Analysis

  • max time kernel
    4294177s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    06-03-2022 01:52

General

  • Target

    91fe89eafca829107a5e80c6f7e875d72dbbfde7441961d6168709f5a42b4553.exe

  • Size

    4.6MB

  • MD5

    1d8710fba67b6869c39e236680693173

  • SHA1

    813915a095895988679753cb6d7248eaf9dd00be

  • SHA256

    91fe89eafca829107a5e80c6f7e875d72dbbfde7441961d6168709f5a42b4553

  • SHA512

    a316da3f52c509f0f595b93faf047ce56e9721795fe1f1e76aa0045225f8d412cb8718025f7501fa6b97616990fcbe01d240ec4d1c78ab62e8a652a7627d99f9

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR FILES.TXT

Ransom Note
Hello! All your files are encrypted and only I can decrypt them. Contact me: [email protected] or [email protected] Write me if you want to return your files - I can do it very quickly! The header of letter must contain extension of encrypted files. I'm always reply within 24 hours. If not - check spam folder, resend your letter or try send letter from another email service. Attention! Do not rename or edit encrypted files: you may have permanent data loss. To prove that I can recover your files, I am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups) HURRY UP! ! ! ! If you do not email me in the next 48 hours then your data may be lost permanently ! ! !

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 15 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\91fe89eafca829107a5e80c6f7e875d72dbbfde7441961d6168709f5a42b4553.exe
    "C:\Users\Admin\AppData\Local\Temp\91fe89eafca829107a5e80c6f7e875d72dbbfde7441961d6168709f5a42b4553.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\system32\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\uldysykn.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:980
      • C:\Windows\system32\sc.exe
        SC QUERY
        3⤵
          PID:1144
        • C:\Windows\system32\findstr.exe
          FINDSTR SERVICE_NAME
          3⤵
            PID:576
        • C:\Windows\system32\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\rdshpjakjorkshltt.bat
          2⤵
            PID:1344
          • C:\Windows\system32\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\qigwob.bat
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:984
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              3⤵
              • Interacts with shadow copies
              PID:1792
          • C:\Windows\system32\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\fmoseqmmdjtswot.bat
            2⤵
              PID:1072
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1568

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads