Analysis

max time kernel: 147s
max time network: 126s
platform: windows7_x64
resource: win7-en-20211208
submitted: 14-02-2022 15:41

Static task: static1
Behavioral task: behavioral1
  Sample: ecfPJqv.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: ecfPJqv.exe
  Resource: win10v2004-en-20220112
General

Target: ecfPJqv.exe
Size: 53KB
MD5: 11fea5d1914bb2a69c21d33e4d57075e
SHA1: 0805389d789d5d7cc1445c0b49563f8646975613
SHA256: 9378b1a61cd599f6b2f21f7449d6cf35d260a7096aa1fdb9dfa2743457dfc9fc
SHA512: 43fd021fd27a2cb5d56da23ab5dfe27efce0d57252ae25f139277f90658f2350153c781433d2dd4913bb5f79660ce861613d31d143d3ed207bc7b42ad1854bbe
Malware Config

Extracted from: C:\$Recycle.Bin\README_5326619.txt
  Contact email: wowsmith123456@posteo.net
  Payment address: 33Ui4qyDn3UNJgjY8UJJLsC5xydbQTgQKP
Signatures

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes: bcdedit.exe (PID 556), bcdedit.exe (PID 1500)
Disables Task Manager via registry modification

Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: ecfPJqv.exe
    File opened for modification: C:\Users\Admin\Pictures\TestPing.tiff
    File opened for modification: C:\Users\Admin\Pictures\RepairEdit.tiff
Deletes itself (1 IoC)
  Process: cmd.exe (PID 672)

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: ecfPJqv.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ecfPJqv.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\ecfPJqv.exe"
  Note that this is a RunOnce value (executed and removed at the next logon, not a persistent Run entry), and that its target, Temp\Adobe\ecfPJqv.exe, is not the path the sample was launched from (Temp\ecfPJqv.exe); no file-creation IoC for that copy appears in this report.
Drops desktop.ini file(s) (26 IoCs)
  Process: ecfPJqv.exe
    File created: C:\Users\Public\Music\desktop.ini
    File created: C:\Users\Public\Recorded TV\Sample Media\desktop.ini
    File created: C:\Users\Admin\Contacts\desktop.ini
    File created: C:\Users\Admin\Documents\desktop.ini
    File created: C:\Users\Admin\Searches\desktop.ini
    File created: C:\Users\Admin\Videos\desktop.ini
    File created: C:\Users\Public\Downloads\desktop.ini
    File created: C:\Users\Public\Desktop\desktop.ini
    File created: C:\Users\Public\Documents\desktop.ini
    File created: C:\Users\Public\Pictures\Sample Pictures\desktop.ini
    File created: C:\Users\Admin\Favorites\desktop.ini
    File created: C:\Users\Admin\Favorites\Links\desktop.ini
    File created: C:\Users\Admin\Favorites\Links for United States\desktop.ini
    File created: C:\Users\Admin\Links\desktop.ini
    File created: C:\Users\Admin\Pictures\desktop.ini
    File created: C:\Users\Public\Videos\desktop.ini
    File created: C:\Users\Public\Videos\Sample Videos\desktop.ini
    File created: C:\Users\Admin\Saved Games\desktop.ini
    File created: C:\Users\Public\desktop.ini
    File created: C:\Users\Public\Libraries\desktop.ini
    File created: C:\Users\Public\Pictures\desktop.ini
    File created: C:\Users\Admin\Desktop\desktop.ini
    File created: C:\Users\Admin\Downloads\desktop.ini
    File created: C:\Users\Admin\Music\desktop.ini
    File created: C:\Users\Public\Music\Sample Music\desktop.ini
    File created: C:\Users\Public\Recorded TV\desktop.ini
Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Process: ecfPJqv.exe
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
Drops file in Program Files directory (2 IoCs)
  Process: ecfPJqv.exe
    File created: C:\Program Files (x86)\README_5326619.txt
    File created: C:\Program Files\README_5326619.txt

Drops file in Windows directory (1 IoC)
  Process: ecfPJqv.exe
    File created: C:\Windows\README_5326619.txt
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Process: vssadmin.exe (PID 1700)
Modifies registry class (3 IoCs)
  Processes: rundll32.exe, rundll32.exe
    Key created: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_Classes\Local Settings (rundll32.exe)
    Key created: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache (rundll32.exe)
    Key created: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_Classes\Local Settings (rundll32.exe)

Opens file in notepad (likely ransom note) (1 IoC)
  Process: NOTEPAD.EXE (PID 1748)

Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: ecfPJqv.exe (PID 856), 64 events

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes: ecfPJqv.exe, vssvc.exe, AUDIODG.EXE
    ecfPJqv.exe (PID 856): SeDebugPrivilege
    vssvc.exe (PID 1968): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    AUDIODG.EXE (PID 236): privilege 33, SeIncBasePriorityPrivilege, privilege 33, SeIncBasePriorityPrivilege
  (The report leaves privilege LUID 33 unnamed; on Windows that value is SeIncreaseWorkingSetPrivilege. vssvc.exe and AUDIODG.EXE are system services doing their normal work.)

Suspicious use of WriteProcessMemory (26 IoCs)
  Processes: ecfPJqv.exe, cmd.exe, cmd.exe, rundll32.exe, rundll32.exe
    856 ecfPJqv.exe  -> 304 cmd.exe          (3 events)
    856 ecfPJqv.exe  -> 672 cmd.exe          (5 events)
    304 cmd.exe      -> 1700 vssadmin.exe    (3 events)
    672 cmd.exe      -> 1048 PING.EXE        (3 events)
    304 cmd.exe      -> 556 bcdedit.exe      (3 events)
    304 cmd.exe      -> 1500 bcdedit.exe     (3 events)
    2044 rundll32.exe -> 364 NOTEPAD.EXE     (3 events)
    2004 rundll32.exe -> 1252 NOTEPAD.EXE    (3 events)
  (Repeated entries per parent/child pair are the sandbox logging each WriteProcessMemory call made while the child is created, not separate injections.)
Processes

ecfPJqv.exe (PID 856)
  "C:\Users\Admin\AppData\Local\Temp\ecfPJqv.exe"
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Maps connected drives based on registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  cmd.exe (PID 304)
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"
    - Suspicious use of WriteProcessMemory

    vssadmin.exe (PID 1700)
      vssadmin delete shadows /all /quiet
      - Interacts with shadow copies

    bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit

    bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit

  cmd.exe (PID 672)
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    PING.EXE (PID 1048)
      ping -n 1 -w 5000 10.10.254.254
      - Runs ping.exe

vssvc.exe (PID 1968)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

NOTEPAD.EXE (PID 1748)
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README_5326619.txt
  - Opens file in notepad (likely ransom note)

rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\V2F0Y2hHcmFudC5tcGVn
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\V2F0Y2hHcmFudC5tcGVn

rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UHJvdGVjdEJhY2t1cC54bWw=
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UHJvdGVjdEJhY2t1cC54bWw=

explorer.exe
  "C:\Windows\explorer.exe"

AUDIODG.EXE (PID 236)
  C:\Windows\system32\AUDIODG.EXE 0x508
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample (856) does its destructive work through two batch files it drops. delback.bat (run by cmd.exe 304) deletes all shadow copies and then turns off Windows recovery and boot-failure handling with two bcdedit calls; update.bat (run by cmd.exe 672) uses ping -n 1 -w 5000 as a delay so the sample can exit before the batch deletes it, which is what the "Deletes itself" signature on 672 records. The contents of neither batch file are shown here, only their hashes under Downloads. The two rundll32.exe shell32.dll,OpenAs_RunDLL entries are the Explorer "Open with" dialog being invoked on the two extensionless Desktop files, which then open in Notepad; they have no parent in the tree and are the sandbox interacting with the renamed files, not behaviour of the sample. vssvc.exe is the Volume Shadow Copy service answering the vssadmin request, and AUDIODG.EXE is the audio engine; both are normal system processes.
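The recovery-inhibition chain in this tree (vssadmin delete shadows, bcdedit recoveryenabled no, bcdedit bootstatuspolicy ignoreallfailures), the ping-as-sleep self-deletion, and the RunOnce entry from the Signatures section are the behaviours a detection engineer would match on. The following Python is an added example and not part of the sandbox report: the rule names, the event schema and the ATT&CK mapping are mine (current ATT&CK technique IDs, not the v6 matrix this report references), and the sample events are reconstructed from the process tree and the registry IoC above, with the two bcdedit PIDs assigned in the order the report lists them.

```python
"""Triage rules for recovery inhibition and autostart persistence.

Added example, not part of the sandbox report. Rule names, the event schema
and the ATT&CK mapping are assumptions of this example; SAMPLE_EVENTS are
copied from the report's process tree and registry IoC.
"""
import re
from typing import Dict, List, Tuple

# Tag -> technique. Current ATT&CK IDs (the report's own matrix is v6).
ATTACK_MAP = {
    "vss_delete": "T1490 Inhibit System Recovery",
    "bcd_recovery_off": "T1490 Inhibit System Recovery",
    "bcd_ignore_failures": "T1490 Inhibit System Recovery",
    "ping_delay": "batch-file sleep; paired here with cmd.exe self-deletion",
    "autostart_run_key": "T1547.001 Registry Run Keys / Startup Folder",
    "autostart_from_temp": "T1547.001 Registry Run Keys / Startup Folder",
}

# Case-insensitive because the sandbox logs mixed-case names (PING.EXE, bcdedit.exe).
COMMAND_RULES = [
    ("vss_delete", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("bcd_recovery_off", re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("bcd_ignore_failures", re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    # "ping -n <n> -w <ms> <host>" is the classic batch-file sleep used so the
    # parent can exit before the batch deletes the binary.
    ("ping_delay", re.compile(r"\bping(?:\.exe)?\s+-n\s+\d+\s+-w\s+\d+\s+\S+", re.I)),
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\", re.I)
TEMP_PATH_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def classify_command(cmdline: str) -> List[str]:
    """Return the rule tags matched by one process command line."""
    return [tag for tag, rx in COMMAND_RULES if rx.search(cmdline)]


def classify_registry_write(key_path: str, value: str) -> List[str]:
    """Flag Run/RunOnce autostart writes; additionally flag a target under the
    user's Temp directory, which is where this sample points its RunOnce value."""
    tags = []
    if RUN_KEY_RE.search(key_path):
        tags.append("autostart_run_key")
        if TEMP_PATH_RE.search(value):
            tags.append("autostart_from_temp")
    return tags


def triage(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """Run every event through the rules; return (pid, tag, technique) triples."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            tags = classify_command(ev["cmdline"])
        elif ev["type"] == "registry_set":
            tags = classify_registry_write(ev["key"], ev["value"])
        else:
            tags = []
        for tag in tags:
            findings.append((ev["pid"], tag, ATTACK_MAP.get(tag, "")))
    return findings


# Events reconstructed from the report (constructed sample input).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 304,
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"'},
    {"type": "process", "pid": 1700, "cmdline": r"vssadmin delete shadows /all /quiet"},
    {"type": "process", "pid": 556, "cmdline": r"bcdedit.exe /set {default} recoveryenabled no"},
    {"type": "process", "pid": 1500,
     "cmdline": r"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"type": "process", "pid": 1048, "cmdline": r"ping -n 1 -w 5000 10.10.254.254"},
    {"type": "process", "pid": 1748,
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README_5326619.txt'},
    {"type": "registry_set", "pid": 856,
     "key": r"\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\ecfPJqv.exe",
     "value": r"C:\Users\Admin\AppData\Local\Temp\Adobe\ecfPJqv.exe"},
]

if __name__ == "__main__":
    for pid, tag, technique in triage(SAMPLE_EVENTS):
        print(f"{pid:>5}  {tag:<22} {technique}")
```

The vssadmin and bcdedit rules are tight on purpose: `vssadmin list shadows` and `bcdedit /enum` are routine administration and should not fire. On real telemetry, key the ping rule on the parent being cmd.exe spawned from an unusual path, as it is here, rather than on ping alone.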
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\update.bat
  MD5: d7e130066bfb1bdeed398db9e46ed158
  SHA1: 284944a9518de2bd875d67c1b7cd9230ac5f090c
  SHA256: 54937b7b28a10c0826e67d5caa2e5f99a003c8d39b133a85c712d9f2c29b58d8
  SHA512: 5e532fc09403dc4df423f4554b61b4688ca37fbcfac15b74c50904a9fabde7b59ce1f0b521ebf55d2c09e5d901d355a1e16641304220861ecf807ccaf8b0468b

C:\Users\Admin\AppData\Roaming\delback.bat
  MD5: 2450c91afcc2d4cc3dea374820bed314
  SHA1: dd1b61d0aa6d1769018c1d3144de9bb960a64d3c
  SHA256: 4f157084c6e48b547e698ed83ae9a853a4db4b7a115249db272e3eb93316f7df
  SHA512: b0b21d16b7f35bfc5526ed07407ec85a221a7a036827b65dce0a449d02a31f3f6f5ce2fbf94f0af01ce4a248b27ccf5f287dd2746ee423766be8d366f78ccc91

C:\Users\Admin\Desktop\README_5326619.txt
  MD5: 64ae0e16a4f7e8de66f5daca71041e72
  SHA1: 8f865faca743b24e69f170c639ef49b14a4b2709
  SHA256: 1e98f33437fcce7f569a5c474c6f0e37d93a54d6574567ffa2c96fc05e2b5955
  SHA512: 8c1f4febfa60e840fdff3dc87f1a6655528e2d3c714cce634169956521e9b2b92d9bdd9486dea2c6cafcf90f817d25f5e442aa925e28a173071c1bf1bebc2a79

C:\Users\Admin\Desktop\UHJvdGVjdEJhY2t1cC54bWw=
  MD5: 7e517afc93c80256ebbde8875304b1b3
  SHA1: af43d4d8ce7816fc04f630eab484ee4aaca7ceae
  SHA256: 33c460e696257685b1d86e35852af3cd2638fcbc55fd10a3f3c4ff4ab361439a
  SHA512: 9b1868143d7258717a43a9481c135f75df11cbc38f318cfc770edeea8c9035fe85d4b94d638da93bd583340c5d3bdbb01b278cf5a84a084d2cacb29e6ec2db78

C:\Users\Admin\Desktop\V2F0Y2hHcmFudC5tcGVn
  MD5: 76580dce81fe3e4766c835634295b009
  SHA1: 0e91b381ffc2da14ca10640bdfe7ae3e9b64100f
  SHA256: fb334c322a2c74eba9fdb7af495188d071282aae77244e41d35842cf0de040d6
  SHA512: 79f1688578be5c3b22abd716bcdad0390bcab0652497b0c98e2f1e53b1d539a770bf43ece6f24d5f4580b78562e6b685766b89e6b36e0d6cd30a4489bc652648
memory/856-53-0x00000000008B0000-0x00000000008C4000-memory.dmp (80KB)
memory/856-54-0x000007FEF5883000-0x000007FEF5884000-memory.dmp (4KB)
memory/856-55-0x000000001B2C0000-0x000000001B2C2000-memory.dmp (8KB)
memory/856-56-0x000000001B2C6000-0x000000001B2E5000-memory.dmp (124KB)
memory/1748-59-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp (8KB)
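The two Desktop files listed above, V2F0Y2hHcmFudC5tcGVn and UHJvdGVjdEJhY2t1cC54bWw=, have names that are valid base64 of ordinary filenames ("WatchGrant.mpeg" and "ProtectBackup.xml"), which is why they carry no extension and fall through to the "Open with" dialog in the process tree. That the sample renames each encrypted file to the base64 of its original name is an inference from these two names; the report does not state it. The following Python is an added example, not part of the report: a strict decoder that recovers original names from such paths while rejecting ordinary filenames that happen to look base64-like; the path list is copied from the report.

```python
"""Recover original filenames from base64-encoded names.

Added example, not part of the sandbox report. The inference that encrypted
files are renamed to base64(original name) is an assumption drawn from the two
Desktop names in the report; REPORT_PATHS are copied from it.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Standard alphabet, optional '=' padding only at the end, no whitespace.
_B64_NAME = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_b64_filename(name: str) -> Optional[str]:
    """Return the decoded name if `name` is strict, padded base64 of a printable
    ASCII filename that has an extension; otherwise None.

    Length must be a multiple of 4 (padded encoding), the decode must be strict
    (validate=True rejects stray characters), and the result must be printable
    ASCII containing a '.', which weeds out short names like "Public" or "Music"
    whose bytes decode to non-text.
    """
    if len(name) % 4 or not _B64_NAME.match(name):
        return None
    try:
        text = base64.b64decode(name, validate=True).decode("ascii")
    except (binascii.Error, ValueError):  # bad padding/alphabet, or non-ASCII bytes
        return None
    if not text.isprintable() or "." not in text:
        return None
    return text


def scan_paths(paths: List[str]) -> Dict[str, str]:
    """Map each Windows path whose basename decodes to its recovered original name."""
    recovered = {}
    for path in paths:
        basename = path.rsplit("\\", 1)[-1]
        original = decode_b64_filename(basename)
        if original is not None:
            recovered[path] = original
    return recovered


# Paths copied from this report: two renamed files, the ransom note, a file the
# sample opened for modification, and one of the desktop.ini files it created.
REPORT_PATHS = [
    r"C:\Users\Admin\Desktop\V2F0Y2hHcmFudC5tcGVn",
    r"C:\Users\Admin\Desktop\UHJvdGVjdEJhY2t1cC54bWw=",
    r"C:\Users\Admin\Desktop\README_5326619.txt",
    r"C:\Users\Admin\Pictures\TestPing.tiff",
    r"C:\Users\Public\Music\desktop.ini",
]

if __name__ == "__main__":
    for path, original in scan_paths(REPORT_PATHS).items():
        print(f"{path} -> {original}")
```

Run this over a full file listing from an affected host to build the inventory of encrypted files and their original names before any cleanup; the decoder is deliberately strict so that it never reports a genuine filename as "decoded".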