6a0d713e89b61a8709f8d55e19631ec31370d87880a478704609eee78ccd3c18

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-en-20211208
submitted
24/02/2022, 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
Size

161KB
MD5

8e4fa69d87a6d3c6d7e6c699b25cc2ab
SHA1

e5981cfe6ded85b01b10f4b2a5fc2f8537a63b31
SHA256

6a0d713e89b61a8709f8d55e19631ec31370d87880a478704609eee78ccd3c18
SHA512

fd6ad515c7227a8525e3f3c7b390c547e86b43624424acb978e14d0a7dfa6a90f3cf95518a3b97509f36aed1eb3173dae9d31b6f23990abc232c9dcfb1245994

Score

10^/10

evasion ransomware

Malware Config

Extracted

Path

C:\Users\Admin\RECOVERY INFORMATION.txt

Ransom Note

YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. CONTACT US: [email protected] [email protected] YOUR PERSONAL ID: B7B93E5E0B7F �

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1772	bcdedit.exe
1096	bcdedit.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\WaitJoin.crw => C:\Users\Admin\Pictures\WaitJoin.crw.consultransom	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe

Deletes itself 1 IoCs

pid	Process
524	cmd.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\X:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\J:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\K:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\L:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\N:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\T:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\Y:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\A:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\B:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\P:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\R:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\M:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\Q:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\U:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\V:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\F:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\G:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\H:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\I:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\W:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\Z:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\E:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened (read-only)	\??\O:	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\utilityfunctions.js	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_VelvetRose.gif	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDBAR98.POC	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_ja.jar	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\UCT	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_COL.HXT	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tongatapu	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Assets.accdt	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21366_.GIF	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\HEADER.GIF	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15134_.GIF	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\RECOVERY INFORMATION.txt	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\RECOVERY INFORMATION.txt	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveReport.dotx	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\RECOVERY INFORMATION.txt	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04267_.WMF	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18216_.WMF	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01074_.WMF	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01748_.GIF	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099199.GIF	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.properties.src	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Pitcairn	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105412.WMF	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIcons.jpg	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Start End Dates.accft	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeLetter.Dotx	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02288_.WMF	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\RECOVERY INFORMATION.txt	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVELOPE.XML	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01294_.GIF	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Pyongyang	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_F_COL.HXK	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUTL.OLB	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHigh.jpg	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD98.POC	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File created	C:\Program Files\DVD Maker\ja-JP\RECOVERY INFORMATION.txt	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Gaza	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14831_.GIF	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301044.WMF	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\TOOT.WAV	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107282.WMF	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR37F.GIF	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21520_.GIF	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105338.WMF	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106572.WMF	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01565_.WMF	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\RECOVERY INFORMATION.txt	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Groove.gif	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1468	vssadmin.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1380	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
900	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	900	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
Token: SeDebugPrivilege	900	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
Token: SeBackupPrivilege	1748	vssvc.exe
Token: SeRestorePrivilege	1748	vssvc.exe
Token: SeAuditPrivilege	1748	vssvc.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1468	900	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe	27
PID 900 wrote to memory of 1468	900	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe	27
PID 900 wrote to memory of 1468	900	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe	27
PID 900 wrote to memory of 1468	900	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe	27
PID 900 wrote to memory of 656	900	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe	29
PID 900 wrote to memory of 656	900	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe	29
PID 900 wrote to memory of 656	900	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe	29
PID 900 wrote to memory of 656	900	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe	29
PID 900 wrote to memory of 760	900	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe	30
PID 900 wrote to memory of 760	900	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe	30
PID 900 wrote to memory of 760	900	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe	30
PID 900 wrote to memory of 760	900	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe	30
PID 760 wrote to memory of 1772	760	cmd.exe	33
PID 760 wrote to memory of 1772	760	cmd.exe	33
PID 760 wrote to memory of 1772	760	cmd.exe	33
PID 656 wrote to memory of 1096	656	cmd.exe	34
PID 656 wrote to memory of 1096	656	cmd.exe	34
PID 656 wrote to memory of 1096	656	cmd.exe	34
PID 900 wrote to memory of 524	900	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe	42
PID 900 wrote to memory of 524	900	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe	42
PID 900 wrote to memory of 524	900	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe	42
PID 900 wrote to memory of 524	900	8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe	42
PID 524 wrote to memory of 1380	524	cmd.exe	44
PID 524 wrote to memory of 1380	524	cmd.exe	44
PID 524 wrote to memory of 1380	524	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe
"C:\Users\Admin\AppData\Local\Temp\8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\system32\vssadmin.exe
  "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1468
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1096
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1772
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\8e4fa69d87a6d3c6d7e6c699b25cc2ab.exe" >> NUL
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1380