Analysis

  • max time kernel
    151s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    06-03-2022 05:24

General

  • Target

    bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe

  • Size

    2.7MB

  • MD5

    e3383885e03608cd7784ba4690493e26

  • SHA1

    b87077a44d2a2e75a3ded415feea4056be1559f0

  • SHA256

    bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f

  • SHA512

    e957d2582e13a998cf3dc165be7a3852df19f469f212411545bc73afb36944be842826c0105045d47d9b4e9ef52f26f0612ce83ca37064efb567a3a420efb93f

Malware Config

Extracted

Path

C:\Unlock_All_Files.txt

Ransom Note
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hack For Life <<<<<<<<<<<<<<<<<<<<<<<<<<<<<< All Your Files Has Been Locked! If you think you can decrypt the files we would be happy :) But all your files are protected by strong encryption with AES RSA 256 using military-grade encryption algorithm Video Decrypt: Due to the deletion of video on video sharing sites You can download and watch the video from the link below: https://drive.google.com/file/d/1L1qeBgY_AfjYVgO8FEZsViJxK4TBWXZI/view What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. You Can Send some Files that not Contains Valuable Data To make Sure That Your Files Can be Back with our Tool Your unique Id : ERSHGVROWVEJMHAB Contact : [email protected] or https://t.me/filedecrypt002 What are the guarantees that I can decrypt my files after paying the ransom? Your main guarantee is the ability to decrypt test files. This means that we can decrypt all your files after paying the ransom. We have no reason to deceive you after receiving the ransom, since we are not barbarians and moreover it will harm our business. You Have 2days to Decide to Pay after 2 Days Decryption Price will Be Double And after 1 week it will be triple Try to Contact late and You will know Therefore, we recommend that you make payment within a few hours. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Again, we emphasize that no one can decrypt files, so don't be a victim of fraud. 
It's just a business Warning : If you email us late You may miss the Decrypt program Because our emails are blocked quickly So it is better as soon as they read email Email us ;) You Can Learn How to Buy Bitcoin From This links Below https://localbitcoins.com/buy_bitcoins https://www.coindesk.com/information/how-can-i-buy-bitcoins https://www.bestbitcoinexchange.io >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hack For Security <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
URLs

https://drive.google.com/file/d/1L1qeBgY_AfjYVgO8FEZsViJxK4TBWXZI/view

https://t.me/filedecrypt002

https://www.bestbitcoinexchange.io

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Program crash 5 IoCs
  • Enumerates system info in registry 2 TTPs 10 IoCs
  • Kills process with taskkill 3 IoCs
  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe
    "C:\Users\Admin\AppData\Local\Temp\bf9f31608deb672c319e79660504179b7f5c837cb5a5a21fed94bb8b7555401f.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\system32\cmd.exe
      cmd /C "taskkill /F /IM sqlservr.exe /T"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM sqlservr.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2188
    • C:\Windows\system32\cmd.exe
      cmd /C "taskkill /F /IM sqlceip.exe /T"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM sqlceip.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3776
    • C:\Windows\system32\cmd.exe
      cmd /C "taskkill /F /IM sqlwriter.exe /T"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3480
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM sqlwriter.exe /T
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1948
    • C:\Windows\system32\cmd.exe
      cmd /C "rmdir C:\Users\Admin\AppData /s /q"
      2⤵
      PID:2408
    • C:\Windows\system32\cmd.exe
      cmd /C "rmdir C:\Users\Default\AppData /s /q"
      2⤵
      PID:792
    • C:\Windows\system32\cmd.exe
      cmd /C "rmdir C:\Users\Public\AppData /s /q"
      2⤵
      PID:1272
    • C:\Windows\system32\cmd.exe
      cmd /C "attrib +h +s Encrypt.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1188
      • C:\Windows\system32\attrib.exe
        attrib +h +s Encrypt.exe
        3⤵
        • Views/modifies file attributes
        PID:2108
    • C:\Windows\system32\cmd.exe
      cmd /C "net stop MSSQL$SQLEXPRESS"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:364
      • C:\Windows\system32\net.exe
        net stop MSSQL$SQLEXPRESS
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
          4⤵
          PID:3500
    • C:\Windows\system32\cmd.exe
      cmd /C "rmdir C:\$Recycle.Bin /s /q"
      2⤵
      PID:1812
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
    1⤵
    PID:3744
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2760
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2760 -s 3940
      2⤵
      • Program crash
      PID:2952
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 408 -p 2760 -ip 2760
    1⤵
    PID:3404
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3864
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3864 -s 3904
      2⤵
      • Program crash
      PID:3940
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 520 -p 3864 -ip 3864
    1⤵
    PID:2752
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1956
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1956 -s 3880
      2⤵
      • Program crash
      PID:3284
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 540 -p 1956 -ip 1956
    1⤵
    PID:3448
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1880
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1880 -s 3888
      2⤵
      • Program crash
      PID:2544
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 496 -p 1880 -ip 1880
    1⤵
    PID:3344
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:3008
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3008 -s 3932
      2⤵
      • Program crash
      PID:680
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 504 -p 3008 -ip 3008
    1⤵
    PID:2396
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:452

Network

MITRE ATT&CK Enterprise v6


Downloads