f6080d787309a7bcedeb87e2677d57220a83db73f16edb5ddcc69c869c278e969c0391fa19663a29fb2a8c3949e6ecf980bca08d

                      • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe

                        MD5

                        9a7f87c91bf7e602055a5503e80e2313

                        SHA1

                        193f407a2f0c7e1eaa65c54cd9115c418881de42

                        SHA256

                        e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16

                        SHA512

                        d798b435a92b45ffcd747316f6080d787309a7bcedeb87e2677d57220a83db73f16edb5ddcc69c869c278e969c0391fa19663a29fb2a8c3949e6ecf980bca08d

                      • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe

                        MD5

                        9a7f87c91bf7e602055a5503e80e2313

                        SHA1

                        193f407a2f0c7e1eaa65c54cd9115c418881de42

                        SHA256

                        e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16

                        SHA512

                        d798b435a92b45ffcd747316f6080d787309a7bcedeb87e2677d57220a83db73f16edb5ddcc69c869c278e969c0391fa19663a29fb2a8c3949e6ecf980bca08d

                      • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe

                        MD5

                        9a7f87c91bf7e602055a5503e80e2313

                        SHA1

                        193f407a2f0c7e1eaa65c54cd9115c418881de42

                        SHA256

                        e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16

                        SHA512

                        d798b435a92b45ffcd747316f6080d787309a7bcedeb87e2677d57220a83db73f16edb5ddcc69c869c278e969c0391fa19663a29fb2a8c3949e6ecf980bca08d

                      • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe

                        MD5

                        9a7f87c91bf7e602055a5503e80e2313

                        SHA1

                        193f407a2f0c7e1eaa65c54cd9115c418881de42

                        SHA256

                        e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16

                        SHA512

                        d798b435a92b45ffcd747316f6080d787309a7bcedeb87e2677d57220a83db73f16edb5ddcc69c869c278e969c0391fa19663a29fb2a8c3949e6ecf980bca08d

                      • C:\Users\Admin\AppData\Roaming\{521FF9CE-8547-58DC-1902-C6B9D9719592}\TSTheme.exe

                        MD5

                        9a7f87c91bf7e602055a5503e80e2313

                        SHA1

                        193f407a2f0c7e1eaa65c54cd9115c418881de42

                        SHA256

                        e8c6741d3d21068535fb6bb7fe676ecaa74eee06a655c7aa915fc39c0ee7ee16

                        SHA512

                        d798b435a92b45ffcd747316f6080d787309a7bcedeb87e2677d57220a83db73f16edb5ddcc69c869c278e969c0391fa19663a29fb2a8c3949e6ecf980bca08d

                      • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html

                        MD5

                        abd33592cd29f8777f13f40c6c6409aa

                        SHA1

                        34fa934085cc6c96ac7195c3161f19dd8aaf9a50

                        SHA256

                        2da1968d1233a2b7c40f180d21338844e612ee0829ed776c858143ce8ace0104

                        SHA512

                        cde5207f19e98312b4471ed11a368196b4a197eadeb5944ba38dedd1562052c01031109f511b19134cc6fe7e79bef6f35f516437f7356d44505e14675045d0cb

                      • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt

                        MD5

                        523e376b4b8df1f406c91a86e35065af

                        SHA1

                        c518d4d24be784efd98e71058d50d4cac7389c51

                        SHA256

                        e43ac4c80828b01af555424306389b4a3dd2c83406ae67bf3cd4c016caa24e71

                        SHA512

                        32c6c61fcc5397512366335ea82a82c54084138d904cef0f13dce70fc7b8836a826b8e2750f0bb7851b86303158b7c493852b3d1d7e475545f0c1b139a4580aa

                      • C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs

                        MD5

                        e9ffd9f618cbf36ad6c910c161bb8080

                        SHA1

                        a702b4220bbded577b4b699611bb73593b12ae71

                        SHA256

                        020ca4b4574a40418b8aa4c2d74b0488e9d150e8d3f5e56e5c6dcca6f7dfaaac

                        SHA512

                        ee87264e384579df7b74d7ac08e9a490495efa34f1a99e2d4949cb76b839c165fbb281aacae25f4ab7e911401c7bfa3fba4b0e59dd492566985fb8dbd1cf1bef

                      • \??\pipe\LOCAL\crashpad_3740_KRWMZUGKFXSBJADN

                        MD5

                        d41d8cd98f00b204e9800998ecf8427e

                        SHA1

                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                        SHA256

                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                        SHA512

                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                      • memory/3512-149-0x00007FFE12CA0000-0x00007FFE12CA1000-memory.dmp

                        Filesize

                        4KB