Analysis
-
max time kernel
50s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
08-03-2022 23:12
General
-
Target
Taleb.Ransom.exe
-
Size
10.8MB
-
MD5
ac09b7550eda13e03a55448fd8367e2d
-
SHA1
8266a12669a4a3952cb9af86e75ed74c27c71013
-
SHA256
4b78968928cfa5437ffdd56a39a5ea8c10a7b6dc5d3f342d003260088876b3cf
-
SHA512
44cace3038bd96fa36a9d3b16251573f625f5e7cb53f0233d87f6e8ab564e731bd8719088feec44f47a460c0a096b964c2c0e77f3f1c371b773e66407aef5d29
Malware Config
Signatures
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 64 IoCs
-
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Program crash 4 IoCs
-
NTFS ADS 23 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Taleb.Ransom.exe"C:\Users\Admin\AppData\Local\Temp\Taleb.Ransom.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSDTC2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop MSDTC3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSDTC4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop SQLSERVERAGENT3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLSERVERAGENT4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQLSERVER2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop MSSQLSERVER3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop vds2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop vds3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop vds4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLWriter2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop SQLWriter3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLWriter4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop SQLBrowser2⤵
-
C:\Windows\SysWOW64\net.exenet stop SQLBrowser3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SQLBrowser4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQLSERVER2⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQLSERVER3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO12⤵
-
C:\Windows\SysWOW64\net.exenet stop MSSQL$CONTOSO13⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$CONTOSO14⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 3024 -ip 30241⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3024 -s 35121⤵
- Program crash
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 260 -s 43882⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 420 -p 260 -ip 2601⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3800 -s 32402⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3800 -s 32402⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 524 -p 3800 -ip 38001⤵
-
C:\Windows\System32\Upfc.exeC:\Windows\System32\Upfc.exe /launchtype periodic /cv g9ZCCWuZ6Uy/TtqUQ/6RDA.01⤵
-
C:\Windows\system32\werfault.exewerfault.exe /hc /shared Global\55b3e50313b342ab9ec1ad5e6d8b8b85 /t 3224 /p 3800 47961⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.(MJ-GL6271085349)(Folperdock@gmail.com).GodoxMD5
eb9ac9c5288452d88125defb3eb255a4
SHA102823aff2e56959e2981b11cca7cc94702247058
SHA2566ff6a6f1690a1f907ba939c0ba03df6664d00e6f92e333c98d74d42846c3c098
SHA512f2330c56c213e451bffc23cb59e21bb8d2dfecd77a94bc251af779806c5c6151aacd784b63b5c21a68d5ceb5558fd2a9a97b2e5ac7f4f677285ff74ca28c748c
-
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.(MJ-GL6271085349)(Folperdock@gmail.com).GodoxMD5
0fd105c8d3976035dd91489d203c6e40
SHA1b5ba687dedbfec08bf27b5a76f0502bffbeaf14b
