7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a

General

Target

7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
Size

586KB
MD5

55b95e36469a3600abb995e58f61d4c9
SHA1

de6717493246599d8702e7d1fd6914aab5bd015d
SHA256

7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a
SHA512

9b2eceff54340057b3eae7391b7c5205c3b2d6d13299b4b918fb1d1a5f6f1006079fc4c58b9dd589738927cf0580f5050c4e61448dd82a8d089f2ea9ddcb5e0a

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!-Recovery_Instructions-!.txt

Ransom Note

! YOUR NETWORK HAS BEEN COMPROMISED ! All your important files have been encrypted! ANY ATTEMPT TO RESTORE A FILE WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. No software available on internet can help you. We are the only ones able to solve your problem. We gathered data from different segment of your network. These data are currently stored on a private server and will be immediately destroyed after your payment. If you decide to not pay, we will keep your data stored and contact press or re-seller or expose it on our partner's website. We only seek money and do not want to damage your reputation or prevent your business from running. If you take wise choice to pay, all of this will be solved very soon and smoothly. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. Contact us. restoreassistance_net@wholeness.business restoreassistance_net@decorous.cyou In the subject write - id-VA994b5ede65

Emails

restoreassistance_net@wholeness.business

restoreassistance_net@decorous.cyou

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 11 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CheckpointRegister.tif => C:\Users\Admin\Pictures\CheckpointRegister.tif.SunnyDay	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File renamed	C:\Users\Admin\Pictures\GetApprove.raw => C:\Users\Admin\Pictures\GetApprove.raw.SunnyDay	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File renamed	C:\Users\Admin\Pictures\ShowMerge.tif => C:\Users\Admin\Pictures\ShowMerge.tif.SunnyDay	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File renamed	C:\Users\Admin\Pictures\UnpublishPop.raw => C:\Users\Admin\Pictures\UnpublishPop.raw.SunnyDay	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File renamed	C:\Users\Admin\Pictures\WriteRepair.png => C:\Users\Admin\Pictures\WriteRepair.png.SunnyDay	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File renamed	C:\Users\Admin\Pictures\CloseSwitch.tif => C:\Users\Admin\Pictures\CloseSwitch.tif.SunnyDay	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File renamed	C:\Users\Admin\Pictures\MeasureCopy.crw => C:\Users\Admin\Pictures\MeasureCopy.crw.SunnyDay	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File renamed	C:\Users\Admin\Pictures\RevokeClose.tif => C:\Users\Admin\Pictures\RevokeClose.tif.SunnyDay	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File renamed	C:\Users\Admin\Pictures\SaveUnprotect.png => C:\Users\Admin\Pictures\SaveUnprotect.png.SunnyDay	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File renamed	C:\Users\Admin\Pictures\SubmitDisconnect.raw => C:\Users\Admin\Pictures\SubmitDisconnect.raw.SunnyDay	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File renamed	C:\Users\Admin\Pictures\WaitSave.crw => C:\Users\Admin\Pictures\WaitSave.crw.SunnyDay	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe

Drops desktop.ini file(s) 25 IoCs

Processes:

7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe

description	ioc	process
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Public\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe

Drops file in Windows directory 23 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BITCA20.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BITCA8E.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT3053.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT316E.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT3374.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BITC934.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\f3535a3b47819a04c6d5ee18905493be086e801e	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT29E8.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\F2WKV54ysEMEW9U+EfiUeJcNcgfNL4pMC5NmE0a3mAg=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\BIT3401.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT3942.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BITCAAE.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\BITD127.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\BIT2A76.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\9+dL4Puh6FM8puPxsBEX86BMeGqpuC0b7gf2fD9DLLo=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT3100.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\BIT318E.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\7752a73587b3362d505a041fe7f69ecd\af66e12c1bb9d8519da21259d0fcd88c247cb4f1	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\Cmn5TH6S2lFFnfMN8MLr2EoNUIAGzQo2UUjHGMEC99A=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\CsA9z1\SlUHUPO8bKnA\5ondRmJ90JlkPETuN535TWk=	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\9d6172fa1dc41a48846593219fc6519f\e1a85885fd4453165061351651289cce8f8590c4	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d60cb501610b6a66743c55eade3ef996\BIT23CD.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\ca4af4339884f7018bf988ecac7702ff\612ad442b8740f4c57b8c84e6bf465ba4699118c	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2244 timeout.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

5076 vssadmin.exe

pid	process
2244	timeout.exe

pid	process
5076	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe

pid	process
1916	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
1916	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2748 vssvc.exe
Token: SeRestorePrivilege 2748 vssvc.exe
Token: SeAuditPrivilege 2748 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	2748	vssvc.exe
Token: SeRestorePrivilege	2748	vssvc.exe
Token: SeAuditPrivilege	2748	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.execmd.exe

description	pid	process	target process
PID 1916 wrote to memory of 5076	1916	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe	vssadmin.exe
PID 1916 wrote to memory of 5076	1916	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe	vssadmin.exe
PID 1916 wrote to memory of 3168	1916	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe	cmd.exe
PID 1916 wrote to memory of 3168	1916	7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe	cmd.exe
PID 3168 wrote to memory of 2244	3168	cmd.exe	timeout.exe
PID 3168 wrote to memory of 2244	3168	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe
"C:\Users\Admin\AppData\Local\Temp\7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:5076

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\7862d6e083c5792c40a6a570c1d3824ddab12cebc902ea965393fe057b717c0a.exe" >> NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\system32\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2244

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Drops file in Windows directory
PID:556

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv vnmZEoxk7k6Jz+G579WJCg.0
1⤵
PID:1632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/556-134-0x00000151AB740000-0x00000151AB750000-memory.dmp

Filesize
64KB

Download
memory/556-135-0x00000151AB7A0000-0x00000151AB7B0000-memory.dmp

Filesize
64KB

Download
memory/556-136-0x00000151AE620000-0x00000151AE621000-memory.dmp

Filesize
4KB

Download
memory/556-137-0x00000151AE6C0000-0x00000151AE6C4000-memory.dmp

Filesize
16KB

Download
memory/556-138-0x00000151AE6C0000-0x00000151AE6C4000-memory.dmp

Filesize
16KB

Download
memory/556-139-0x00000151AE810000-0x00000151AE814000-memory.dmp

Filesize
16KB

Download
memory/556-140-0x00000151AE810000-0x00000151AE814000-memory.dmp

Filesize
16KB

Download
memory/556-141-0x00000151AE780000-0x00000151AE784000-memory.dmp

Filesize
16KB

Download
memory/556-142-0x00000151AECE0000-0x00000151AECE4000-memory.dmp

Filesize
16KB

Download
memory/556-143-0x00000151AECE0000-0x00000151AECE4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads