Overview

overview

10

Static

static

10

91fe89eafc...53.exe

windows7_x64

10

91fe89eafc...53.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    134s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    06-03-2022 01:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    91fe89eafca829107a5e80c6f7e875d72dbbfde7441961d6168709f5a42b4553.exe

  • Size

    4.6MB

  • MD5

    1d8710fba67b6869c39e236680693173

  • SHA1

    813915a095895988679753cb6d7248eaf9dd00be

  • SHA256

    91fe89eafca829107a5e80c6f7e875d72dbbfde7441961d6168709f5a42b4553

  • SHA512

    a316da3f52c509f0f595b93faf047ce56e9721795fe1f1e76aa0045225f8d412cb8718025f7501fa6b97616990fcbe01d240ec4d1c78ab62e8a652a7627d99f9

Score
10/10
ransomwarespywarestealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\HOW TO RESTORE YOUR FILES.TXT

Ransom Note
Hello! All your files are encrypted and only I can decrypt them. Contact me: [email protected] or [email protected] Write me if you want to return your files - I can do it very quickly! The header of letter must contain extension of encrypted files. I'm always reply within 24 hours. If not - check spam folder, resend your letter or try send letter from another email service. Attention! Do not rename or edit encrypted files: you may have permanent data loss. To prove that I can recover your files, I am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups) HURRY UP! ! ! ! If you do not email me in the next 48 hours then your data may be lost permanently ! ! !

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\91fe89eafca829107a5e80c6f7e875d72dbbfde7441961d6168709f5a42b4553.exe
    "C:\Users\Admin\AppData\Local\Temp\91fe89eafca829107a5e80c6f7e875d72dbbfde7441961d6168709f5a42b4553.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kljtwksw.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Windows\system32\sc.exe
        SC QUERY
        3⤵
          PID:2572
        • C:\Windows\system32\findstr.exe
          FINDSTR SERVICE_NAME
          3⤵
            PID:2580
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nlxtbhxhcfoccsdu.bat
          2⤵
            PID:2756
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dkklgbvfgc.bat
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:260
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              3⤵
              • Interacts with shadow copies
              PID:2148
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cnvfbatf.bat
            2⤵
              PID:4464
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3512

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads