Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    14-02-2022 15:41

General

  • Target

    ecfPJqv.exe

  • Size

    53KB

  • MD5

    11fea5d1914bb2a69c21d33e4d57075e

  • SHA1

    0805389d789d5d7cc1445c0b49563f8646975613

  • SHA256

    9378b1a61cd599f6b2f21f7449d6cf35d260a7096aa1fdb9dfa2743457dfc9fc

  • SHA512

    43fd021fd27a2cb5d56da23ab5dfe27efce0d57252ae25f139277f90658f2350153c781433d2dd4913bb5f79660ce861613d31d143d3ed207bc7b42ad1854bbe

Malware Config

Extracted

Path

C:\$Recycle.Bin\README_7639322.txt

Ransom Note

Ooops, your important files are encrypted. Your personal Id: eCWUVkbhLdcs0hkrcpL8Qc17pjCYeaqf77ms8COqk5sa71WfPo33oYhztUn+ytkuPnciXjk9tZsY//TxHfDuHN56Lz1/L/7RQA3WuRpTnpTFQFTl4iP+JovFo46gWXQFbKDOTgnelRy6XxranDgJTUGq744mu5zuXGeLwBHIifAxAvbBesuao1SkIGifHaVcDebfQfRtVXaGxw8IW1luOqD0cLE7WLPhjvG8o/p680q+b/ZPBryMQpWdDaR+BEfLeuU5bqjniVUPK05VfR1rydJmrqkLQ6pICr5QKUvmtNVRsdgmINlH1qcHheMPF4BRdWMgimE44J210ggYW3F+ag==&ZW4tVVNfNzYzOTMyMl9BZG1pbl8yLzE0LzIwMjIgNDo0MTo0MCBQTV9XaW4gMTBfYmxwb19lY2ZQSnF2 If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service. We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment and purchase the decryption key. Please follow the instructions: 1. Send $300 worth of Bitcoin to following address: 33Ui4qyDn3UNJgjY8UJJLsC5xydbQTgQKP 2. Send your Bitcoin wallet ID and personal id to e-mail wowsmith123456@posteo.net.
Emails

wowsmith123456@posteo.net

Wallets

33Ui4qyDn3UNJgjY8UJJLsC5xydbQTgQKP

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Disables Task Manager via registry modification
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 25 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies data under HKEY_USERS 51 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ecfPJqv.exe
    "C:\Users\Admin\AppData\Local\Temp\ecfPJqv.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Maps connected drives based on registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2644
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:3716
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:3200
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3244
      • C:\Windows\system32\PING.EXE
        ping -n 1 -w 5000 10.10.254.254
        3⤵
        • Runs ping.exe
        PID:3828
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:864
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:1928
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:3460
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:1060
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README_7639322.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • T1060 Registry Run Keys / Startup Folder (1)
  • Defense Evasion
    • T1107 File Deletion (2)
    • T1112 Modify Registry (1)
  • Discovery
    • T1012 Query Registry (3)
    • T1082 System Information Discovery (4)
    • T1120 Peripheral Device Discovery (1)
    • T1018 Remote System Discovery (1)
  • Impact
    • T1490 Inhibit System Recovery (3)

Downloads

    • C:\Users\Admin\AppData\Local\Temp\update.bat
      MD5

      d7e130066bfb1bdeed398db9e46ed158

      SHA1

      284944a9518de2bd875d67c1b7cd9230ac5f090c

      SHA256

      54937b7b28a10c0826e67d5caa2e5f99a003c8d39b133a85c712d9f2c29b58d8

      SHA512

      5e532fc09403dc4df423f4554b61b4688ca37fbcfac15b74c50904a9fabde7b59ce1f0b521ebf55d2c09e5d901d355a1e16641304220861ecf807ccaf8b0468b

    • C:\Users\Admin\AppData\Roaming\delback.bat
      MD5

      2450c91afcc2d4cc3dea374820bed314

      SHA1

      dd1b61d0aa6d1769018c1d3144de9bb960a64d3c

      SHA256

      4f157084c6e48b547e698ed83ae9a853a4db4b7a115249db272e3eb93316f7df

      SHA512

      b0b21d16b7f35bfc5526ed07407ec85a221a7a036827b65dce0a449d02a31f3f6f5ce2fbf94f0af01ce4a248b27ccf5f287dd2746ee423766be8d366f78ccc91

    • C:\Users\Admin\Desktop\README_7639322.txt
      MD5

      035fd3c76cf48c384688fef958f4b35d

      SHA1

      c1a32d5229dba9d7be240b3b11641102f122a467

      SHA256

      9937a07de5507fcf1789f11d7ead370c2dfd7a80c0cb2a786a9fd8ea3af7723b

      SHA512

      d6b6ed2f50f7941ae4b85cf280731880ab2ae6545b755e6c53f39a41f24b4f08ecf9129ca0e11836d12d52acdef0505897d785b84e7699c3a947159da3a98461

    • C:\Users\All Users\USOShared\Logs\User\NotifyIcon.7e7e6638-492c-4946-8981-d9c0872e8251.1.etl
      MD5

      1828f210c0f4df1b61a6004e5a705bcd

      SHA1

      78deb67b99ee9a5b7b716fe0f03712c3c78cf208

      SHA256

      87900a52483224d0e542c8748b24f52f17155357d49cba202f8c946ca520bddc

      SHA512

      2f9da7cce6f5ff6cd943f38af78c3928e3ba7a7a5082ef1dbaeadd3203097ef1de6c43e9eb12d83a6e1a3a7106584a788094bbc31c87f8fa26b06111f0f92e60

    • memory/3636-133-0x00007FFAB0E63000-0x00007FFAB0E65000-memory.dmp
      Filesize

      8KB

    • memory/3636-134-0x00000000002A0000-0x00000000002B4000-memory.dmp
      Filesize

      80KB

    • memory/3636-135-0x000000001BBC0000-0x000000001BBC2000-memory.dmp
      Filesize

      8KB