Analysis

  • max time kernel
    141s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    17/02/2022, 18:04

General

  • Target

    sample.exe

  • Size

    30KB

  • MD5

    2222479d681f7a554976a9797f315fd2

  • SHA1

    d535dfc613ab1081dcf0bb9dd92c0f533fa3a6b5

  • SHA256

    af24612700c0105cf990148b19e5140314a55701c7022ccd2811e8ee29d68d74

  • SHA512

    5dbf583e232d662cebbc191e7e9b2c73bfd04e0c455f599b88c5428354f777ea4cf47b8a06551b34519912861d05d78c4b2e2159a6e330749a943c7476925fc4

Malware Config

Extracted

Path

C:\restore-files.txt

Ransom Note
╔════════════════╗
═╣ What happened? ╠═
╚════════════════╝
All of your important files have been encrypted and all sensitive data was stolen. The only way to restore your files and keep your data from going public is to contact us. After a payment has been made you will be given access to decryption software. As a quarantee we will decrypt 3 files for free. If you don't contact us within 72 hours the price will be doubled.
╔══════════════╗
═╣ Instructions ╠═
╚══════════════╝
- Download qTOX messanger from https://qtox.github.io/
- Send message to this Tox ID: 3728E933284CE638D06FCF1CBE921096E102508BD370D6D23137D3271EE5733825F63F56805E
Your message should contain your Unique Key: 53566134903697098455
URLs

https://qtox.github.io/
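The extracted note carries the only actor-controlled indicators in this report: a Tox ID, a per-victim "Unique Key", the qTox download URL and a 72-hour deadline. As an added example (not the sandbox's own extractor), the following Python parses those fields out of the note text and validates the Tox ID against the Tox ID layout (32-byte public key, 4-byte nospam, 2-byte checksum, where the checksum is the XOR of the preceding 36 bytes taken as 2-byte words), so a mistyped or truncated ID is flagged instead of being filed as an IoC. The regex patterns, field names and the RansomNoteConfig type are assumptions of this example, not anything the sample or the sandbox defines.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Note text copied from the "Malware Config" section of this report, with the
# box-drawing headers left in so the parser has to tolerate them.
RANSOM_NOTE = (
    "╔════════════════╗ ═╣ What happened? ╠═ ╚════════════════╝ "
    "All of your important files have been encrypted and all sensitive data "
    "was stolen. The only way to restore your files and keep your data from "
    "going public is to contact us. After a payment has been made you will be "
    "given access to decryption software. As a quarantee we will decrypt 3 "
    "files for free. If you don't contact us within 72 hours the price will "
    "be doubled. ╔══════════════╗ ═╣ Instructions ╠═ ╚══════════════╝ "
    "- Download qTOX messanger from https://qtox.github.io/ "
    "- Send message to this Tox ID: "
    "3728E933284CE638D06FCF1CBE921096E102508BD370D6D23137D3271EE5733825F63F56805E "
    "Your message should contain your Unique Key: 53566134903697098455"
)

# Patterns are assumptions about this note's wording, not a general ransomware grammar.
TOX_ID_RE = re.compile(r"Tox ID:\s*([0-9A-Fa-f]{76})\b")
UNIQUE_KEY_RE = re.compile(r"Unique Key:\s*([0-9A-Za-z]+)")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
DEADLINE_RE = re.compile(r"within\s+(\d+)\s+hours", re.IGNORECASE)


@dataclass(frozen=True)
class RansomNoteConfig:
    tox_id: str
    tox_id_checksum_ok: bool
    tox_public_key: str          # first 32 bytes: the stable part of a Tox ID
    unique_key: str
    urls: Tuple[str, ...]
    deadline_hours: Optional[int]


def tox_checksum_ok(tox_id_hex: str) -> bool:
    """Tox ID = 32-byte public key + 4-byte nospam + 2-byte checksum; the
    checksum is the XOR of the first 36 bytes taken as 18 two-byte words."""
    try:
        raw = bytes.fromhex(tox_id_hex)
    except ValueError:
        return False
    if len(raw) != 38:
        return False
    hi = lo = 0
    for i in range(0, 36, 2):
        hi ^= raw[i]
        lo ^= raw[i + 1]
    return raw[36] == hi and raw[37] == lo


def extract_config(note: str) -> RansomNoteConfig:
    """Pull the actor-controlled fields out of the note text."""
    m = TOX_ID_RE.search(note)
    if m is None:
        raise ValueError("no 76-hex-character Tox ID found in note")
    tox_id = m.group(1).upper()
    key = UNIQUE_KEY_RE.search(note)
    deadline = DEADLINE_RE.search(note)
    return RansomNoteConfig(
        tox_id=tox_id,
        tox_id_checksum_ok=tox_checksum_ok(tox_id),
        tox_public_key=tox_id[:64],
        unique_key=key.group(1) if key else "",
        urls=tuple(URL_RE.findall(note)),
        deadline_hours=int(deadline.group(1)) if deadline else None,
    )


if __name__ == "__main__":
    cfg = extract_config(RANSOM_NOTE)
    for field, value in cfg.__dict__.items():
        print(f"{field:>20}: {value}")
```

The ID in this note passes the checksum (its last two bytes, 80 5E, equal the XOR of the first 36). When pivoting, key on the 64-hex public-key prefix rather than the full ID: the 4-byte nospam is user-changeable and the actor can rotate it without changing the identity behind it.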

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4752
    • C:\Users\Admin\AppData\Local\Temp\sample.exe
      "C:\Users\Admin\AppData\Local\Temp\sample.exe" 1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4932
    • C:\Users\Admin\AppData\Local\Temp\sample.exe
      "C:\Users\Admin\AppData\Local\Temp\sample.exe" 0
      2⤵
      PID:3692
    • \??\c:\windows\system32\cmd.exe
      "c:\windows\system32\cmd.exe" /c taskkill /im sample.exe & del C:\Users\Admin\AppData\Local\Temp\sample.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:216
      • C:\Windows\system32\taskkill.exe
        taskkill /im sample.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4120
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:360
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:5024
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2412
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
    1⤵
    PID:1324
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1324 -s 2044
      2⤵
      • Program crash
      • Checks processor information in registry
      • Enumerates system info in registry
      PID:4736
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\restore-files.txt
    1⤵
    PID:1460
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\restore-files.txt
    1⤵
    PID:2008
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\restore-files.txt
    1⤵
    PID:4932
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 440 -p 1324 -ip 1324
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:4464
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    1⤵
    • Modifies data under HKEY_USERS
    PID:4920
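Two things in the tree above are worth a detection rule: the sample relaunches its own image twice with a bare numeric argument (PIDs 4932 and 3692, arguments 1 and 0), and it then spawns cmd.exe to taskkill sample.exe and delete the original binary from the Temp directory. As an added example (not part of this sandbox report), the following Python runs both checks over process-creation events. The event dicts are constructed from the tree above; their pid/ppid/image/cmdline field names are an assumption standing in for a Sysmon Event ID 1 or EDR feed, not a real log schema, and the last cmd.exe entry is an invented negative control.

```python
import re
from typing import Dict, List

# Constructed process-creation events mirroring the tree in this report.
# PPID 0 marks a parent the report does not show.
EVENTS: List[Dict] = [
    {"pid": 4752, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"pid": 4932, "ppid": 4752, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe" 1'},
    {"pid": 3692, "ppid": 4752, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe" 0'},
    {"pid": 216, "ppid": 4752, "image": r"c:\windows\system32\cmd.exe",
     "cmdline": r'"c:\windows\system32\cmd.exe" /c taskkill /im sample.exe & del C:\Users\Admin\AppData\Local\Temp\sample.exe'},
    {"pid": 4120, "ppid": 216, "image": r"C:\Windows\system32\taskkill.exe",
     "cmdline": "taskkill /im sample.exe"},
    {"pid": 1460, "ppid": 0, "image": r"C:\Windows\system32\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\restore-files.txt'},
    # Constructed benign control: cmd deleting an unrelated temp file must not fire.
    {"pid": 900, "ppid": 800, "image": r"c:\windows\system32\cmd.exe",
     "cmdline": r'"c:\windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\tmp1234.log'},
]

# Image name given to taskkill /im, and the path given to del (optional switches skipped).
TASKKILL_RE = re.compile(r'taskkill\b[^&|]*?/im\s+"?([^\s"&|]+)', re.IGNORECASE)
DEL_RE = re.compile(r'\bdel\b\s+(?:/[a-z]+\s+)*"?([^\s"&|]+)', re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, with surrounding quotes stripped."""
    p = path.strip().strip('"').replace("/", "\\")
    return p.rsplit("\\", 1)[-1].lower()


def args_after_image(cmdline: str) -> str:
    """Command-line tail after the (possibly quoted) image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def find_self_delete(events: List[Dict]) -> List[Dict]:
    """cmd.exe child whose command line taskkills its parent's image name and
    deletes a file of that same name (the taskkill /im X & del ...X pattern)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "cmd.exe":
            continue
        kill = TASKKILL_RE.search(e["cmdline"])
        dele = DEL_RE.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if not (kill and dele and parent):
            continue
        target = kill.group(1).lower()
        if basename(dele.group(1)) == target and basename(parent["image"]) == target:
            hits.append({"cmd_pid": e["pid"], "parent_pid": parent["pid"],
                         "deleted_path": dele.group(1)})
    return hits


def find_self_respawn(events: List[Dict]) -> List[Dict]:
    """Parent launching its own image again with only a short numeric argument
    (the 1 and 0 children of PID 4752 above), a common worker/stage switch."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) != basename(e["image"]):
            continue
        arg = args_after_image(e["cmdline"])
        if re.fullmatch(r"\d{1,3}", arg):
            hits.append({"parent_pid": parent["pid"], "child_pid": e["pid"], "arg": arg})
    return hits


if __name__ == "__main__":
    for h in find_self_delete(EVENTS):
        print("self-delete:", h)
    for h in find_self_respawn(EVENTS):
        print("self-respawn:", h)
```

Both checks need the real parent PID; the sandbox tree shows the cmd.exe at depth 2 under PID 4752, but in a flat event stream the link has to come from the ppid field, which is why the rule resolves the parent image rather than matching on the cmd.exe line alone. The self-delete hit also tells responders where the binary was before it was removed, so the path can be pulled from backups or VSS if vssvc.exe left any shadow copies intact.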

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3692-134-0x00007FF955023000-0x00007FF955025000-memory.dmp
    Filesize: 8KB
  • memory/4752-131-0x00000000002D0000-0x00000000002DE000-memory.dmp
    Filesize: 56KB
  • memory/4752-132-0x000000001AEF0000-0x000000001AEF2000-memory.dmp
    Filesize: 8KB
  • memory/4752-130-0x00007FF955023000-0x00007FF955025000-memory.dmp
    Filesize: 8KB
  • memory/4920-143-0x0000019B5CAE0000-0x0000019B5CAE4000-memory.dmp
    Filesize: 16KB
  • memory/4932-133-0x00007FF955023000-0x00007FF955025000-memory.dmp
    Filesize: 8KB
  • memory/4932-135-0x00000000025F0000-0x00000000025F2000-memory.dmp
    Filesize: 8KB
  • memory/5024-139-0x000001D689520000-0x000001D689524000-memory.dmp
    Filesize: 16KB
  • memory/5024-138-0x000001D686E20000-0x000001D686E30000-memory.dmp
    Filesize: 64KB
  • memory/5024-137-0x000001D6867A0000-0x000001D6867B0000-memory.dmp
    Filesize: 64KB