SHA256fa11a6a522545f6930dbc9d2c9e399c57f869c2e2d555b30b36f47cf1eb0338c
SHA512e2d746179368646d8e13f1460c02918c312f39d2dbf0b2aafaf1b45417d72bf6214015c0ca9f54a2e95fb13a3acae74d71d2d47b0931245fdc9a94ee0a97aa2f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.(MJ-GL6271085349)(Folperdock@gmail.com).GodoxMD5
e336c1aa1286cc67bba93a7f15b7c868
SHA184707ec5491931e42d0d46e437a6df4c44f7dd8a
SHA2562f32567d28a746360823b447754b2b3113dc9b44b34a514feeab1882ede4a69e
SHA512ab29bf2d2f1fa26497ffa938650e60bfeb69e926c7fa865f71931bc818c4c21ba2c423fcf48eb510c1fce6701e20f6f61e9abf9d2d2ebc935fd28725df9ef89c
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\8E2QZIJ1\2KtaRlE2T-3Ka6lY0tZmJymDTbI.br[1].jsMD5
82ef77c6e17ea148f8f4fe8e90605243
SHA1daa8f0522deb7e6821981a8b4d9ce8a848cfa011
SHA2568c91b11e5cd6d848e6f6bcb98fcbc196975d6940a369601f813f734b3eff5baf
SHA512bba6f8126462c897bea22f74fb8f7e297266ddf52114aaf65f1e33e9f20f547a878e45023c7fdf5b54488342a78a36f2c1fa0f44aa63b7e03a3744ad6ccc2f54
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\8E2QZIJ1\onra7PQl9o5bYT2lASI1BE4DDEs[1].cssMD5
d167f317b3da20c8cb7f24e078e0358a
SHA1d44ed3ec2cde263c53a1ba3c94b402410a636c5f
SHA256be2e9b42fc02b16643c01833de7d1c14d8790ecc4355c76529a41fa2f7d3efad
SHA512afc65b0fa648d49a5eb896be60331aa222301894e228fe5684399e9276342f6510773dffa3e7e75b8d6197bc51c732bc7fd7518e593ecd20c4884c47058d46d8
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\8E2QZIJ1\skw3l0TgcFrjj1cp1h8JBca96sY.br[1].jsMD5
581c936e1eec854f9b2724b0b4660cee
SHA1c5e29de11572ef7f421784ce3486824f8c208a6c
SHA2563e1c601edf28f103e09d91e201475346206614f988f09324122f8c726d533d03
SHA5122b2692969afb8243b4eebeb264acf2a5f9c47709f5bad29239fb9768d65f2012932f2eeb60ff8192fc0c141a71b03ab3d72181a0c272ae28b8c14eebd779fa05
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\L9S5YI1K\7Y7GIdHwvb_FHuCBnybcAmLO7GY.br[1].jsMD5
90d86fb0a928bb7c9a01d80461d47ece
SHA16a99eab11457b7a260116fee80e159e415cc5c8f
SHA25657d8d759bd33872fbe7f8befb4c78215d2a7530d278ee683f6981ad5dd4a87d7
SHA512057d156845a8be99d048c02a98138baa68a2e3947bea8b3881570986925cd98010227549f6de58c9c9581d55c5ec5cb50297638baab21cbea85ce723c65f5487
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\L9S5YI1K\Q_Il7chHPMYT2eCRltgjWoFBVCM.br[1].jsMD5
216f829b14a19d49ea0eb603dc20e488
SHA1a7c3a29beba72db8184c4f6ed83f15e5ce4e7e12
SHA2560ad101b5900ce2930cc6667b23ac31e20a0a303baaca1b0cc3b26ce47b4859fa
SHA5124df3bc3d2faf7fbb556d9578c4544efaa39383c9bb97e36a6febabf2f401205da7f137c5a06521338060d78edda6c292912eeb9dafc25dc80d2f15694c17ec92
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\L9S5YI1K\U006EeMfq1iK7IAAM8DJcfY519o[1].cssMD5
17d579f86147ac3b11056da41a9d5e89
SHA1a2b67ea1edfaa6591541d9169bdd0b91efa1efbb
SHA256b0595825dff390fcf05e06dd2d9e52a8fd1f0fba04c53a56fd38b0faedaf1fdb
SHA512f54c5ec8ee0d5544589880bdce0a7ac3858bab338c75231d39a13c6df1ddfbfa8868645822380fceb65c265ab85415786c9fd6a16710c2580a627f14220d702e
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\L9S5YI1K\_l3DVy25sXN8ng62gqnfnQBYJYw.br[1].jsMD5
4e32f497c5f67b97d2abe445987c4185
SHA1bf917079aa4307f972eae3a1e2bd0564efa4ac27
SHA256c147eb197b363608f64a6641951f8a47c15a788302a32691862e40cc91b04424
SHA512a32e65fc301d913cde891708c69de328cb58a716264d1097b0e71ab0ed177bec254d75a4093a27b994eb5df402d48c4ccde742f3ca5ce2d52ab21807db055bdb
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\L9S5YI1K\o3B8xuieIQmkMJPWlwYh5DxkeP8[1].jsMD5
31cefcb444a0695172432c919034ec51
SHA13b20547c24f5409f010e4e8212c29bdd35517c2f
SHA256d93cf40ccb66e1a745c64a9173db1bcdf5486ad926048a435e8a56dce2206d34
SHA512a1e06154d12f2fd2d7e731dd06394b29135a16c56b0551b8e539617e82a800982aa1839ad947dabdb9e672c5f24688f22ebd60c989ed67b2cc53f3bf6d6a97cc
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\MJMBLR41\MEzdwlE2xiDDSN5OAHo-0SlFLUo[1].cssMD5
c8c5a113a6a3f8dff5d12e7415ceb05f
SHA1603632354b0b93e93ad604de078bdf2638c05365
SHA256b73cef51ff5a9c8675d15f6535213fdffea54d253c227d8a99ccb3ad7f009b00
SHA512312d25236f28dc62b215917a1842cde4b235343b38b1788808c23e751bee9d0cf8c0f1d2bbdb6b43684b34014afb20c9c04373c62cf11364b183fdba001a8195
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\MJMBLR41\O1l_m38HiTRZRFSw38qlt64VPAw.br[1].jsMD5
f53dd0dd5b313798d35da8c74eb7d94b
SHA1439d88351b215fc98d5b8d4f7015ced29405af05
SHA256c180cf18d39928ee2db2040e0453cc0b60e6246421875aa501f141537c0acf21
SHA512daa72e171f5c41f3bffec45cdc261751734e222d58155f106e038c9e022d511ee2630fedbe9302f0d9b7142a4957fed68a2e7d49d2729c513fe52b39815ec129
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\MJMBLR41\QzzWO8WNEVeuGs6-1Sv6FbuwNoI.br[1].jsMD5
c67ad2232a0d1d0b2d640075b5e014a9
SHA1349733d854c9a1e5d35334588f9ac1a28a81b0b9
SHA256bd1ecaf6e5f0681930758486beeb6c134ed2e0c79e0efa8fd005becec6aed04b
SHA5127aee7abd96b21faf9106e72643227e24fed0c089039b028ea37688dbea57b00c297865cd82270f45484b98ce11ae0de76781713bcc1c99e74838da488abf32f4
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\Q5MJBNZQ\5C6Y35wFCJ-8USK_QYy6-0Tpjxo.br[1].jsMD5
8b2d92541a7744a334ad6a2471b37f1f
SHA1626291635bfe9e55156313fba19b461e239e7ab2
SHA256c6a8ff887000a5ddd53cd69f559329d0e1b4742d22929efbad1f741f9fe28dc8
SHA512551124075d59fd3a66dbc3feba7b458e003133c3cecf0e85bcc92c069fa4efb806248cffa24dd619b90b88c1aa203b7cd33e50bcad7ac2edae4a2c3ae67a05c1
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\Q5MJBNZQ\QNBBNqWD9F_Blep-UqQSqnMp-FI[1].cssMD5
77373397a17bd1987dfca2e68d022ecf
SHA11294758879506eff3a54aac8d2b59df17b831978
SHA256a319af2e953e7afda681b85a62f629a5c37344af47d2fcd23ab45e1d99497f13
SHA512a177f5c25182c62211891786a8f78b2a1caec078c512fc39600809c22b41477c1e8b7a3cf90c88bbbe6869ea5411dd1343cad9a23c6ce1502c439a6d1779ea1b
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\Q5MJBNZQ\_6kcejpIrJTtxudclBiss_A-0_g[1].cssMD5
5fa42803ad27f35eef70ccfb471435d5
SHA1fe74ed39acfc0e18885dbf1c61b04d87e44bdeb6
SHA256f611daf8888d818ab050660b581cf108816c7141f2f8d3fbff3deb7b3448c1b4
SHA5126ad4793ae7834d9fc019f2df535a58e34fd8da2cf9d280770003690777d13ade78a3065af4a7f8fcdf8e80b880c0f9f39ea42a65a8924e2a64fed102116a13d9
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\Q5MJBNZQ\yZOHjNAWOKsDHcLtW3zFb_T4Q-8.br[1].jsMD5
0aa78ca3869d05ed1fec567cadcc304b
SHA1e1c98304d16093b2d72b31e135ae63f1e44a215f
SHA2561213304ea13c0aef11a5cd91b7b7372ce6b9dd1f8afcfbfdb932524431d12eba
SHA512320f10eeb72ca5206fbf2a9cf40b2b3d2a5b9f0526f073cb0cfde8a5a26a48cfc8d41ff023a2c41f2bc3c6ddbfe0004d75c18c53a2501d24ef904fc69b72a39c
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\3ZL5QLBD\www.bing[1].xmlMD5
ada190715b62346d15b547d960f7884e
SHA140daeb601f7b6135f2c594256341048ed6f06bec
SHA2566d6fee41f7e87c3d67bc7b1d9b05ef54c16af714d1074d12acc60396e7ada55e
SHA512a8f627077438d73879aca90c78ebe66b6f60ce12591b8c36ae8ab68ab4d0a7d2320e994fe80e24828cc3ffbdef27889eb2b183aef7814d2d647ff18663b9961f