6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702

General

Target

6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe
Size

27KB
MD5

77b7e9ffa41774dd3b2947628ee4a6e1
SHA1

80cd3cda8a7794050d73a8c00e388b3ac27c2493
SHA256

6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702
SHA512

ac13223c483cca0404974487825f82e3390041bc6d4d3896fe4b97898c1542bb83d7324fd71a0af0caed031aee75a46df00f1605bf8363b5024f284476ec09a7

Score

10^/10

evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Links\HELP_DECRYPT_YOUR_FILES.txt

Ransom Note

Oops All Of your important files were encrypted Like document pictures videos etc.. Don't worry, you can return all your files! All your files, documents, photos, databases and other important files are encrypted by a strong encryption. How to recover files? RSA is a asymmetric cryptographic algorithm, you need one key for encryption and one key for decryption so you need private key to recover your files. It’s not possible to recover your files without private key. The only method of recovering files is to purchase an unique private key.Only we can give you this key and only we can recover your files. What guarantees you have? As evidence, you can send us 1 file to decrypt by email We will send you a recovery file Prove that we can decrypt your file Please You must follow these steps carefully to decrypt your files: Send $500 worth of bitcoin to wallet: bc1q6ug0vrxz66d564qznclu9yyyvn6zurskezmt64 after payment,we will send you Decryptor software contact email: [email protected] Your personal ID: nF0jbQ9jJ2SkNrUdaSqAZiMKEa7opH2eDo7xKTfAIUqkry5EtaeSp7r1kJje1hIEhB65HuaombhB3t1g9aaYh82EJdp3l0MQLvhIuZ0YUPQvQ4NyKhjQttrovSDkJ5IMltMDyTNfzzWh7QbdaYqFVnTBgYD6C/fPtO+0HVv6Sm0=

Emails

[email protected]

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\NewConnect.png => C:\Users\Admin\Pictures\NewConnect.png.cantopen	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe
File renamed	C:\Users\Admin\Pictures\RequestCopy.png => C:\Users\Admin\Pictures\RequestCopy.png.cantopen	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe
File renamed	C:\Users\Admin\Pictures\SyncRead.raw => C:\Users\Admin\Pictures\SyncRead.raw.cantopen	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1952	vssadmin.exe
272	vssadmin.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1116	reg.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1492	vssvc.exe
Token: SeRestorePrivilege	1492	vssvc.exe
Token: SeAuditPrivilege	1492	vssvc.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 368	804	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe	27
PID 804 wrote to memory of 368	804	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe	27
PID 804 wrote to memory of 368	804	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe	27
PID 804 wrote to memory of 320	804	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe	29
PID 804 wrote to memory of 320	804	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe	29
PID 804 wrote to memory of 320	804	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe	29
PID 320 wrote to memory of 272	320	cmd.exe	31
PID 320 wrote to memory of 272	320	cmd.exe	31
PID 320 wrote to memory of 272	320	cmd.exe	31
PID 368 wrote to memory of 1116	368	cmd.exe	32
PID 368 wrote to memory of 1116	368	cmd.exe	32
PID 368 wrote to memory of 1116	368	cmd.exe	32
PID 804 wrote to memory of 1548	804	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe	35
PID 804 wrote to memory of 1548	804	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe	35
PID 804 wrote to memory of 1548	804	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe	35
PID 1548 wrote to memory of 1952	1548	cmd.exe	37
PID 1548 wrote to memory of 1952	1548	cmd.exe	37
PID 1548 wrote to memory of 1952	1548	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe
"C:\Users\Admin\AppData\Local\Temp\6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe"
1⤵
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1116
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:272
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/804-54-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/804-55-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/804-56-0x000000001B340000-0x000000001B342000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing