Overview

overview

10

Static

static

ecfPJqv.exe

windows7_x64

10

ecfPJqv.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    14/02/2022, 15:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ecfPJqv.exe

  • Size

    53KB

  • MD5

    11fea5d1914bb2a69c21d33e4d57075e

  • SHA1

    0805389d789d5d7cc1445c0b49563f8646975613

  • SHA256

    9378b1a61cd599f6b2f21f7449d6cf35d260a7096aa1fdb9dfa2743457dfc9fc

  • SHA512

    43fd021fd27a2cb5d56da23ab5dfe27efce0d57252ae25f139277f90658f2350153c781433d2dd4913bb5f79660ce861613d31d143d3ed207bc7b42ad1854bbe

Score
10/10
evasionpersistenceransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\README_7639322.txt

Ransom Note
Ooops, your important files are encrypted. Your personal Id: eCWUVkbhLdcs0hkrcpL8Qc17pjCYeaqf77ms8COqk5sa71WfPo33oYhztUn+ytkuPnciXjk9tZsY//TxHfDuHN56Lz1/L/7RQA3WuRpTnpTFQFTl4iP+JovFo46gWXQFbKDOTgnelRy6XxranDgJTUGq744mu5zuXGeLwBHIifAxAvbBesuao1SkIGifHaVcDebfQfRtVXaGxw8IW1luOqD0cLE7WLPhjvG8o/p680q+b/ZPBryMQpWdDaR+BEfLeuU5bqjniVUPK05VfR1rydJmrqkLQ6pICr5QKUvmtNVRsdgmINlH1qcHheMPF4BRdWMgimE44J210ggYW3F+ag==&ZW4tVVNfNzYzOTMyMl9BZG1pbl8yLzE0LzIwMjIgNDo0MTo0MCBQTV9XaW4gMTBfYmxwb19lY2ZQSnF2 If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service. We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment and purchase the decryption key. Please follow the instructions: 1. Send $300 worth of Bitcoin to following address: 33Ui4qyDn3UNJgjY8UJJLsC5xydbQTgQKP 2. Send your Bitcoin wallet ID and personal id to e-mail [email protected]. �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������
Wallets

33Ui4qyDn3UNJgjY8UJJLsC5xydbQTgQKP

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Disables Task Manager via registry modification
    evasion
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 25 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies data under HKEY_USERS 51 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ecfPJqv.exe
    "C:\Users\Admin\AppData\Local\Temp\ecfPJqv.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Maps connected drives based on registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2644
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:3716
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:3200
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3244
      • C:\Windows\system32\PING.EXE
        ping -n 1 -w 5000 10.10.254.254
        3⤵
        • Runs ping.exe
        PID:3828
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:864
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:1928
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3460
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:1060
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README_7639322.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:1568

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3636-133-0x00007FFAB0E63000-0x00007FFAB0E65000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3636-134-0x00000000002A0000-0x00000000002B4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3636-135-0x000000001BBC0000-0x000000001BBC2000-memory.dmp

      Filesize

      8KB

      Download