7159a202d1129ee4685bc305f4c5a1b8ce664a129257af0a95acadc9b22b23d4

General

Target

sample.exe
Size

79KB
MD5

8373085c527b21c1b76748d65aac4d19
SHA1

9f87288ce3c3dcb182bb468a348813f08be3b42b
SHA256

25835a890a218fd26bfd8b23696576402b5eb8a4c9af4a51529e14c4f00a9cce
SHA512

fafccdb48a7c3b2c0efecf5934936e9faafec90619b657c3b525e61b4611870432fc0695f2d108438730d93d8b7832a90d50191c48f43fe6cb1f2f38caa717aa

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\How To Decrypt.txt

Ransom Note

Blaze Ransomware Your data are stolen and encrypted The data will be published on TOR website http://imugmohnfb6akqz7jb6rqjusiwgnthjgm37mjygondgkwwyw3hwudkqd.onion if you do not pay the ransom You can contact us and decrypt one file for free. [email protected] Caution!! Do not modify encrypted files, otherwise you may lose all your files forever!

Emails

[email protected]

URLs

http://imugmohnfb6akqz7jb6rqjusiwgnthjgm37mjygondgkwwyw3hwudkqd.onion

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ConfirmFind.tif.blaze	sample.exe
File renamed	C:\Users\Admin\Pictures\RedoWrite.tif => C:\Users\Admin\Pictures\RedoWrite.tif.blaze	sample.exe
File opened for modification	C:\Users\Admin\Pictures\RedoWrite.tif.blaze	sample.exe
File renamed	C:\Users\Admin\Pictures\ResolveGroup.raw => C:\Users\Admin\Pictures\ResolveGroup.raw.blaze	sample.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveGroup.raw.blaze	sample.exe
File renamed	C:\Users\Admin\Pictures\ConfirmFind.tif => C:\Users\Admin\Pictures\ConfirmFind.tif.blaze	sample.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	sample.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	sample.exe
File opened (read-only)	\??\R:	sample.exe
File opened (read-only)	\??\A:	sample.exe
File opened (read-only)	\??\S:	sample.exe
File opened (read-only)	\??\J:	sample.exe
File opened (read-only)	\??\K:	sample.exe
File opened (read-only)	\??\X:	sample.exe
File opened (read-only)	\??\B:	sample.exe
File opened (read-only)	\??\E:	sample.exe
File opened (read-only)	\??\T:	sample.exe
File opened (read-only)	\??\U:	sample.exe
File opened (read-only)	\??\I:	sample.exe
File opened (read-only)	\??\F:	sample.exe
File opened (read-only)	\??\Z:	sample.exe
File opened (read-only)	\??\M:	sample.exe
File opened (read-only)	\??\Y:	sample.exe
File opened (read-only)	\??\P:	sample.exe
File opened (read-only)	\??\G:	sample.exe
File opened (read-only)	\??\V:	sample.exe
File opened (read-only)	\??\Q:	sample.exe
File opened (read-only)	\??\W:	sample.exe
File opened (read-only)	\??\O:	sample.exe
File opened (read-only)	\??\H:	sample.exe
File opened (read-only)	\??\L:	sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4624	vssadmin.exe
1368	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3392	sample.exe
3392	sample.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	4016	vssvc.exe
Token: SeRestorePrivilege	4016	vssvc.exe
Token: SeAuditPrivilege	4016	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 4224	3392	sample.exe	78
PID 3392 wrote to memory of 4224	3392	sample.exe	78
PID 4224 wrote to memory of 1368	4224	cmd.exe	80
PID 4224 wrote to memory of 1368	4224	cmd.exe	80
PID 3392 wrote to memory of 3156	3392	sample.exe	84
PID 3392 wrote to memory of 3156	3392	sample.exe	84
PID 3156 wrote to memory of 4624	3156	cmd.exe	86
PID 3156 wrote to memory of 4624	3156	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4624