Analysis
max time kernel: 159s
max time network: 142s
platform: windows7_x64
resource: win7-en-20211208
submitted: 17/02/2022, 18:04
Static task: static1
Behavioral task: behavioral1 (sample: sample.exe, resource: win7-en-20211208)
Behavioral task: behavioral2 (sample: sample.exe, resource: win10v2004-en-20220113)
General
Target: sample.exe
Size: 30KB
MD5: 2222479d681f7a554976a9797f315fd2
SHA1: d535dfc613ab1081dcf0bb9dd92c0f533fa3a6b5
SHA256: af24612700c0105cf990148b19e5140314a55701c7022ccd2811e8ee29d68d74
SHA512: 5dbf583e232d662cebbc191e7e9b2c73bfd04e0c455f599b88c5428354f777ea4cf47b8a06551b34519912861d05d78c4b2e2159a6e330749a943c7476925fc4
Score: 10/10
Malware Config
Extracted
Path: C:\restore-files.txt
Ransom Note (verbatim, typos as dropped by the sample):
╔════════════════╗
═╣ What happened? ╠═
╚════════════════╝
All of your important files have been encrypted and all sensitive data was stolen.
The only way to restore your files and keep your data from going public is to contact us.
After a payment has been made you will be given access to decryption software.
As a quarantee we will decrypt 3 files for free.
If you don't contact us within 72 hours the price will be doubled.
╔══════════════╗
═╣ Instructions ╠═
╚══════════════╝
- Download qTOX messanger from https://qtox.github.io/
- Send message to this Tox ID: 3728E933284CE638D06FCF1CBE921096E102508BD370D6D23137D3271EE5733825F63F56805E
Your message should contain your Unique Key: 53566134903697098455
URLs: https://qtox.github.io/
Signatures
Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\DisableLock.tiff => C:\Users\Admin\Pictures\DisableLock.tiff.locked | sample.exe
File opened for modification | C:\Users\Admin\Pictures\DisableLock.tiff.locked | sample.exe
File renamed | C:\Users\Admin\Pictures\ExitRequest.png => C:\Users\Admin\Pictures\ExitRequest.png.locked | sample.exe
File opened for modification | C:\Users\Admin\Pictures\ExitRequest.png.locked | sample.exe
File renamed | C:\Users\Admin\Pictures\SubmitDisconnect.tiff => C:\Users\Admin\Pictures\SubmitDisconnect.tiff.locked | sample.exe
File opened for modification | C:\Users\Admin\Pictures\SubmitDisconnect.tiff.locked | sample.exe
File renamed | C:\Users\Admin\Pictures\DebugAssert.raw => C:\Users\Admin\Pictures\DebugAssert.raw.locked | sample.exe
File opened for modification | C:\Users\Admin\Pictures\DebugAssert.raw.locked | sample.exe
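The signature above is driven by the rename pattern "original name + one new extension" repeated across user files. A detection heuristic built on that pattern, as an added example that is not code from the sandbox or from the sample: it replays constructed file events modelled on the IoCs above (the event tuple format, the benign rename by PID 4242 and the ransom-note word list are assumptions) and flags any process that appends one new extension to at least three files under C:\Users and also creates a ransom-note-like file.

```python
"""Heuristic for the 'Modifies extensions of user files' signature.

Added example; not code from the sandbox or from the sample. It replays a
constructed list of file events modelled on the report's IoCs (the event
tuple format is an assumption, not a sandbox export format).
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed events: (kind, pid, source path, destination path or None).
# The four renames and the note path mirror the report; the "Save As" rename
# by PID 4242 is made up to show the heuristic ignoring a benign rename.
EVENTS = [
    ("rename", 780, r"C:\Users\Admin\Pictures\DisableLock.tiff",
     r"C:\Users\Admin\Pictures\DisableLock.tiff.locked"),
    ("rename", 780, r"C:\Users\Admin\Pictures\ExitRequest.png",
     r"C:\Users\Admin\Pictures\ExitRequest.png.locked"),
    ("rename", 780, r"C:\Users\Admin\Pictures\SubmitDisconnect.tiff",
     r"C:\Users\Admin\Pictures\SubmitDisconnect.tiff.locked"),
    ("rename", 780, r"C:\Users\Admin\Pictures\DebugAssert.raw",
     r"C:\Users\Admin\Pictures\DebugAssert.raw.locked"),
    ("create", 780, r"C:\restore-files.txt", None),
    ("rename", 4242, r"C:\Users\Admin\Documents\report.docx",
     r"C:\Users\Admin\Documents\report_v2.docx"),
]

MIN_RENAMES = 3   # files renamed to one new extension before we alert
# Assumed note-name vocabulary; tune to your own environment.
NOTE_WORDS = ("restore", "recover", "decrypt", "readme", "how_to", "how-to")
NOTE_EXTS = {".txt", ".hta", ".html"}


def appended_extension(src, dst):
    """Return the extension dst appends to src's full name, else None.

    'b.tiff' -> 'b.tiff.locked' yields '.locked'; a rename that changes the
    base name ('report.docx' -> 'report_v2.docx') yields None.
    """
    s, d = PureWindowsPath(src), PureWindowsPath(dst)
    if d.parent != s.parent or not d.name.startswith(s.name + "."):
        return None
    return d.name[len(s.name):]


def in_user_dir(path):
    """True when a 'Users' component appears anywhere in the path."""
    return "users" in (part.lower() for part in PureWindowsPath(path).parts)


def is_ransom_note(path):
    """Name contains a note-like word and carries a text/HTML extension."""
    p = PureWindowsPath(path)
    return p.suffix.lower() in NOTE_EXTS and any(
        word in p.stem.lower() for word in NOTE_WORDS)


def analyze(events, min_renames=MIN_RENAMES):
    """Return {pid: finding} for processes meeting the rename threshold."""
    renames = defaultdict(lambda: defaultdict(list))   # pid -> ext -> [dst]
    notes = defaultdict(list)                          # pid -> [note path]
    for kind, pid, src, dst in events:
        if kind == "rename" and dst is not None and in_user_dir(src):
            ext = appended_extension(src, dst)
            if ext:
                renames[pid][ext].append(dst)
        elif kind == "create" and is_ransom_note(src):
            notes[pid].append(src)
    findings = {}
    for pid, by_ext in renames.items():
        # Score the single most-used appended extension per process.
        ext, files = max(by_ext.items(), key=lambda kv: len(kv[1]))
        if len(files) >= min_renames:
            findings[pid] = {"extension": ext, "count": len(files),
                             "files": files, "note_files": notes.get(pid, [])}
    return findings


if __name__ == "__main__":
    for pid, f in analyze(EVENTS).items():
        print(f"PID {pid}: {f['count']} files renamed to *{f['extension']}; "
              f"note files: {f['note_files']}")
```

Scoring the most common appended extension per process, rather than any rename, keeps a single "Save As" or a build tool that writes `.bak` copies below the threshold; the threshold itself belongs to the environment, not to this sample.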
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1396 | sample.exe (the same entry is listed 64 times)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 780 | sample.exe
Token: SeDebugPrivilege | 1396 | sample.exe
Token: SeBackupPrivilege | 856 | vssvc.exe
Token: SeRestorePrivilege | 856 | vssvc.exe
Token: SeAuditPrivilege | 856 | vssvc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 780 wrote to memory of 1396 | 780 | sample.exe | 30 (listed 3 times)
PID 780 wrote to memory of 1648 | 780 | sample.exe | 32 (listed 3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\sample.exe (PID 780)
  command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  - Modifies extensions of user files
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Local\Temp\sample.exe (PID 1396)
    command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe" 1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  child: C:\Users\Admin\AppData\Local\Temp\sample.exe (PID 1648)
    command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe" 0
C:\Windows\system32\vssvc.exe (PID 856)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
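The tree above is what the flattened signature rows encode: one parent that launches its own image twice with the numeric arguments 1 and 0, and vssvc.exe running without a recorded parent. As an added example that is not the sandbox's own code, the script below rebuilds that tree from the WriteProcessMemory and AdjustPrivilegeToken rows (their Python shape is an assumption, not a sandbox export format), collapses the triplicated write rows to one edge each, and reports the self-spawns with their arguments and the privileges each PID adjusted.

```python
"""Rebuild the process tree from the report's flattened event rows.

Added example; not the sandbox's own code. The tables below are constructed
from the report's Processes, WriteProcessMemory and AdjustPrivilegeToken
entries; their Python shape is an assumption.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# pid -> (image path, command line), as listed under Processes.
PROCESSES = {
    780: (r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    1396: (r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\sample.exe" 1'),
    1648: (r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\sample.exe" 0'),
    856: (r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
}
# (writer pid, target pid); the report lists each write three times, so the
# list is deliberately triplicated to exercise the de-duplication.
WRITES = [(780, 1396)] * 3 + [(780, 1648)] * 3
# (pid, privilege name) from the AdjustPrivilegeToken rows.
TOKENS = [(780, "SeDebugPrivilege"), (1396, "SeDebugPrivilege"),
          (856, "SeBackupPrivilege"), (856, "SeRestorePrivilege"),
          (856, "SeAuditPrivilege")]


def build_tree(processes, writes):
    """Return (children, roots); duplicate write rows collapse to one edge."""
    children = defaultdict(list)
    for parent, child in dict.fromkeys(writes):   # dedup, keep first order
        children[parent].append(child)
    child_set = {c for kids in children.values() for c in kids}
    roots = [pid for pid in processes if pid not in child_set]
    return children, roots


def command_args(image, cmdline):
    """Arguments that follow the quoted image path, or '' if none."""
    quoted = f'"{image}"'
    return cmdline[len(quoted):].strip() if cmdline.startswith(quoted) else ""


def self_spawns(processes, children):
    """(parent, child, args) for each child that runs the parent's own image."""
    found = []
    for parent, kids in children.items():
        for child in kids:
            if processes[child][0].lower() == processes[parent][0].lower():
                found.append((parent, child, command_args(*processes[child])))
    return found


def privileges(tokens):
    """pid -> sorted list of distinct privileges it enabled."""
    privs = defaultdict(set)
    for pid, name in tokens:
        privs[pid].add(name)
    return {pid: sorted(names) for pid, names in privs.items()}


def render(processes, children, roots, privs, depth=0, pid=None):
    """Indented one-line-per-process view, roots first, children beneath."""
    lines = []
    for p in (roots if pid is None else children.get(pid, [])):
        image, cmd = processes[p]
        tag = f"  [{', '.join(privs[p])}]" if p in privs else ""
        lines.append(f"{'  ' * depth}{PureWindowsPath(image).name} "
                     f"(PID {p}) {cmd}{tag}")
        lines.extend(render(processes, children, roots, privs, depth + 1, p))
    return lines


if __name__ == "__main__":
    kids, tops = build_tree(PROCESSES, WRITES)
    print("\n".join(render(PROCESSES, kids, tops, privileges(TOKENS))))
    for parent, child, args in self_spawns(PROCESSES, kids):
        print(f"self-spawn: {parent} -> {child} with args {args!r}")
```

The unparented vssvc.exe is expected: it is a service process started on demand by the Volume Shadow Copy infrastructure, so it will never appear as a WriteProcessMemory target of the sample even when the sample's activity is what brought it up.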