627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb

Resubmissions

04-05-2022 18:54

220504-xkbmesedd4 10

03-05-2022 21:06

220503-zx5r5sfcam 10

Analysis

max time kernel
44s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
04-05-2022 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
Size

220KB
MD5

adc3438992114c797a33b0a2ed415185
SHA1

568979d0548bef3a113fd03f75b6d1c64aa4e0d9
SHA256

627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb
SHA512

1f3d7551ee1621641b98da20dbc6444e6845af5fdc63f04339c5ab4a5d57fe12465e328edc91fd57c87c9ce64da89a0c8cbf155d0a3214d9a03c395812bfebf0

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Restore_My_Files.txt

Ransom Note

### What happened? #### !!!Your files are encrypted!!! *All your files are protected by strong encryption with RSA-2048.* *There is no public decryption software.* *We have successfully stolen your confidential document data, finances, emails, employee information, customers, research and development products...* #### What is the price? *The price depends on how fast you can write to us.* *After payment, we will send you the decryption tool which will decrypt all your files.* #### What should I do? *There is only one way to get your files back -->>Contact us, pay and get decryption software.* *If you decline payment, we will share your data files with the world.* *You can browse your data breach here: http://vbfqeh5nugm6r2u2qvghsdxm3fotf5wbxb5ltv6vw77vus5frdpuaiid.onion* (you should download and install TOR browser first hxxps://torproject.org) #### !!!Decryption Guaranteed!!! *Free decryption As a guarantee, you can send us up to 3 free decrypted files before payment.* #### !!!Contact us!!! email: [email protected] #### !!!Warning!!! *Do not attempt to decrypt your data using third-party software, this may result in permanent data loss.* *Decrypting your files with the help of a third party may result in a price increase (they charge us a fee), or you may fall victim to a scam.* *Don't try to delete programs or run antivirus tools. It won't work.* *Attempting to self-decrypt the file will result in the loss of your data.*

Emails

[email protected]

