Analysis
- max time kernel: 118s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 10-02-2022 19:35
Static task: static1
Behavioral task: behavioral1
- Sample: Ransom.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: Ransom.exe
- Resource: win10v2004-en-20220112
General
- Target: Ransom.exe
- Size: 127KB
- MD5: 1f6297d8f742cb578bfa59735120326b
- SHA1: ff6eca213cad5c2a139fc0dc0dc6a8e6d3df7b17
- SHA256: 3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673
- SHA512: f9ade063be2ae5861248472aff857b2e0506d4705ff779972ade7482bb7797521338dd9a842f048d5ba1697719b22a3ba596370c37f4352a2527dbe1997edfd1
Malware Config
- Extracted: C:\Users\Admin\RECOVERY INFORMATION.txt
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  pid | Process
  1360 | bcdedit.exe
  1356 | bcdedit.exe
- Modifies extensions of user files (10 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description | ioc | Process
  File renamed | C:\Users\Admin\Pictures\RestoreStop.png => C:\Users\Admin\Pictures\RestoreStop.png.exploit | Ransom.exe
  File renamed | C:\Users\Admin\Pictures\SyncClear.crw => C:\Users\Admin\Pictures\SyncClear.crw.exploit | Ransom.exe
  File opened for modification | C:\Users\Admin\Pictures\SearchSync.tiff | Ransom.exe
  File renamed | C:\Users\Admin\Pictures\OutPublish.raw => C:\Users\Admin\Pictures\OutPublish.raw.exploit | Ransom.exe
  File renamed | C:\Users\Admin\Pictures\SaveClear.tif => C:\Users\Admin\Pictures\SaveClear.tif.exploit | Ransom.exe
  File renamed | C:\Users\Admin\Pictures\InvokePush.tiff => C:\Users\Admin\Pictures\InvokePush.tiff.exploit | Ransom.exe
  File renamed | C:\Users\Admin\Pictures\SearchSync.tiff => C:\Users\Admin\Pictures\SearchSync.tiff.exploit | Ransom.exe
  File renamed | C:\Users\Admin\Pictures\UnblockDeny.png => C:\Users\Admin\Pictures\UnblockDeny.png.exploit | Ransom.exe
  File renamed | C:\Users\Admin\Pictures\ConnectClose.tif => C:\Users\Admin\Pictures\ConnectClose.tif.exploit | Ransom.exe
  File opened for modification | C:\Users\Admin\Pictures\InvokePush.tiff | Ransom.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\L: | Ransom.exe
  File opened (read-only) | \??\M: | Ransom.exe
  File opened (read-only) | \??\O: | Ransom.exe
  File opened (read-only) | \??\R: | Ransom.exe
  File opened (read-only) | \??\S: | Ransom.exe
  File opened (read-only) | \??\X: | Ransom.exe
  File opened (read-only) | \??\F: | Ransom.exe
  File opened (read-only) | \??\H: | Ransom.exe
  File opened (read-only) | \??\Z: | Ransom.exe
  File opened (read-only) | \??\U: | Ransom.exe
  File opened (read-only) | \??\V: | Ransom.exe
  File opened (read-only) | \??\B: | Ransom.exe
  File opened (read-only) | \??\Q: | Ransom.exe
  File opened (read-only) | \??\J: | Ransom.exe
  File opened (read-only) | \??\N: | Ransom.exe
  File opened (read-only) | \??\E: | Ransom.exe
  File opened (read-only) | \??\G: | Ransom.exe
  File opened (read-only) | \??\K: | Ransom.exe
  File opened (read-only) | \??\P: | Ransom.exe
  File opened (read-only) | \??\T: | Ransom.exe
  File opened (read-only) | \??\W: | Ransom.exe
  File opened (read-only) | \??\Y: | Ransom.exe
  File opened (read-only) | \??\A: | Ransom.exe
  File opened (read-only) | \??\I: | Ransom.exe
- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01239_.GIF | Ransom.exe
  File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\RECOVERY INFORMATION.txt | Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105504.WMF | Ransom.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\RECOVERY INFORMATION.txt | Ransom.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Lisbon | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00687_.WMF | Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml | Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-api-caching.jar | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15061_.GIF | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGATNGET.DPV | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00045_.WMF | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03205I.JPG | Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-10 | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02288_.WMF | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WNTER_01.MID | Ransom.exe
  File created | C:\Program Files (x86)\MSBuild\Microsoft\RECOVERY INFORMATION.txt | Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\WZCNFLCT.CHM | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml | Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Copenhagen | Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF | Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Process Library.fdt | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SCHOL_02.MID | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABMASK.BMP | Ransom.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\RECOVERY INFORMATION.txt | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0281904.WMF | Ransom.exe
  File created | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\RECOVERY INFORMATION.txt | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\ALARM.WAV | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18210_.WMF | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG | Ransom.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ExpenseReport.xltx | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfoInternal.zip | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Black Tie.eftx | Ransom.exe
  File opened for modification | C:\Program Files\WriteRestart.xml | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR13F.GIF | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152708.WMF | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ViewHeaderPreview.jpg | Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif | Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kabul | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107290.WMF | Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Interface.zip | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15058_.GIF | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00638_.WMF | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB | Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MET | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATALOG.XML | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DigSig.api | Ransom.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Monticello | Ransom.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8 | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18237_.WMF | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WPULQT98.POC | Ransom.exe
  File created | C:\Program Files (x86)\RECOVERY INFORMATION.txt | Ransom.exe
  File created | C:\Program Files\Java\jre7\lib\zi\America\Kentucky\RECOVERY INFORMATION.txt | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf | Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+6 | Ransom.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00914_.WMF | Ransom.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife | Ransom.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  1164 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  1472 | Ransom.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeTakeOwnershipPrivilege | 1472 | Ransom.exe
  Token: SeDebugPrivilege | 1472 | Ransom.exe
  Token: SeBackupPrivilege | 824 | vssvc.exe
  Token: SeRestorePrivilege | 824 | vssvc.exe
  Token: SeAuditPrivilege | 824 | vssvc.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 1472 wrote to memory of 1164 | 1472 | Ransom.exe | 27
  PID 1472 wrote to memory of 1164 | 1472 | Ransom.exe | 27
  PID 1472 wrote to memory of 1164 | 1472 | Ransom.exe | 27
  PID 1472 wrote to memory of 1164 | 1472 | Ransom.exe | 27
  PID 1472 wrote to memory of 1668 | 1472 | Ransom.exe | 28
  PID 1472 wrote to memory of 1668 | 1472 | Ransom.exe | 28
  PID 1472 wrote to memory of 1668 | 1472 | Ransom.exe | 28
  PID 1472 wrote to memory of 1668 | 1472 | Ransom.exe | 28
  PID 1472 wrote to memory of 1548 | 1472 | Ransom.exe | 29
  PID 1472 wrote to memory of 1548 | 1472 | Ransom.exe | 29
  PID 1472 wrote to memory of 1548 | 1472 | Ransom.exe | 29
  PID 1472 wrote to memory of 1548 | 1472 | Ransom.exe | 29
  PID 1548 wrote to memory of 1360 | 1548 | cmd.exe | 33
  PID 1548 wrote to memory of 1360 | 1548 | cmd.exe | 33
  PID 1548 wrote to memory of 1360 | 1548 | cmd.exe | 33
  PID 1668 wrote to memory of 1356 | 1668 | cmd.exe | 34
  PID 1668 wrote to memory of 1356 | 1668 | cmd.exe | 34
  PID 1668 wrote to memory of 1356 | 1668 | cmd.exe | 34
Processes
- C:\Users\Admin\AppData\Local\Temp\Ransom.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ransom.exe"
  PID: 1472
  Signatures: Modifies extensions of user files; Enumerates connected drives; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\vssadmin.exe (level 2)
    Command line: "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
    PID: 1164
    Signatures: Interacts with shadow copies
  - C:\Windows\system32\cmd.exe (level 2)
    Command line: "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
    PID: 1668
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\bcdedit.exe (level 3)
      Command line: bcdedit /set {current} bootstatuspolicy ignoreallfailures
      PID: 1356
      Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\system32\cmd.exe (level 2)
    Command line: "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
    PID: 1548
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\bcdedit.exe (level 3)
      Command line: bcdedit /set {current} recoveryenabled no
      PID: 1360
      Signatures: Modifies boot configuration data using bcdedit
- C:\Windows\system32\vssvc.exe (level 1)
  Command line: C:\Windows\system32\vssvc.exe
  PID: 824
  Signatures: Suspicious use of AdjustPrivilegeToken