012532729ad9c1e9495a65d1961a9f66cb7b5ae6c6aa18b919241e0029091d42

General

Target

sample.exe
Size

30KB
MD5

2222479d681f7a554976a9797f315fd2
SHA1

d535dfc613ab1081dcf0bb9dd92c0f533fa3a6b5
SHA256

af24612700c0105cf990148b19e5140314a55701c7022ccd2811e8ee29d68d74
SHA512

5dbf583e232d662cebbc191e7e9b2c73bfd04e0c455f599b88c5428354f777ea4cf47b8a06551b34519912861d05d78c4b2e2159a6e330749a943c7476925fc4

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\restore-files.txt

Ransom Note

╔════════════════╗ ═╣ What happened? ╠═ ╚════════════════╝ All of your important files have been encrypted and all sensitive data was stolen. The only way to restore your files and keep your data from going public is to contact us. After a payment has been made you will be given access to decryption software. As a quarantee we will decrypt 3 files for free. If you don't contact us within 72 hours the price will be doubled. ╔══════════════╗ ═╣ Instructions ╠═ ╚══════════════╝ - Download qTOX messanger from https://qtox.github.io/ - Send message to this Tox ID: 3728E933284CE638D06FCF1CBE921096E102508BD370D6D23137D3271EE5733825F63F56805E Your message should contain your Unique Key: 53566134903697098455

URLs

https://qtox.github.io/

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4464 created 1324 4464 WerFault.exe backgroundTaskHost.exe

description	pid	process	target process
PID 4464 created 1324	4464	WerFault.exe	backgroundTaskHost.exe

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

sample.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SaveExpand.png.locked	sample.exe
File renamed	C:\Users\Admin\Pictures\UnblockSkip.raw => C:\Users\Admin\Pictures\UnblockSkip.raw.locked	sample.exe
File opened for modification	C:\Users\Admin\Pictures\ConfirmUnpublish.tif.locked	sample.exe
File renamed	C:\Users\Admin\Pictures\ConvertToSwitch.raw => C:\Users\Admin\Pictures\ConvertToSwitch.raw.locked	sample.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertToSwitch.raw.locked	sample.exe
File renamed	C:\Users\Admin\Pictures\SaveExpand.png => C:\Users\Admin\Pictures\SaveExpand.png.locked	sample.exe
File opened for modification	C:\Users\Admin\Pictures\UnblockSkip.raw.locked	sample.exe
File renamed	C:\Users\Admin\Pictures\CompareGroup.png => C:\Users\Admin\Pictures\CompareGroup.png.locked	sample.exe
File opened for modification	C:\Users\Admin\Pictures\CompareGroup.png.locked	sample.exe
File renamed	C:\Users\Admin\Pictures\ConfirmUnpublish.tif => C:\Users\Admin\Pictures\ConfirmUnpublish.tif.locked	sample.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

sample.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation sample.exe
Drops startup file 1 IoCs

Processes:

sample.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore-files.txt sample.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\restore-files.txt	sample.exe

Drops file in Windows directory 8 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4736 1324 WerFault.exe backgroundTaskHost.exe

pid	pid_target	process	target process
4736	1324	WerFault.exe	backgroundTaskHost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4120 taskkill.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe

pid	process
4120	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sample.exe

pid	process
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe
4932	sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sample.exesample.exevssvc.exetaskkill.exesvchost.exeTiWorker.exe

