Analysis

  • max time kernel
    147s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    14/02/2022, 15:41

General

  • Target

    ecfPJqv.exe

  • Size

    53KB

  • MD5

    11fea5d1914bb2a69c21d33e4d57075e

  • SHA1

    0805389d789d5d7cc1445c0b49563f8646975613

  • SHA256

    9378b1a61cd599f6b2f21f7449d6cf35d260a7096aa1fdb9dfa2743457dfc9fc

  • SHA512

    43fd021fd27a2cb5d56da23ab5dfe27efce0d57252ae25f139277f90658f2350153c781433d2dd4913bb5f79660ce861613d31d143d3ed207bc7b42ad1854bbe

Malware Config

Extracted

Path

C:\$Recycle.Bin\README_5326619.txt

Ransom Note

Ooops, your important files are encrypted. Your personal Id: miPvdwmABIEdOM0LLl0YKeqSNtHnv1clloxAncivcMQcVsvPkLKD68fYre2I8vPRYaHTlJV3DB1OidHXeuVeSHFXF47/rO2bvWNv2YKBDwSrXGvKhXCk0h4bzSYw05lh5tljWuT5K4S43/Q5fLi3LOkrny/aPIQSoxr6oBBH0qr39L3gxzytesNZJZf5iDb22sN01ckOAeKztfzuc7vW6YiU9dIML3XkG+oNpVJmBUrZy5gmR9+VMYKTQE6tAbNnkYz4jdU9ojEwz4mepUmHOnIWKIeRAasf4vO2U/B6GlHfSO6g1HELxL9TglnGbbq1vmjig/dezlXS5Is1Kqtw7w==&ZW4tVVNfNTMyNjYxOV9BZG1pbl8yLzE0LzIwMjIgMzo0MTo0MiBQTV9XaW4gN19ibHBvX2VjZlBKcXY=
If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service. We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment and purchase the decryption key. Please follow the instructions:
1. Send $300 worth of Bitcoin to following address: 33Ui4qyDn3UNJgjY8UJJLsC5xydbQTgQKP
2. Send your Bitcoin wallet ID and personal id to e-mail [email protected].

Wallets

33Ui4qyDn3UNJgjY8UJJLsC5xydbQTgQKP

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Disables Task Manager via registry modification
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 26 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ecfPJqv.exe
    "C:\Users\Admin\AppData\Local\Temp\ecfPJqv.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Maps connected drives based on registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:304
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1700
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:556
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1500
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:672
      • C:\Windows\system32\PING.EXE
        ping -n 1 -w 5000 10.10.254.254
        3⤵
        • Runs ping.exe
        PID:1048
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1968
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README_5326619.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1748
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\V2F0Y2hHcmFudC5tcGVn
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\V2F0Y2hHcmFudC5tcGVn
      2⤵
      PID:364
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UHJvdGVjdEJhY2t1cC54bWw=
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UHJvdGVjdEJhY2t1cC54bWw=
      2⤵
      PID:1252
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:672
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x508
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:236

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/856-53-0x00000000008B0000-0x00000000008C4000-memory.dmp

    Filesize

    80KB

  • memory/856-54-0x000007FEF5883000-0x000007FEF5884000-memory.dmp

    Filesize

    4KB

  • memory/856-55-0x000000001B2C0000-0x000000001B2C2000-memory.dmp

    Filesize

    8KB

  • memory/856-56-0x000000001B2C6000-0x000000001B2E5000-memory.dmp

    Filesize

    124KB

  • memory/1748-59-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

    Filesize

    8KB