Analysis

  • max time kernel
    120s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    19-02-2022 07:57

General

  • Target

    1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe

  • Size

    54KB

  • MD5

    c81424677bcfcf9eeafa3504d87e5c63

  • SHA1

    9393744eaf2cd526e3007a0363d2291faba236b2

  • SHA256

    1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea

  • SHA512

    4ac18a81065b70e44052705753e7d5bf5585e05db8618d2758434e7e126dda8b39c010d0521d237c440fe3da766f107992517a542ac9b8b11ac1f98f7958a6fc

Score
10/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2329389628-4064185017-3901522362-1000\BackFiles_encoded01.txt

Ransom Note
[+] Whats Happen? [+]
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension .encoded01. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt 1-5 files for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]
You can open our site by the shortcut "SUPPORT (TOR_BROWSER)" created on the desktop. Also as the second option you can install the tor browser:
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website. Full link will be provided below.
-----------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
----------------------------------------------------------------------------------------- Your ID: ivYTRlYfLdBVUjByXafcBOGYeQdILBqyPG51ODqyvHXDpi53YysD5mR8B0Nzlu8i744rMHlyTbo9ZxEJeZPtN7e7aREEKF6YNjxBCCqW5E7O2gsWYHVP6DEAXhQsxqhz2aYiZh9TF%2BN1KgZGfY%2BeceGQIH8%2BLRm2JXFBH36C7TzkyyJoZjEe9jM7VE8l6IRxwZgLI19RaPFfYgAMZtS2Ee%2BmfzdzLW%2BcMmB0PC%2FgjH3akiIneX5D%2FjtgBUk9uPcxvq4mBBdGaoMBOwcLDOCSSfu3Bn18K27fbjxjFEay1mrTt2p%2FH0wI4hckU0YNzL5j7M8VPVx1H7dYYBJISqLsZvidQDdzLW%2BTYRFHNRif%2BTbOuj00eGJs1mU%2BAEs4iMYF%2FZUkCjopRYAcMWRBHvOuTPy%2BJnZKfkz1fwRPHV%2FE7DTFj0c1LmdhmGMEXCE1874hur4AIF1pXOs0IBJITpzLPMPPY3EhU0qJFGRnNBjfkDzfmiMNO1Ze0kIuYT1hgccyy75fPxxFWJ43MXg2F%2BCLVr%2ByAyFxPhvFOw9DKkiw5RT%2BhHwtGnpvnHBgdjoon7FOu4sgM0B2Tf5bLWYNTpzuBeyuZBIEaUeyGAV4HSr%2FrTP6t3wNcXZK5Go%2FQ0l6pM8S6Jh3FyFGCOITNGERbuyzbvLPPChAdF7pVDZcA2rCyx3ZrmIBJUpLhHBgdkc29uxx0rZxFjB4G8BHB2I7Tr7AKuSaITIcKl2JYmdWAx7S6XXrsyUpfFhQs0cvAw1CxOBhv8FddD9qVPVnFEhBb5%2BTIbq6FAFfPhvFQjZjOCnDwmrhkHRwDnBhtjo9XDcv5LVn%2B4kedUVPY%2B5OPHpPfYbqdriwdxA%2BVFWULGBkRRLQn1e5qSkBanRe1W1lDhNms6FhzK9VFSVMaeJwYHYkGsLrQeGvYXdLVUjyOzBZAGOg5SXr0yEAJWlFvxEZeSt4lZ580M43Nk16fvZlA0M%2BVsPCMee4XR4BWFyCN3cCNBmC7kbjjwURXFF74FZyBThcobAFzcNkdCRHH7MEFFkRLOCaffiFCxA8b0%2FdXi4CK3zI7gPJtCIVMVp6uwJ3AjQpwJZw%2Bo9hd0tMHaI%2BEVAqNYPSZ%2FuCa2NkXUWlEzQFJg7GlHPOy2F3Tyhb%2F2AmTzZDlchqyYN9LhUvTOkwB14BCILuQrqYLDNGPhvBaw5YIGOV6hjflWZxYW5b6DAaBgUakY5Kwp8yB2BdWPJ%2FcgU4TZ3BIr6GYREvaViBAiQHNTzWiEzn2XcB Your support onion(TOR) url: 
http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=ivYTRlYfLdBVUjByXafcBOGYeQdILBqyPG51ODqyvHXDpi53YysD5mR8B0Nzlu8i744rMHlyTbo9ZxEJeZPtN7e7aREEKF6YNjxBCCqW5E7O2gsWYHVP6DEAXhQsxqhz2aYiZh9TF%2BN1KgZGfY%2BeceGQIH8%2BLRm2JXFBH36C7TzkyyJoZjEe9jM7VE8l6IRxwZgLI19RaPFfYgAMZtS2Ee%2BmfzdzLW%2BcMmB0PC%2FgjH3akiIneX5D%2FjtgBUk9uPcxvq4mBBdGaoMBOwcLDOCSSfu3Bn18K27fbjxjFEay1mrTt2p%2FH0wI4hckU0YNzL5j7M8VPVx1H7dYYBJISqLsZvidQDdzLW%2BTYRFHNRif%2BTbOuj00eGJs1mU%2BAEs4iMYF%2FZUkCjopRYAcMWRBHvOuTPy%2BJnZKfkz1fwRPHV%2FE7DTFj0c1LmdhmGMEXCE1874hur4AIF1pXOs0IBJITpzLPMPPY3EhU0qJFGRnNBjfkDzfmiMNO1Ze0kIuYT1hgccyy75fPxxFWJ43MXg2F%2BCLVr%2ByAyFxPhvFOw9DKkiw5RT%2BhHwtGnpvnHBgdjoon7FOu4sgM0B2Tf5bLWYNTpzuBeyuZBIEaUeyGAV4HSr%2FrTP6t3wNcXZK5Go%2FQ0l6pM8S6Jh3FyFGCOITNGERbuyzbvLPPChAdF7pVDZcA2rCyx3ZrmIBJUpLhHBgdkc29uxx0rZxFjB4G8BHB2I7Tr7AKuSaITIcKl2JYmdWAx7S6XXrsyUpfFhQs0cvAw1CxOBhv8FddD9qVPVnFEhBb5%2BTIbq6FAFfPhvFQjZjOCnDwmrhkHRwDnBhtjo9XDcv5LVn%2B4kedUVPY%2B5OPHpPfYbqdriwdxA%2BVFWULGBkRRLQn1e5qSkBanRe1W1lDhNms6FhzK9VFSVMaeJwYHYkGsLrQeGvYXdLVUjyOzBZAGOg5SXr0yEAJWlFvxEZeSt4lZ580M43Nk16fvZlA0M%2BVsPCMee4XR4BWFyCN3cCNBmC7kbjjwURXFF74FZyBThcobAFzcNkdCRHH7MEFFkRLOCaffiFCxA8b0%2FdXi4CK3zI7gPJtCIVMVp6uwJ3AjQpwJZw%2Bo9hd0tMHaI%2BEVAqNYPSZ%2FuCa2NkXUWlEzQFJg7GlHPOy2F3Tyhb%2F2AmTzZDlchqyYN9LhUvTOkwB14BCILuQrqYLDNGPhvBaw5YIGOV6hjflWZxYW5b6DAaBgUakY5Kwp8yB2BdWPJ%2FcgU4TZ3BIr6GYREvaViBAiQHNTzWiEzn2XcB
URLs

