6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702

General

Target

6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe
Size

27KB
MD5

77b7e9ffa41774dd3b2947628ee4a6e1
SHA1

80cd3cda8a7794050d73a8c00e388b3ac27c2493
SHA256

6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702
SHA512

ac13223c483cca0404974487825f82e3390041bc6d4d3896fe4b97898c1542bb83d7324fd71a0af0caed031aee75a46df00f1605bf8363b5024f284476ec09a7

Score

10^/10

evasion ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\Links\HELP_DECRYPT_YOUR_FILES.txt

Ransom Note

Oops All Of your important files were encrypted Like document pictures videos etc.. Don't worry, you can return all your files! All your files, documents, photos, databases and other important files are encrypted by a strong encryption. How to recover files? RSA is a asymmetric cryptographic algorithm, you need one key for encryption and one key for decryption so you need private key to recover your files. It’s not possible to recover your files without private key. The only method of recovering files is to purchase an unique private key.Only we can give you this key and only we can recover your files. What guarantees you have? As evidence, you can send us 1 file to decrypt by email We will send you a recovery file Prove that we can decrypt your file Please You must follow these steps carefully to decrypt your files: Send $500 worth of bitcoin to wallet: bc1q6ug0vrxz66d564qznclu9yyyvn6zurskezmt64 after payment,we will send you Decryptor software contact email: CCWhite@onionmail.org Your personal ID: nF0jbQ9jJ2SkNrUdaSqAZiMKEa7opH2eDo7xKTfAIUqkry5EtaeSp7r1kJje1hIEhB65HuaombhB3t1g9aaYh82EJdp3l0MQLvhIuZ0YUPQvQ4NyKhjQttrovSDkJ5IMltMDyTNfzzWh7QbdaYqFVnTBgYD6C/fPtO+0HVv6Sm0=

Emails

CCWhite@onionmail.org

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\NewConnect.png => C:\Users\Admin\Pictures\NewConnect.png.cantopen	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe
File renamed	C:\Users\Admin\Pictures\RequestCopy.png => C:\Users\Admin\Pictures\RequestCopy.png.cantopen	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe
File renamed	C:\Users\Admin\Pictures\SyncRead.raw => C:\Users\Admin\Pictures\SyncRead.raw.cantopen	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1952 vssadmin.exe
272 vssadmin.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1116 reg.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1492 vssvc.exe
Token: SeRestorePrivilege 1492 vssvc.exe
Token: SeAuditPrivilege 1492 vssvc.exe

pid	process
1952	vssadmin.exe
272	vssadmin.exe

pid	process
1116	reg.exe

description	pid	process
Token: SeBackupPrivilege	1492	vssvc.exe
Token: SeRestorePrivilege	1492	vssvc.exe
Token: SeAuditPrivilege	1492	vssvc.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.execmd.execmd.execmd.exe

description	pid	process	target process
PID 804 wrote to memory of 368	804	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe	cmd.exe
PID 804 wrote to memory of 368	804	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe	cmd.exe
PID 804 wrote to memory of 368	804	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe	cmd.exe
PID 804 wrote to memory of 320	804	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe	cmd.exe
PID 804 wrote to memory of 320	804	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe	cmd.exe
PID 804 wrote to memory of 320	804	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe	cmd.exe
PID 320 wrote to memory of 272	320	cmd.exe	vssadmin.exe
PID 320 wrote to memory of 272	320	cmd.exe	vssadmin.exe
PID 320 wrote to memory of 272	320	cmd.exe	vssadmin.exe
PID 368 wrote to memory of 1116	368	cmd.exe	reg.exe
PID 368 wrote to memory of 1116	368	cmd.exe	reg.exe
PID 368 wrote to memory of 1116	368	cmd.exe	reg.exe
PID 804 wrote to memory of 1548	804	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe	cmd.exe
PID 804 wrote to memory of 1548	804	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe	cmd.exe
PID 804 wrote to memory of 1548	804	6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe	cmd.exe
PID 1548 wrote to memory of 1952	1548	cmd.exe	vssadmin.exe
PID 1548 wrote to memory of 1952	1548	cmd.exe	vssadmin.exe
PID 1548 wrote to memory of 1952	1548	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe
"C:\Users\Admin\AppData\Local\Temp\6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe"
1⤵
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\System32\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:1116

C:\Windows\system32\cmd.exe
"cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:272

C:\Windows\system32\cmd.exe
"cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

File Deletion

2

T1107

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/804-54-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/804-55-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/804-56-0x000000001B340000-0x000000001B342000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing