Analysis

  • max time kernel
    173s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    15/02/2022, 08:35

General

  • Target

    6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe

  • Size

    27KB

  • MD5

    77b7e9ffa41774dd3b2947628ee4a6e1

  • SHA1

    80cd3cda8a7794050d73a8c00e388b3ac27c2493

  • SHA256

    6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702

  • SHA512

    ac13223c483cca0404974487825f82e3390041bc6d4d3896fe4b97898c1542bb83d7324fd71a0af0caed031aee75a46df00f1605bf8363b5024f284476ec09a7

Malware Config

Extracted

Path

C:\Users\Admin\Links\HELP_DECRYPT_YOUR_FILES.txt

Ransom Note
Oops All Of your important files were encrypted Like document pictures videos etc..
Don't worry, you can return all your files!
All your files, documents, photos, databases and other important files are encrypted by a strong encryption.
How to recover files?
RSA is a asymmetric cryptographic algorithm, you need one key for encryption and one key for decryption so you need private key to recover your files.
It’s not possible to recover your files without private key.
The only method of recovering files is to purchase an unique private key.Only we can give you this key and only we can recover your files.
What guarantees you have?
As evidence, you can send us 1 file to decrypt by email
We will send you a recovery file Prove that we can decrypt your file
Please You must follow these steps carefully to decrypt your files:
Send $500 worth of bitcoin to wallet: bc1q6ug0vrxz66d564qznclu9yyyvn6zurskezmt64
after payment,we will send you Decryptor software
contact email: [email protected]
Your personal ID: sQ21fcXpFQ/6l6KURgxOAYnyNSJcluR22jzU4w8j6/pRXJMgQlW/AaNGvlALjHtvnsvmTvnMd7Eu6yp0pKn28Qq7S0lK80w9xOge0gfdSExpIeDlarqx2bw9y2bPW42qge/BDkkB95xLCbn/u/pTc0vR85EZaMdyOOBNszVFd9w=
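Indicator extraction over the note above, as an added example that is not part of the report or of the sample: it pulls the wallet, the ransom amount and the "personal ID" out of the text, checks the wallet's bech32 checksum offline (BIP173/BIP350 polymod, no network lookup) and base64-decodes the ID to see how large the blob is. The note text is the one shown in this report (the contact address survives only as the extraction placeholder "[email protected]", so no e-mail is parsed); the function names and the BIP173 test vector used for the self-check are this example's own.

```python
"""Pull indicators out of the HELP_DECRYPT_YOUR_FILES.txt note and sanity-check
them offline.  Added example, not code from the report or the sample."""
import base64
import re

# The "personal ID" exactly as printed in the report (one base64 string).
PERSONAL_ID = ("sQ21fcXpFQ/6l6KURgxOAYnyNSJcluR22jzU4w8j6/pRXJMgQlW/AaNGvlALjHtvnsvmTvnM"
               "d7Eu6yp0pKn28Qq7S0lK80w9xOge0gfdSExpIeDlarqx2bw9y2bPW42qge/BDkkB95xLCbn/"
               "u/pTc0vR85EZaMdyOOBNszVFd9w=")

# Note text as shown in the report's Malware Config section.
NOTE = (
    "Oops All Of your important files were encrypted Like document pictures "
    "videos etc.. Don't worry, you can return all your files! All your files, "
    "documents, photos, databases and other important files are encrypted by "
    "a strong encryption. How to recover files? RSA is a asymmetric "
    "cryptographic algorithm, you need one key for encryption and one key for "
    "decryption so you need private key to recover your files. It's not "
    "possible to recover your files without private key. The only method of "
    "recovering files is to purchase an unique private key.Only we can give "
    "you this key and only we can recover your files. What guarantees you "
    "have? As evidence, you can send us 1 file to decrypt by email We will "
    "send you a recovery file Prove that we can decrypt your file Please You "
    "must follow these steps carefully to decrypt your files: Send $500 worth "
    "of bitcoin to wallet: bc1q6ug0vrxz66d564qznclu9yyyvn6zurskezmt64 after "
    "payment,we will send you Decryptor software contact email: "
    "[email protected] Your personal ID: " + PERSONAL_ID
)

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # BIP173 alphabet (no 1, b, i, o)
WALLET_RE = re.compile(r"\bbc1[" + CHARSET + r"]{6,87}")
USD_RE = re.compile(r"\$\s?(\d[\d,]*)")
ID_RE = re.compile(r"personal ID:\s*([A-Za-z0-9+/]+={0,2})")


def _polymod(values):
    """BIP173 checksum polynomial over 5-bit values."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def bech32_checksum_ok(addr):
    """True if addr carries a valid bech32 (witness v0) or bech32m (v1+) checksum.
    A checksum only proves the string is well-formed, not that the wallet is live."""
    if addr not in (addr.lower(), addr.upper()) or not 8 <= len(addr) <= 90:
        return False  # mixed case or impossible length
    addr = addr.lower()
    sep = addr.rfind("1")
    if sep < 1 or len(addr) - sep - 1 < 6:
        return False
    hrp, body = addr[:sep], addr[sep + 1:]
    if any(c not in CHARSET for c in body):
        return False
    data = [CHARSET.index(c) for c in body]
    const = 1 if data[0] == 0 else 0x2BC830A3  # BIP350: bech32m for v1+
    return _polymod(_hrp_expand(hrp) + data) == const


def parse_note(text):
    """Return the indicators a responder would lift from the note."""
    wallet = WALLET_RE.search(text)
    usd = USD_RE.search(text)
    pid = ID_RE.search(text)
    # validate=True rejects stray characters instead of silently skipping them.
    id_bytes = base64.b64decode(pid.group(1), validate=True) if pid else b""
    return {
        "wallet": wallet.group(0) if wallet else None,
        "wallet_checksum_ok": bech32_checksum_ok(wallet.group(0)) if wallet else False,
        "usd": int(usd.group(1).replace(",", "")) if usd else None,
        "personal_id": pid.group(1) if pid else None,
        "personal_id_len": len(id_bytes),  # 128 bytes = 1024 bits for this note
    }


if __name__ == "__main__":
    for key, value in parse_note(NOTE).items():
        print(f"{key}: {value}")
```

The decoded "personal ID" is 128 bytes, the size of a 1024-bit RSA ciphertext or modulus; that is consistent with the note's RSA claim and with the ID being an encrypted per-victim key, but the report does not establish the sample's actual scheme, so treat it as an inference.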

Signatures

  • UAC bypass 3 TTPs

    The only action behind this hit is the reg.exe ADD of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 1 (PIDs 1160 and 3368 below), which writes the default value that keeps UAC enabled. Read it as a heuristic match on a UAC-related key rather than an observed bypass; a write of 0 would be the actual weakening.
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check. The sample went on to encrypt files on this English-locale image, so whatever locales it excludes, the sandbox's is not among them.

  • Drops file in Windows directory 3 IoCs

    The IoCs belong to svchost.exe (PID 3344) and TiWorker.exe (PID 2156), i.e. Windows servicing activity running in the background of the sandbox, not to the sample.
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments. In this run the only process carrying the tag is MusNotifyIcon.exe (PID 3312), a Windows Update notification binary, so the hit is background noise rather than evasion by the sample.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery. Seen here as two vssadmin.exe delete shadows /all /quiet runs (PIDs 3276 and 3236), each launched through its own cmd.exe /c wrapper from the sample; both need an elevated token to succeed.

  • Modifies data under HKEY_USERS 50 IoCs

    All 50 IoCs are on svchost.exe -k NetworkService (PID 3344), i.e. background service activity, not the sample.

  • Modifies registry key 1 TTPs 1 IoCs

    The reg.exe ADD of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 (PID 3368).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs

    Carried by vssvc.exe (PID 2728) and TiWorker.exe (PID 2156) only; the VSS service coming up is the expected side effect of the vssadmin calls.

  • Suspicious use of WriteProcessMemory 12 IoCs

    Tagged on the sample (PID 1872) and on each cmd.exe it spawned, the same parent/child pairs that appear in the process tree; nothing here points at injection into a foreign process.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe
    "C:\Users\Admin\AppData\Local\Temp\6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\System32\reg.exe
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:3368
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3276
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3720
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3236
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:3312
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2728
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:3344
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2156
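Detection logic over the process tree above, as an added example that is not part of the report or of the sandbox's own rule set. The EVENTS list holds constructed Sysmon-style process-creation records (pid, ppid, image, cmdline) transcribed from the tree, plus one constructed record (pid 9001) showing the EnableLUA write that would actually disable UAC. The rules match on the leaf binary (reg.exe, vssadmin.exe, wmic.exe) rather than on the cmd.exe wrapper whose command line also contains the string, so each action is reported once, and they walk the parent chain back to the sample so the finding carries its provenance. Rule names, severities and helper names are this example's own.

```python
"""Process-tree detection for shadow-copy deletion and EnableLUA writes.
Added example; the events are constructed from the report's process tree."""
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\6b2eef51eb8d2da78055f70b99a85766ba6731a99a5c1b90eaaa80a47ca42702.exe")
REG_CMD = (r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows"
           r"\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f")
VSS_CMD = r"vssadmin.exe delete shadows /all /quiet"

# ppid None: the sample's parent is the sandbox launcher, which the report omits.
EVENTS = [
    {"pid": 1872, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1160, "ppid": 1872, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f'},
    {"pid": 3368, "ppid": 1160, "image": r"C:\Windows\System32\reg.exe", "cmdline": REG_CMD},
    {"pid": 1956, "ppid": 1872, "image": r"C:\Windows\SYSTEM32\cmd.exe", "cmdline": f'"cmd.exe" /c {VSS_CMD}'},
    {"pid": 3276, "ppid": 1956, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": VSS_CMD},
    {"pid": 3720, "ppid": 1872, "image": r"C:\Windows\SYSTEM32\cmd.exe", "cmdline": f'"cmd.exe" /c {VSS_CMD}'},
    {"pid": 3236, "ppid": 3720, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": VSS_CMD},
    # Constructed (not in the report): same chain, but DWORD 0 turns UAC prompts off.
    {"pid": 9001, "ppid": 1160, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": REG_CMD.replace("/d 1", "/d 0")},
]

# leaf image basename -> command-line pattern for shadow-copy removal
SHADOW_RULES = {
    "vssadmin.exe": re.compile(r"\bdelete\s+shadows\b", re.I),
    "wmic.exe": re.compile(r"\bshadowcopy\s+delete\b", re.I),
}
ENABLELUA_RE = re.compile(r"Policies\\System.*?/v\s+EnableLUA\b.*?/d\s+(\d+)", re.I)


@dataclass
class Finding:
    pid: int
    rule: str
    severity: str
    chain: str  # leaf <- parent <- ... as image basenames


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid):
    """Walk ppid links to the root; the seen-set guards against pid reuse loops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " <- ".join(chain)


def analyze(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        base, cmd = _basename(e["image"]), e["cmdline"]
        pat = SHADOW_RULES.get(base)
        if pat and pat.search(cmd):
            findings.append(Finding(e["pid"], "shadow_copy_deletion", "high",
                                    ancestry(by_pid, e["pid"])))
        if base == "reg.exe":
            m = ENABLELUA_RE.search(cmd)
            if m:
                # 0 disables UAC prompting; 1 is the default, so only a heuristic hit
                sev = "high" if int(m.group(1)) == 0 else "info"
                findings.append(Finding(e["pid"], "enablelua_write", sev,
                                        ancestry(by_pid, e["pid"])))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.severity:5} {f.rule:22} pid={f.pid:<5} {f.chain}")
```

On the report's own events this yields two high-severity shadow-copy findings (PIDs 3276 and 3236) and an info-level EnableLUA finding for PID 3368, all chained back to the sample; only the constructed /d 0 record is scored high on the UAC rule.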

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1872-130-0x00007FFAB0593000-0x00007FFAB0595000-memory.dmp

    Filesize

    8KB

  • memory/1872-131-0x0000000000D50000-0x0000000000D5C000-memory.dmp

    Filesize

    48KB

  • memory/1872-132-0x000000001E3E0000-0x000000001E3E2000-memory.dmp

    Filesize

    8KB