http://chat5sqrnzqewampznybomgn4hf2m53tybkarxk4sfaktwt7oqpkcvyd.onion/gate.php?data=ivYTRlYfLdBVUjByXafcBOGYeQdILBqyPG51ODqyvHXDpi53YysD5mR8B0Nzlu8i744rMHlyTbo9ZxEJeZPtN7e7aREEKF6YNjxBCCqW5E7O2gsWYHVP6DEAXhQsxqhz2aYiZh9TF%2BN1KgZGfY%2BeceGQIH8%2BLRm2JXFBH36C7TzkyyJoZjEe9jM7VE8l6IRxwZgLI19RaPFfYgAMZtS2Ee%2BmfzdzLW%2BcMmB0PC%2FgjH3akiIneX5D%2FjtgBUk9uPcxvq4mBBdGaoMBOwcLDOCSSfu3Bn18K27fbjxjFEay1mrTt2p%2FH0wI4hckU0YNzL5j7M8VPVx1H7dYYBJISqLsZvidQDdzLW%2BTYRFHNRif%2BTbOuj00eGJs1mU%2BAEs4iMYF%2FZUkCjopRYAcMWRBHvOuTPy%2BJnZKfkz1fwRPHV%2FE7DTFj0c1LmdhmGMEXCE1874hur4AIF1pXOs0IBJITpzLPMPPY3EhU0qJFGRnNBjfkDzfmiMNO1Ze0kIuYT1hgccyy75fPxxFWJ43MXg2F%2BCLVr%2ByAyFxPhvFOw9DKkiw5RT%2BhHwtGnpvnHBgdjoon7FOu4sgM0B2Tf5bLWYNTpzuBeyuZBIEaUeyGAV4HSr%2FrTP6t3wNcXZK5Go%2FQ0l6pM8S6Jh3FyFGCOITNGERbuyzbvLPPChAdF7pVDZcA2rCyx3ZrmIBJUpLhHBgdkc29uxx0rZxFjB4G8BHB2I7Tr7AKuSaITIcKl2JYmdWAx7S6XXrsyUpfFhQs0cvAw1CxOBhv8FddD9qVPVnFEhBb5%2BTIbq6FAFfPhvFQjZjOCnDwmrhkHRwDnBhtjo9XDcv5LVn%2B4kedUVPY%2B5OPHpPfYbqdriwdxA%2BVFWULGBkRRLQn1e5qSkBanRe1W1lDhNms6FhzK9VFSVMaeJwYHYkGsLrQeGvYXdLVUjyOzBZAGOg5SXr0yEAJWlFvxEZeSt4lZ580M43Nk16fvZlA0M%2BVsPCMee4XR4BWFyCN3cCNBmC7kbjjwURXFF74FZyBThcobAFzcNkdCRHH7MEFFkRLOCaffiFCxA8b0%2FdXi4CK3zI7gPJtCIVMVp6uwJ3AjQpwJZw%2Bo9hd0tMHaI%2BEVAqNYPSZ%2FuCa2NkXUWlEzQFJg7GlHPOy2F3Tyhb%2F2AmTzZDlchqyYN9LhUvTOkwB14BCILuQrqYLDNGPhvBaw5YIGOV6hjflWZxYW5b6DAaBgUakY5Kwp8yB2BdWPJ%2FcgU4TZ3BIr6GYREvaViBAiQHNTzWiEzn2XcB

Signatures

  • suricata: ET MALWARE Generic Request to gate.php Dotted-Quad
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
  • suricata: ET MALWARE WIN32/KOVTER.B Checkin

  • Drops desktop.ini file(s) 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe
    "C:\Users\Admin\AppData\Local\Temp\1be90c72735d56e2f9ee9583d6bece1b9e6a78ecc475f08d6f133863b56256ea.exe"
    • Drops desktop.ini file(s)
    PID:1752

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1752-55-0x0000000076921000-0x0000000076923000-memory.dmp
    Filesize

    8KB

  • memory/1752-56-0x0000000000FB0000-0x0000000000FC1000-memory.dmp
    Filesize

    68KB

  • memory/1752-57-0x00000000000E0000-0x00000000000FF000-memory.dmp
    Filesize

    124KB