Overview

overview

10

Static

static

Taleb.Ransom.exe

windows7_x64

10

Taleb.Ransom.exe

windows10-2004_x64

10

Resubmissions

25-03-2022 06:59

220325-hsddnafgel 10

08-03-2022 23:12

220308-263p9abfb4 8

Analysis

  • max time kernel
    321s
  • max time network
    275s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    25-03-2022 06:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Taleb.Ransom.exe

  • Size

    10.8MB

  • MD5

    ac09b7550eda13e03a55448fd8367e2d

  • SHA1

    8266a12669a4a3952cb9af86e75ed74c27c71013

  • SHA256

    4b78968928cfa5437ffdd56a39a5ea8c10a7b6dc5d3f342d003260088876b3cf

  • SHA512

    44cace3038bd96fa36a9d3b16251573f625f5e7cb53f0233d87f6e8ab564e731bd8719088feec44f47a460c0a096b964c2c0e77f3f1c371b773e66407aef5d29

Score
10/10
evasionransomware

Malware Config

Extracted

Path

C:\Decryption-Guide.txt

Ransom Note
Your Files Are Has Been Locked Your Files Has Been Encrypted with cryptography Algorithm If You Need Your Files And They are Important to You, Dont be shy Send Me an Email Send Test File + The Key File on Your System (File Exist in C:/ProgramData example : RSAKEY-SE-24r6t523 pr RSAKEY.KEY) to Make Sure Your Files Can be Restored Make an Agreement on Price with me and Pay Get Decryption Tool + RSA Key AND Instruction For Decryption Process Attention: 1- Do Not Rename or Modify The Files (You May loose That file) 2- Do Not Try To Use 3rd Party Apps or Recovery Tools ( if You want to do that make an copy from Files and try on them and Waste Your time ) 3-Do not Reinstall Operation System(Windows) You may loose the key File and Loose Your Files 4-Do Not Always Trust to Middle mans and negotiators (some of them are good but some of them agree on 4000usd for example and Asked 10000usd From Client) this Was happened Your Case ID :MJ-DT1743028965 OUR Email :Folperdock@gmail.com
Emails

Folperdock@gmail.com

Signatures

  • Modifies Windows Firewall 1 TTPs
    evasion
  • Drops desktop.ini file(s) 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • NTFS ADS 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Taleb.Ransom.exe
    "C:\Users\Admin\AppData\Local\Temp\Taleb.Ransom.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3528
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c net stop MSDTC
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4224
      • C:\Windows\SysWOW64\net.exe
        net stop MSDTC
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:620
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MSDTC
          4⤵
            PID:1248
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
        2⤵
          PID:3288
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
          2⤵
            PID:2264
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
            2⤵
              PID:4592
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2340
              • C:\Windows\SysWOW64\net.exe
                net stop SQLSERVERAGENT
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:3868
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 stop SQLSERVERAGENT
                  4⤵
                    PID:912
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:4804
                • C:\Windows\SysWOW64\net.exe
                  net stop MSSQLSERVER
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1444
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop MSSQLSERVER
                    4⤵
                      PID:1856
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c net stop vds
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2268
                  • C:\Windows\SysWOW64\net.exe
                    net stop vds
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:5112
                    • C:\Windows\SysWOW64\net1.exe
                      C:\Windows\system32\net1 stop vds
                      4⤵
                        PID:1004
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4672
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh advfirewall set currentprofile state off
                      3⤵
                        PID:1740
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3892
                      • C:\Windows\SysWOW64\netsh.exe
                        netsh firewall set opmode mode=disable
                        3⤵
                          PID:4556
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c net stop SQLWriter
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3736
                        • C:\Windows\SysWOW64\net.exe
                          net stop SQLWriter
                          3⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1856
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 stop SQLWriter
                            4⤵
                              PID:688
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c net stop SQLBrowser
                          2⤵
                            PID:1316
                            • C:\Windows\SysWOW64\net.exe
                              net stop SQLBrowser
                              3⤵
                                PID:4944
                                • C:\Windows\SysWOW64\net1.exe
                                  C:\Windows\system32\net1 stop SQLBrowser
                                  4⤵
                                    PID:5036
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
                                2⤵
                                  PID:416
                                  • C:\Windows\SysWOW64\net.exe
                                    net stop MSSQLSERVER
                                    3⤵
                                      PID:2252
                                      • C:\Windows\SysWOW64\net1.exe
                                        C:\Windows\system32\net1 stop MSSQLSERVER
                                        4⤵
                                          PID:60
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
                                      2⤵
                                        PID:4228
                                        • C:\Windows\SysWOW64\net.exe
                                          net stop MSSQL$CONTOSO1
                                          3⤵
                                            PID:2208
                                            • C:\Windows\SysWOW64\net1.exe
                                              C:\Windows\system32\net1 stop MSSQL$CONTOSO1
                                              4⤵
                                                PID:4068

                                        Network

                                        MITRE ATT&CK Matrix ATT&CK v6

                                        Initial Access

                                        Execution

                                        Persistence

                                        Modify Existing Service

                                        1
                                        T1031

                                        Privilege Escalation

                                        Defense Evasion

                                        Credential Access

                                        Discovery

                                        Lateral Movement

                                        Collection

                                        Exfiltration

                                        Command and Control

                                        Impact

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • memory/60-161-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/416-159-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/620-135-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/688-155-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/912-142-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/1004-148-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/1248-136-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/1316-156-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/1444-144-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/1740-150-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/1856-145-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/1856-154-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2208-163-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2252-160-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2264-138-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2268-146-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/2340-140-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3288-137-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3736-153-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3868-141-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/3892-151-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/4068-164-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/4224-134-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/4228-162-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/4556-152-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/4592-139-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/4672-149-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/4804-143-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/4944-157-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/5036-158-0x0000000000000000-mapping.dmp
                                          Download
                                        • memory/5112-147-0x0000000000000000-mapping.dmp
                                          Download