URLs

http://vbfqeh5nugm6r2u2qvghsdxm3fotf5wbxb5ltv6vw77vus5frdpuaiid.onion*

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 15 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\TestEnter.tiff	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File renamed	C:\Users\Admin\Pictures\TestEnter.tiff => C:\Users\Admin\Pictures\TestEnter.tiff.pandora	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File renamed	C:\Users\Admin\Pictures\UninstallConnect.tif => C:\Users\Admin\Pictures\UninstallConnect.tif.pandora	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File renamed	C:\Users\Admin\Pictures\ResetSend.tiff => C:\Users\Admin\Pictures\ResetSend.tiff.pandora	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File renamed	C:\Users\Admin\Pictures\DisableHide.png => C:\Users\Admin\Pictures\DisableHide.png.pandora	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File renamed	C:\Users\Admin\Pictures\NewConvertTo.tif => C:\Users\Admin\Pictures\NewConvertTo.tif.pandora	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File renamed	C:\Users\Admin\Pictures\PushSend.tif => C:\Users\Admin\Pictures\PushSend.tif.pandora	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File renamed	C:\Users\Admin\Pictures\CompareAdd.raw => C:\Users\Admin\Pictures\CompareAdd.raw.pandora	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File renamed	C:\Users\Admin\Pictures\DenyOpen.tiff => C:\Users\Admin\Pictures\DenyOpen.tiff.pandora	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File renamed	C:\Users\Admin\Pictures\GroupConfirm.crw => C:\Users\Admin\Pictures\GroupConfirm.crw.pandora	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File renamed	C:\Users\Admin\Pictures\WatchPublish.tiff => C:\Users\Admin\Pictures\WatchPublish.tiff.pandora	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File renamed	C:\Users\Admin\Pictures\BackupSet.raw => C:\Users\Admin\Pictures\BackupSet.raw.pandora	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File opened for modification	C:\Users\Admin\Pictures\ResetSend.tiff	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File opened for modification	C:\Users\Admin\Pictures\WatchPublish.tiff	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File opened for modification	C:\Users\Admin\Pictures\DenyOpen.tiff	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\M:\$RECYCLE.BIN\S-1-5-21-1083475884-596052423-1669053738-1000\desktop.ini	a.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	a.exe
File opened (read-only)	\??\J:	a.exe
File opened (read-only)	\??\J:	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File opened (read-only)	\??\P:	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File opened (read-only)	\??\W:	a.exe
File opened (read-only)	\??\E:	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File opened (read-only)	\??\H:	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File opened (read-only)	\??\Z:	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File opened (read-only)	\??\I:	a.exe
File opened (read-only)	\??\A:	a.exe
File opened (read-only)	\??\A:	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File opened (read-only)	\??\T:	a.exe
File opened (read-only)	\??\R:	a.exe
File opened (read-only)	\??\X:	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File opened (read-only)	\??\U:	a.exe
File opened (read-only)	\??\I:	a.exe
File opened (read-only)	\??\F:	a.exe
File opened (read-only)	\??\T:	a.exe
File opened (read-only)	\??\P:	a.exe
File opened (read-only)	\??\B:	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File opened (read-only)	\??\Q:	a.exe
File opened (read-only)	\??\F:	a.exe
File opened (read-only)	\??\X:	a.exe
File opened (read-only)	\??\V:	a.exe
File opened (read-only)	\??\T:	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File opened (read-only)	\??\F:	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File opened (read-only)	\??\N:	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File opened (read-only)	\??\E:	a.exe
File opened (read-only)	\??\A:	a.exe
File opened (read-only)	\??\S:	a.exe
File opened (read-only)	\??\N:	a.exe
File opened (read-only)	\??\W:	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File opened (read-only)	\??\J:	a.exe
File opened (read-only)	\??\Z:	a.exe
File opened (read-only)	\??\O:	a.exe
File opened (read-only)	\??\G:	a.exe
File opened (read-only)	\??\L:	a.exe
File opened (read-only)	\??\X:	a.exe
File opened (read-only)	\??\Z:	a.exe
File opened (read-only)	\??\S:	a.exe
File opened (read-only)	\??\V:	a.exe
File opened (read-only)	\??\B:	a.exe
File opened (read-only)	\??\R:	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File opened (read-only)	\??\G:	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File opened (read-only)	\??\V:	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File opened (read-only)	\??\K:	a.exe
File opened (read-only)	\??\O:	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File opened (read-only)	\??\Q:	a.exe
File opened (read-only)	\??\W:	a.exe
File opened (read-only)	\??\G:	a.exe
File opened (read-only)	\??\K:	a.exe
File opened (read-only)	\??\Q:	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File opened (read-only)	\??\Y:	a.exe
File opened (read-only)	\??\L:	a.exe
File opened (read-only)	\??\Y:	a.exe
File opened (read-only)	\??\H:	a.exe
File opened (read-only)	\??\S:	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
File opened (read-only)	\??\R:	a.exe
File opened (read-only)	\??\P:	a.exe
File opened (read-only)	\??\B:	a.exe
File opened (read-only)	\??\E:	a.exe
File opened (read-only)	\??\M:	a.exe
File opened (read-only)	\??\U:	a.exe
File opened (read-only)	\??\I:	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1484	vssadmin.exe
1224	vssadmin.exe
1848	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
1608	a.exe
580	a.exe
580	a.exe
580	a.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
Token: SeBackupPrivilege	1820	vssvc.exe
Token: SeRestorePrivilege	1820	vssvc.exe
Token: SeAuditPrivilege	1820	vssvc.exe
Token: 33	856	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	856	AUDIODG.EXE
Token: 33	856	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	856	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1608	a.exe
Token: SeIncBasePriorityPrivilege	580	a.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 1228	1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe	29
PID 1864 wrote to memory of 1228	1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe	29
PID 1864 wrote to memory of 1228	1864	627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe	29
PID 1228 wrote to memory of 1484	1228	cmd.exe	31
PID 1228 wrote to memory of 1484	1228	cmd.exe	31
PID 1228 wrote to memory of 1484	1228	cmd.exe	31
PID 1608 wrote to memory of 1548	1608	a.exe	41
PID 1608 wrote to memory of 1548	1608	a.exe	41
PID 1608 wrote to memory of 1548	1608	a.exe	41
PID 1548 wrote to memory of 1224	1548	cmd.exe	43
PID 1548 wrote to memory of 1224	1548	cmd.exe	43
PID 1548 wrote to memory of 1224	1548	cmd.exe	43
PID 580 wrote to memory of 1380	580	a.exe	48
PID 580 wrote to memory of 1380	580	a.exe	48
PID 580 wrote to memory of 1380	580	a.exe	48
PID 1380 wrote to memory of 1848	1380	cmd.exe	50
PID 1380 wrote to memory of 1848	1380	cmd.exe	50
PID 1380 wrote to memory of 1848	1380	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe
"C:\Users\Admin\AppData\Local\Temp\627ede421ee51a7153ee896f657169665c1e9f79ef0ba4af1f6450d816900cbb.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1484

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:544

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x544
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1224

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
PID:236

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

\??\M:\$RECYCLE.BIN\S-1-5-21-1083475884-596052423-1669053738-1000\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
memory/1864-54-0x000007FEFBF91000-0x000007FEFBF93000-memory.dmp

Filesize
8KB

Download