Overview

overview

10

Static

static

10

91fe89eafc...53.exe

windows7_x64

10

91fe89eafc...53.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294177s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    06-03-2022 01:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    91fe89eafca829107a5e80c6f7e875d72dbbfde7441961d6168709f5a42b4553.exe

  • Size

    4.6MB

  • MD5

    1d8710fba67b6869c39e236680693173

  • SHA1

    813915a095895988679753cb6d7248eaf9dd00be

  • SHA256

    91fe89eafca829107a5e80c6f7e875d72dbbfde7441961d6168709f5a42b4553

  • SHA512

    a316da3f52c509f0f595b93faf047ce56e9721795fe1f1e76aa0045225f8d412cb8718025f7501fa6b97616990fcbe01d240ec4d1c78ab62e8a652a7627d99f9

Score
10/10
ransomwarespywarestealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR FILES.TXT

Ransom Note
Hello! All your files are encrypted and only I can decrypt them. Contact me: [email protected] or [email protected] Write me if you want to return your files - I can do it very quickly! The header of letter must contain extension of encrypted files. I'm always reply within 24 hours. If not - check spam folder, resend your letter or try send letter from another email service. Attention! Do not rename or edit encrypted files: you may have permanent data loss. To prove that I can recover your files, I am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups) HURRY UP! ! ! ! If you do not email me in the next 48 hours then your data may be lost permanently ! ! !

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 15 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\91fe89eafca829107a5e80c6f7e875d72dbbfde7441961d6168709f5a42b4553.exe
    "C:\Users\Admin\AppData\Local\Temp\91fe89eafca829107a5e80c6f7e875d72dbbfde7441961d6168709f5a42b4553.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\system32\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\uldysykn.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:980
      • C:\Windows\system32\sc.exe
        SC QUERY
        3⤵
          PID:1144
        • C:\Windows\system32\findstr.exe
          FINDSTR SERVICE_NAME
          3⤵
            PID:576
        • C:\Windows\system32\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\rdshpjakjorkshltt.bat
          2⤵
            PID:1344
          • C:\Windows\system32\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\qigwob.bat
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:984
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              3⤵
              • Interacts with shadow copies
              PID:1792
          • C:\Windows\system32\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\fmoseqmmdjtswot.bat
            2⤵
              PID:1072
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1568

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\qigwob.bat
            MD5

            2202e846ba05d7f0bb20adbc5249c359

            SHA1

            4115d2d15614503456aea14db61d71a756cc7b8c

            SHA256

            0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f

            SHA512

            cd6ce6d89a8e5f75724405bc2694b706819c3c554b042075d5eb47fdb75653235160ac8a85e7425a49d98f25b3886faaaec5599bcf66d20bf6115dc3af4ba9c7

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\uldysykn.bat
            MD5

            55310bb774fff38cca265dbc70ad6705

            SHA1

            cb8d76e9fd38a0b253056e5f204dab5441fe932b

            SHA256

            1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d

            SHA512

            40e5a5e8454ca3eaac36d732550e2c5d869a235e3bbc4d31c4afa038fe4e06f782fa0885e876ad8119be766477fdcc12c1d5d04d53cf6b324e366b5351fc7cd4

            Download Submit