Analysis
-
max time kernel
158s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
11-02-2022 07:12
Static task
static1
Behavioral task
behavioral1
Sample
11949277110bec29845393d9f8b8967768d40671d93b9bf0a50310c5100938c4.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
11949277110bec29845393d9f8b8967768d40671d93b9bf0a50310c5100938c4.exe
Resource
win10v2004-en-20220113
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
11949277110bec29845393d9f8b8967768d40671d93b9bf0a50310c5100938c4.exe
-
Size
52KB
-
MD5
87a0b1a60ce2615b080323b04abd0f1e
-
SHA1
343d23a10893dfca3628b28aedfb17477353fc84
-
SHA256
11949277110bec29845393d9f8b8967768d40671d93b9bf0a50310c5100938c4
-
SHA512
225852730b08b3ea39e84de8190af25b33c6403943435ed21e4bd315e74d77a734238936fb099d374524a83ae5398458d28333687ca785bdfec2f07accd5e133
Score
10/10
Malware Config
Extracted
Path
C:\PLEASE READ THIS.TXT
Ransom Note
Your personal ID :
* No data from your computer has been stolen or deleted.
* Follow the instructions to restore the files.
* How to get the automatic decryptor:
1)Contact us by e-mail: [email protected]. In the letter, indicate your personal identifier (look at the beginning of this document)
and the external ip-address of the computer on which the encrypted files are located.
2)After answering your request, our operator will give you further instructions that will show what to do next
(the answer you will receive as soon as possible)
**Send a copy of the letter to Second email address : [email protected]
* Free decryption as guarantee!
Before paying you can send us up to 5 files for free decryption.
The total size of files must be less than 5 Mb (non archived), and files should not contain
valuable information (databases, backups, large excel sheets, etc.).
ATTENTION !!!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price
(they add their fee to our) or you can become a victim of a scam.
* If you do not receive a reply within 12 hours, create an account on Gmail.com and try again.
or just check your email spam.
Signatures
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | 11949277110bec29845393d9f8b8967768d40671d93b9bf0a50310c5100938c4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\11949277110bec29845393d9f8b8967768d40671d93b9bf0a50310c5100938c4.exe" | 11949277110bec29845393d9f8b8967768d40671d93b9bf0a50310c5100938c4.exe
-
Drops desktop.ini file(s) 9 IoCs
description | ioc | Process
File opened for modification | C:\Users\Public\Documents\desktop.ini | 11949277110bec29845393d9f8b8967768d40671d93b9bf0a50310c5100938c4.exe
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | 11949277110bec29845393d9f8b8967768d40671d93b9bf0a50310c5100938c4.exe
File opened for modification | C:\Users\Public\desktop.ini | 11949277110bec29845393d9f8b8967768d40671d93b9bf0a50310c5100938c4.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | 11949277110bec29845393d9f8b8967768d40671d93b9bf0a50310c5100938c4.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | 11949277110bec29845393d9f8b8967768d40671d93b9bf0a50310c5100938c4.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | 11949277110bec29845393d9f8b8967768d40671d93b9bf0a50310c5100938c4.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | 11949277110bec29845393d9f8b8967768d40671d93b9bf0a50310c5100938c4.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | 11949277110bec29845393d9f8b8967768d40671d93b9bf0a50310c5100938c4.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | 11949277110bec29845393d9f8b8967768d40671d93b9bf0a50310c5100938c4.exe
-
Drops file in Windows directory 7 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 1876 | svchost.exe
Token: SeCreatePagefilePrivilege | 1876 | svchost.exe
Token: SeShutdownPrivilege | 1876 | svchost.exe
Token: SeCreatePagefilePrivilege | 1876 | svchost.exe
Token: SeShutdownPrivilege | 1876 | svchost.exe
Token: SeCreatePagefilePrivilege | 1876 | svchost.exe
Token: SeSecurityPrivilege | 3492 | TiWorker.exe
Token: SeRestorePrivilege | 3492 | TiWorker.exe
Token: SeBackupPrivilege | 3492 | TiWorker.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\11949277110bec29845393d9f8b8967768d40671d93b9bf0a50310c5100938c4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\11949277110bec29845393d9f8b8967768d40671d93b9bf0a50310c5100938c4.exe"
- Adds Run key to start application
- Drops desktop.ini file(s)
PID:2800
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1876
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3492