description	pid	process
Token: SeDebugPrivilege	4752	sample.exe
Token: SeDebugPrivilege	4932	sample.exe
Token: SeBackupPrivilege	360	vssvc.exe
Token: SeRestorePrivilege	360	vssvc.exe
Token: SeAuditPrivilege	360	vssvc.exe
Token: SeDebugPrivilege	4120	taskkill.exe
Token: SeShutdownPrivilege	5024	svchost.exe
Token: SeCreatePagefilePrivilege	5024	svchost.exe
Token: SeShutdownPrivilege	5024	svchost.exe
Token: SeCreatePagefilePrivilege	5024	svchost.exe
Token: SeShutdownPrivilege	5024	svchost.exe
Token: SeCreatePagefilePrivilege	5024	svchost.exe
Token: SeSecurityPrivilege	2412	TiWorker.exe
Token: SeRestorePrivilege	2412	TiWorker.exe
Token: SeBackupPrivilege	2412	TiWorker.exe
Token: SeBackupPrivilege	2412	TiWorker.exe
Token: SeRestorePrivilege	2412	TiWorker.exe
Token: SeSecurityPrivilege	2412	TiWorker.exe
Token: SeBackupPrivilege	2412	TiWorker.exe
Token: SeRestorePrivilege	2412	TiWorker.exe
Token: SeSecurityPrivilege	2412	TiWorker.exe
Token: SeBackupPrivilege	2412	TiWorker.exe
Token: SeRestorePrivilege	2412	TiWorker.exe
Token: SeSecurityPrivilege	2412	TiWorker.exe
Token: SeBackupPrivilege	2412	TiWorker.exe
Token: SeRestorePrivilege	2412	TiWorker.exe
Token: SeSecurityPrivilege	2412	TiWorker.exe
Token: SeBackupPrivilege	2412	TiWorker.exe
Token: SeRestorePrivilege	2412	TiWorker.exe
Token: SeSecurityPrivilege	2412	TiWorker.exe
Token: SeBackupPrivilege	2412	TiWorker.exe
Token: SeRestorePrivilege	2412	TiWorker.exe
Token: SeSecurityPrivilege	2412	TiWorker.exe
Token: SeBackupPrivilege	2412	TiWorker.exe
Token: SeRestorePrivilege	2412	TiWorker.exe
Token: SeSecurityPrivilege	2412	TiWorker.exe
Token: SeBackupPrivilege	2412	TiWorker.exe
Token: SeRestorePrivilege	2412	TiWorker.exe
Token: SeSecurityPrivilege	2412	TiWorker.exe
Token: SeBackupPrivilege	2412	TiWorker.exe
Token: SeRestorePrivilege	2412	TiWorker.exe
Token: SeSecurityPrivilege	2412	TiWorker.exe
Token: SeBackupPrivilege	2412	TiWorker.exe
Token: SeRestorePrivilege	2412	TiWorker.exe
Token: SeSecurityPrivilege	2412	TiWorker.exe
Token: SeBackupPrivilege	2412	TiWorker.exe
Token: SeRestorePrivilege	2412	TiWorker.exe
Token: SeSecurityPrivilege	2412	TiWorker.exe
Token: SeBackupPrivilege	2412	TiWorker.exe
Token: SeRestorePrivilege	2412	TiWorker.exe
Token: SeSecurityPrivilege	2412	TiWorker.exe
Token: SeBackupPrivilege	2412	TiWorker.exe
Token: SeRestorePrivilege	2412	TiWorker.exe
Token: SeSecurityPrivilege	2412	TiWorker.exe
Token: SeBackupPrivilege	2412	TiWorker.exe
Token: SeRestorePrivilege	2412	TiWorker.exe
Token: SeSecurityPrivilege	2412	TiWorker.exe
Token: SeBackupPrivilege	2412	TiWorker.exe
Token: SeRestorePrivilege	2412	TiWorker.exe
Token: SeSecurityPrivilege	2412	TiWorker.exe
Token: SeBackupPrivilege	2412	TiWorker.exe
Token: SeRestorePrivilege	2412	TiWorker.exe
Token: SeSecurityPrivilege	2412	TiWorker.exe
Token: SeBackupPrivilege	2412	TiWorker.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

sample.execmd.exeWerFault.exe

description	pid	process	target process
PID 4752 wrote to memory of 4932	4752	sample.exe	sample.exe
PID 4752 wrote to memory of 4932	4752	sample.exe	sample.exe
PID 4752 wrote to memory of 3692	4752	sample.exe	sample.exe
PID 4752 wrote to memory of 3692	4752	sample.exe	sample.exe
PID 4752 wrote to memory of 216	4752	sample.exe	cmd.exe
PID 4752 wrote to memory of 216	4752	sample.exe	cmd.exe
PID 216 wrote to memory of 4120	216	cmd.exe	taskkill.exe
PID 216 wrote to memory of 4120	216	cmd.exe	taskkill.exe
PID 4464 wrote to memory of 1324	4464	WerFault.exe	backgroundTaskHost.exe
PID 4464 wrote to memory of 1324	4464	WerFault.exe	backgroundTaskHost.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4752

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe" 1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe" 0
2⤵
PID:3692

\??\c:\windows\system32\cmd.exe
"c:\windows\system32\cmd.exe" /c taskkill /im sample.exe & del C:\Users\Admin\AppData\Local\Temp\sample.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\system32\taskkill.exe
taskkill /im sample.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:1324

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1324 -s 2044
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4736

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\restore-files.txt
1⤵
PID:1460

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\restore-files.txt
1⤵
PID:2008

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\restore-files.txt
1⤵
PID:4932

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 1324 -ip 1324
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:4920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sample.exe.log
MD5
f437fa309f8420b8c8a80dc74e0777a4

SHA1
2446dc98ad7cb68d1ec02134b757d924cc199112

SHA256
a76e4e7c609062c5cc5efa194b3c8810fecfeab64a4188e74573b32048044517

SHA512
1f2879534a1598e91a026757965a34c7314dd19c3bb5dc4c0e5bcf3bbfaf453069566a8adf0c4d2779532ad849146148de9ec842ea0d5e97166fe67990959ff5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\restore-files.txt
MD5
d9d69c22ab9b0fbe3b11890d42fb7438

SHA1
21de50a41825b6303d35b7d185f54875291db7ef

SHA256
1bd03097772c0fbc09da7c128e39c7dcf666cae8304da29222814c1bfcd6dee2

SHA512
d6c6579e6c05da216c73fa4473cfc6abf572b43f3dadbe9e5728547b2640ddb770100b90e387dfb83a55d0d78a29b7562dc2f017949795abf80400b8ad072111

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\restore-files.txt
MD5
d9d69c22ab9b0fbe3b11890d42fb7438

SHA1
21de50a41825b6303d35b7d185f54875291db7ef

SHA256
1bd03097772c0fbc09da7c128e39c7dcf666cae8304da29222814c1bfcd6dee2

SHA512
d6c6579e6c05da216c73fa4473cfc6abf572b43f3dadbe9e5728547b2640ddb770100b90e387dfb83a55d0d78a29b7562dc2f017949795abf80400b8ad072111

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\restore-files.txt
MD5
d9d69c22ab9b0fbe3b11890d42fb7438

SHA1
21de50a41825b6303d35b7d185f54875291db7ef

SHA256
1bd03097772c0fbc09da7c128e39c7dcf666cae8304da29222814c1bfcd6dee2

SHA512
d6c6579e6c05da216c73fa4473cfc6abf572b43f3dadbe9e5728547b2640ddb770100b90e387dfb83a55d0d78a29b7562dc2f017949795abf80400b8ad072111

Download Submit
C:\Users\Public\Desktop\restore-files.txt
MD5
d9d69c22ab9b0fbe3b11890d42fb7438

SHA1
21de50a41825b6303d35b7d185f54875291db7ef

SHA256
1bd03097772c0fbc09da7c128e39c7dcf666cae8304da29222814c1bfcd6dee2

SHA512
d6c6579e6c05da216c73fa4473cfc6abf572b43f3dadbe9e5728547b2640ddb770100b90e387dfb83a55d0d78a29b7562dc2f017949795abf80400b8ad072111

Download Submit
memory/3692-134-0x00007FF955023000-0x00007FF955025000-memory.dmp

Filesize
8KB

Download
memory/4752-131-0x00000000002D0000-0x00000000002DE000-memory.dmp

Filesize
56KB

Download
memory/4752-132-0x000000001AEF0000-0x000000001AEF2000-memory.dmp

Filesize
8KB

Download
memory/4752-130-0x00007FF955023000-0x00007FF955025000-memory.dmp

Filesize
8KB

Download
memory/4920-143-0x0000019B5CAE0000-0x0000019B5CAE4000-memory.dmp

Filesize
16KB

Download
memory/4932-133-0x00007FF955023000-0x00007FF955025000-memory.dmp

Filesize
8KB

Download
memory/4932-135-0x00000000025F0000-0x00000000025F2000-memory.dmp

Filesize
8KB

Download
memory/5024-139-0x000001D689520000-0x000001D689524000-memory.dmp

Filesize
16KB

Download
memory/5024-138-0x000001D686E20000-0x000001D686E30000-memory.dmp

Filesize
64KB

Download
memory/5024-137-0x000001D6867A0000-0x000001D6867B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads