Overview

overview

10

Static

static

7862d6e083...0a.exe

windows7_x64

10

7862d6e083...0a.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294180s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    22/03/2022, 12:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe

  • Size

    586KB

  • MD5

    55b95e36469a3600abb995e58f61d4c9

  • SHA1

    de6717493246599d8702e7d1fd6914aab5bd015d

  • SHA256

    7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a

  • SHA512

    9b2eceff54340057b3eae7391b7c5205c3b2d6d13299b4b918fb1d1a5f6f1006079fc4c58b9dd589738927cf0580f5050c4e61448dd82a8d089f2ea9ddcb5e0a

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!-Recovery_Instructions-!.txt

Ransom Note
! YOUR NETWORK HAS BEEN COMPROMISED ! All your important files have been encrypted! ANY ATTEMPT TO RESTORE A FILE WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. No software available on internet can help you. We are the only ones able to solve your problem. We gathered data from different segment of your network. These data are currently stored on a private server and will be immediately destroyed after your payment. If you decide to not pay, we will keep your data stored and contact press or re-seller or expose it on our partner's website. We only seek money and do not want to damage your reputation or prevent your business from running. If you take wise choice to pay, all of this will be solved very soon and smoothly. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. Contact us. [email protected] [email protected] In the subject write - id-VAa87a901aef

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Drops desktop.ini file(s) 26 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
    "C:\Users\Admin\AppData\Local\Temp\7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:576
    • C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:1016
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe" >> NUL
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Windows\system32\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1152
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2016

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/576-54-0x000007FEFBE01000-0x000007FEFBE03000-memory.dmp

    Filesize

    8KB

    Download