e097cde0f76df948f039584045acfa6bd7ef863141560815d12c3c6e6452dce4

Analysis

max time kernel
242s
max time network
144s
platform
windows7_x64
resource
win7-en-20211208
submitted
13/02/2022, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xxx.exe
Size

38KB
MD5

2e936942613b9ef1a90b5216ef830fbf
SHA1

32c2ecf9703aec725034ab4a8a4c7b2944c1f0b7
SHA256

e097cde0f76df948f039584045acfa6bd7ef863141560815d12c3c6e6452dce4
SHA512

e0c456502fb397b212fd480cda44cb404bfde11e1392842d4b81059881e3db8f93d8b72bbdb7d35a95680f89ee91022b7662a1902dc6e21be86db0f3c4389e27

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\NOKOYAWA_readme.txt

Ransom Note

Dear usernamme, your files were encrypted, some are compromised. Be sure, you can't restore it without our help. You need a private key that only we have. Contact us to reach an agreement or we will leak your black shit to media: [email protected] [email protected] 亲爱的用户名，您的文件已加密，有些已被泄露。请确保，如果没有我们的帮助，您将无法恢复它。您需要一个只有我们拥有的私钥。联系我们以达成协议，否则我们会将您的黑屎泄露给媒体： [email protected] [email protected]

Emails

[email protected]

Signatures

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\UseRestart.png => C:\Users\Admin\Pictures\UseRestart.png.NOKOYAWA	xxx.exe
File renamed	C:\Users\Admin\Pictures\DebugEdit.raw => C:\Users\Admin\Pictures\DebugEdit.raw.NOKOYAWA	xxx.exe
File opened for modification	C:\Users\Admin\Pictures\PushCompress.tiff	xxx.exe
File renamed	C:\Users\Admin\Pictures\MoveInvoke.raw => C:\Users\Admin\Pictures\MoveInvoke.raw.NOKOYAWA	xxx.exe
File renamed	C:\Users\Admin\Pictures\PushCompress.tiff => C:\Users\Admin\Pictures\PushCompress.tiff.NOKOYAWA	xxx.exe
File renamed	C:\Users\Admin\Pictures\SaveRestore.png => C:\Users\Admin\Pictures\SaveRestore.png.NOKOYAWA	xxx.exe

Drops desktop.ini file(s) 13 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	xxx.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	xxx.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	xxx.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	xxx.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	xxx.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	xxx.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	xxx.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	xxx.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	xxx.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	xxx.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	xxx.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	xxx.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	xxx.exe

C:\Users\Admin\AppData\Local\Temp\xxx.exe
"C:\Users\Admin\AppData\Local\Temp\xxx.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
PID:1944

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads