f32f50289e094e4ad347912d4a13edf1ba4ee273a9f330d2d6e81226a1ffe6eb

General

Target

ecfPJqv.exe
Size

53KB
MD5

11fea5d1914bb2a69c21d33e4d57075e
SHA1

0805389d789d5d7cc1445c0b49563f8646975613
SHA256

9378b1a61cd599f6b2f21f7449d6cf35d260a7096aa1fdb9dfa2743457dfc9fc
SHA512

43fd021fd27a2cb5d56da23ab5dfe27efce0d57252ae25f139277f90658f2350153c781433d2dd4913bb5f79660ce861613d31d143d3ed207bc7b42ad1854bbe

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\README_5326619.txt

Ransom Note

Ooops, your important files are encrypted. Your personal Id: miPvdwmABIEdOM0LLl0YKeqSNtHnv1clloxAncivcMQcVsvPkLKD68fYre2I8vPRYaHTlJV3DB1OidHXeuVeSHFXF47/rO2bvWNv2YKBDwSrXGvKhXCk0h4bzSYw05lh5tljWuT5K4S43/Q5fLi3LOkrny/aPIQSoxr6oBBH0qr39L3gxzytesNZJZf5iDb22sN01ckOAeKztfzuc7vW6YiU9dIML3XkG+oNpVJmBUrZy5gmR9+VMYKTQE6tAbNnkYz4jdU9ojEwz4mepUmHOnIWKIeRAasf4vO2U/B6GlHfSO6g1HELxL9TglnGbbq1vmjig/dezlXS5Is1Kqtw7w==&ZW4tVVNfNTMyNjYxOV9BZG1pbl8yLzE0LzIwMjIgMzo0MTo0MiBQTV9XaW4gN19ibHBvX2VjZlBKcXY= If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service. We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment and purchase the decryption key. Please follow the instructions: 1. Send $300 worth of Bitcoin to following address: 33Ui4qyDn3UNJgjY8UJJLsC5xydbQTgQKP 2. Send your Bitcoin wallet ID and personal id to e-mail wowsmith123456@posteo.net. ��

Emails

wowsmith123456@posteo.net

Wallets

33Ui4qyDn3UNJgjY8UJJLsC5xydbQTgQKP

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

556 bcdedit.exe
1500 bcdedit.exe
Disables Task Manager via registry modification
evasion

pid	process
556	bcdedit.exe
1500	bcdedit.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

ecfPJqv.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\TestPing.tiff	ecfPJqv.exe
File opened for modification	C:\Users\Admin\Pictures\RepairEdit.tiff	ecfPJqv.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

672 cmd.exe

pid	process
672	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ecfPJqv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ecfPJqv.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\ecfPJqv.exe"	ecfPJqv.exe

Drops desktop.ini file(s) 26 IoCs

Processes:

ecfPJqv.exe

description	ioc	process
File created	C:\Users\Public\Music\desktop.ini	ecfPJqv.exe
File created	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	ecfPJqv.exe
File created	C:\Users\Admin\Contacts\desktop.ini	ecfPJqv.exe
File created	C:\Users\Admin\Documents\desktop.ini	ecfPJqv.exe
File created	C:\Users\Admin\Searches\desktop.ini	ecfPJqv.exe
File created	C:\Users\Admin\Videos\desktop.ini	ecfPJqv.exe
File created	C:\Users\Public\Downloads\desktop.ini	ecfPJqv.exe
File created	C:\Users\Public\Desktop\desktop.ini	ecfPJqv.exe
File created	C:\Users\Public\Documents\desktop.ini	ecfPJqv.exe
File created	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	ecfPJqv.exe
File created	C:\Users\Admin\Favorites\desktop.ini	ecfPJqv.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	ecfPJqv.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	ecfPJqv.exe
File created	C:\Users\Admin\Links\desktop.ini	ecfPJqv.exe
File created	C:\Users\Admin\Pictures\desktop.ini	ecfPJqv.exe
File created	C:\Users\Public\Videos\desktop.ini	ecfPJqv.exe
File created	C:\Users\Public\Videos\Sample Videos\desktop.ini	ecfPJqv.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	ecfPJqv.exe
File created	C:\Users\Public\desktop.ini	ecfPJqv.exe
File created	C:\Users\Public\Libraries\desktop.ini	ecfPJqv.exe
File created	C:\Users\Public\Pictures\desktop.ini	ecfPJqv.exe
File created	C:\Users\Admin\Desktop\desktop.ini	ecfPJqv.exe
File created	C:\Users\Admin\Downloads\desktop.ini	ecfPJqv.exe
File created	C:\Users\Admin\Music\desktop.ini	ecfPJqv.exe
File created	C:\Users\Public\Music\Sample Music\desktop.ini	ecfPJqv.exe
File created	C:\Users\Public\Recorded TV\desktop.ini	ecfPJqv.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ecfPJqv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	ecfPJqv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	ecfPJqv.exe

Drops file in Program Files directory 2 IoCs

Processes:

ecfPJqv.exe

description ioc process

File created C:\Program Files (x86)\README_5326619.txt ecfPJqv.exe
File created C:\Program Files\README_5326619.txt ecfPJqv.exe
Drops file in Windows directory 1 IoCs

Processes:

ecfPJqv.exe

description ioc process

File created C:\Windows\README_5326619.txt ecfPJqv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1700 vssadmin.exe

description	ioc	process
File created	C:\Program Files (x86)\README_5326619.txt	ecfPJqv.exe
File created	C:\Program Files\README_5326619.txt	ecfPJqv.exe

description	ioc	process
File created	C:\Windows\README_5326619.txt	ecfPJqv.exe

pid	process
1700	vssadmin.exe

Modifies registry class 3 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_Classes\Local Settings	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1748 NOTEPAD.EXE
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1048 PING.EXE

pid	process
1748	NOTEPAD.EXE

pid	process
1048	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ecfPJqv.exe

pid	process
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe
856	ecfPJqv.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

ecfPJqv.exevssvc.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	856	ecfPJqv.exe
Token: SeBackupPrivilege	1968	vssvc.exe
Token: SeRestorePrivilege	1968	vssvc.exe
Token: SeAuditPrivilege	1968	vssvc.exe
Token: 33	236	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	236	AUDIODG.EXE
Token: 33	236	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	236	AUDIODG.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

ecfPJqv.execmd.execmd.exerundll32.exerundll32.exe

description	pid	process	target process
PID 856 wrote to memory of 304	856	ecfPJqv.exe	cmd.exe
PID 856 wrote to memory of 304	856	ecfPJqv.exe	cmd.exe
PID 856 wrote to memory of 304	856	ecfPJqv.exe	cmd.exe
PID 856 wrote to memory of 672	856	ecfPJqv.exe	cmd.exe
PID 856 wrote to memory of 672	856	ecfPJqv.exe	cmd.exe
PID 856 wrote to memory of 672	856	ecfPJqv.exe	cmd.exe
PID 856 wrote to memory of 672	856	ecfPJqv.exe	cmd.exe
PID 856 wrote to memory of 672	856	ecfPJqv.exe	cmd.exe
PID 304 wrote to memory of 1700	304	cmd.exe	vssadmin.exe
PID 304 wrote to memory of 1700	304	cmd.exe	vssadmin.exe
PID 304 wrote to memory of 1700	304	cmd.exe	vssadmin.exe
PID 672 wrote to memory of 1048	672	cmd.exe	PING.EXE
PID 672 wrote to memory of 1048	672	cmd.exe	PING.EXE
PID 672 wrote to memory of 1048	672	cmd.exe	PING.EXE
PID 304 wrote to memory of 556	304	cmd.exe	bcdedit.exe
PID 304 wrote to memory of 556	304	cmd.exe	bcdedit.exe
PID 304 wrote to memory of 556	304	cmd.exe	bcdedit.exe
PID 304 wrote to memory of 1500	304	cmd.exe	bcdedit.exe
PID 304 wrote to memory of 1500	304	cmd.exe	bcdedit.exe
PID 304 wrote to memory of 1500	304	cmd.exe	bcdedit.exe
PID 2044 wrote to memory of 364	2044	rundll32.exe	NOTEPAD.EXE
PID 2044 wrote to memory of 364	2044	rundll32.exe	NOTEPAD.EXE
PID 2044 wrote to memory of 364	2044	rundll32.exe	NOTEPAD.EXE
PID 2004 wrote to memory of 1252	2004	rundll32.exe	NOTEPAD.EXE
PID 2004 wrote to memory of 1252	2004	rundll32.exe	NOTEPAD.EXE
PID 2004 wrote to memory of 1252	2004	rundll32.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\ecfPJqv.exe
"C:\Users\Admin\AppData\Local\Temp\ecfPJqv.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Maps connected drives based on registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1700

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:556

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:1500

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\system32\PING.EXE
ping -n 1 -w 5000 10.10.254.254
3⤵
- Runs ping.exe
PID:1048

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README_5326619.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1748

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\V2F0Y2hHcmFudC5tcGVn
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\V2F0Y2hHcmFudC5tcGVn
2⤵
PID:364

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UHJvdGVjdEJhY2t1cC54bWw=
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UHJvdGVjdEJhY2t1cC54bWw=
2⤵
PID:1252

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:672

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:236

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\update.bat
MD5
d7e130066bfb1bdeed398db9e46ed158

SHA1
284944a9518de2bd875d67c1b7cd9230ac5f090c

SHA256
54937b7b28a10c0826e67d5caa2e5f99a003c8d39b133a85c712d9f2c29b58d8

SHA512
5e532fc09403dc4df423f4554b61b4688ca37fbcfac15b74c50904a9fabde7b59ce1f0b521ebf55d2c09e5d901d355a1e16641304220861ecf807ccaf8b0468b

Download Submit
C:\Users\Admin\AppData\Roaming\delback.bat
MD5
2450c91afcc2d4cc3dea374820bed314

SHA1
dd1b61d0aa6d1769018c1d3144de9bb960a64d3c

SHA256
4f157084c6e48b547e698ed83ae9a853a4db4b7a115249db272e3eb93316f7df

SHA512
b0b21d16b7f35bfc5526ed07407ec85a221a7a036827b65dce0a449d02a31f3f6f5ce2fbf94f0af01ce4a248b27ccf5f287dd2746ee423766be8d366f78ccc91

Download Submit
C:\Users\Admin\Desktop\README_5326619.txt
MD5
64ae0e16a4f7e8de66f5daca71041e72

SHA1
8f865faca743b24e69f170c639ef49b14a4b2709

SHA256
1e98f33437fcce7f569a5c474c6f0e37d93a54d6574567ffa2c96fc05e2b5955

SHA512
8c1f4febfa60e840fdff3dc87f1a6655528e2d3c714cce634169956521e9b2b92d9bdd9486dea2c6cafcf90f817d25f5e442aa925e28a173071c1bf1bebc2a79

Download Submit
C:\Users\Admin\Desktop\UHJvdGVjdEJhY2t1cC54bWw=
MD5
7e517afc93c80256ebbde8875304b1b3

SHA1
af43d4d8ce7816fc04f630eab484ee4aaca7ceae

SHA256
33c460e696257685b1d86e35852af3cd2638fcbc55fd10a3f3c4ff4ab361439a

SHA512
9b1868143d7258717a43a9481c135f75df11cbc38f318cfc770edeea8c9035fe85d4b94d638da93bd583340c5d3bdbb01b278cf5a84a084d2cacb29e6ec2db78

Download Submit
C:\Users\Admin\Desktop\V2F0Y2hHcmFudC5tcGVn
MD5
76580dce81fe3e4766c835634295b009

SHA1
0e91b381ffc2da14ca10640bdfe7ae3e9b64100f

SHA256
fb334c322a2c74eba9fdb7af495188d071282aae77244e41d35842cf0de040d6

SHA512
79f1688578be5c3b22abd716bcdad0390bcab0652497b0c98e2f1e53b1d539a770bf43ece6f24d5f4580b78562e6b685766b89e6b36e0d6cd30a4489bc652648

Download Submit
memory/856-53-0x00000000008B0000-0x00000000008C4000-memory.dmp

Filesize
80KB

Download
memory/856-54-0x000007FEF5883000-0x000007FEF5884000-memory.dmp

Filesize
4KB

Download
memory/856-55-0x000000001B2C0000-0x000000001B2C2000-memory.dmp

Filesize
8KB

Download
memory/856-56-0x000000001B2C6000-0x000000001B2E5000-memory.dmp

Filesize
124KB

Download
memory/1748-59-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads