e26b2ffb2ee711fc7b04d62911580560794ee4fa9b7fcfade65ee6ff2eed0274

Resubmissions

21/06/2022, 11:45

220621-nwv1rsfeg2 10

01/06/2022, 14:14

220601-rjzpzacfhn 10

Analysis

max time kernel
39s
max time network
42s
platform
windows7_x64
resource
win7-20220414-en
submitted
01/06/2022, 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

z7w3x.exe
Size

621KB
MD5

753585e5e099b192cf8d7593dd5ef4bf
SHA1

68c5d6b38c9dd9e9e1e888386025352811147028
SHA256

e26b2ffb2ee711fc7b04d62911580560794ee4fa9b7fcfade65ee6ff2eed0274
SHA512

de96554eaa3971672f05228d26fc6cbe98c8a5b31d35b21c92256c4dfee24ec81a708d601e0be4b80a0a365f620e4b0582f6fcc950f29df2ed6233c8314494ce

Score

10^/10

discovery persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Horse.txt

Ransom Note

::: Hello my dear friend ::: Unfortunately for you, a major IT security weakness left you open to attack, your files have been encrypted If you want to restore them,write to our skype - HORSEMAGYAR DECRYPTION Also you can write ICQ live chat which works 24/7 @HORSEMAGYAR Install ICQ software on your PC https://icq.com/windows/ or on your mobile phone search in Appstore / Google market ICQ Write to our ICQ @HORSEMAGYAR https://icq.im/HORSEMAGYAR If we not reply in 6 hours you can write to our mail but use it only if previous methods not working - [email protected] Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * We are always ready to cooperate and find the best way to solve your problem. * The faster you write, the more favorable the conditions will be for you. * Our company values its reputation. We give all guarantees of your files decryption,such as test decryption some of them We respect your time and waiting for respond from your side tell your MachineID: V1LAU0DEV1 and LaunchID: 6670d80773 Sensitive data on your system was DOWNLOADED. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Private financial information including: clients data, bills, budgets, annual reports, bank statements. - Manufacturing documents including: datagrams, schemas, drawings in solidworks format - And more...

Emails

[email protected]

URLs

https://icq.com/windows/

https://icq.im/HORSEMAGYAR

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ResumeUnpublish.tiff	z7w3x.exe

Deletes itself 1 IoCs

pid	Process
1736	cmd.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
820	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	z7w3x.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\z7w3x.exe\" e"	z7w3x.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\E:\$RECYCLE.BIN\S-1-5-21-1083475884-596052423-1669053738-1000\desktop.ini	z7w3x.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	z7w3x.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	z7w3x.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1400	timeout.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
760	vssadmin.exe
1676	vssadmin.exe
1992	vssadmin.exe
1020	vssadmin.exe
1280	vssadmin.exe
1592	vssadmin.exe
664	vssadmin.exe
2016	vssadmin.exe
1876	vssadmin.exe
1236	vssadmin.exe
1368	vssadmin.exe
1528	vssadmin.exe
1336	vssadmin.exe
788	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1396	powershell.exe
1416	z7w3x.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeBackupPrivilege	108	vssvc.exe
Token: SeRestorePrivilege	108	vssvc.exe
Token: SeAuditPrivilege	108	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1712	wmic.exe
Token: SeSecurityPrivilege	1712	wmic.exe
Token: SeTakeOwnershipPrivilege	1712	wmic.exe
Token: SeLoadDriverPrivilege	1712	wmic.exe
Token: SeSystemProfilePrivilege	1712	wmic.exe
Token: SeSystemtimePrivilege	1712	wmic.exe
Token: SeProfSingleProcessPrivilege	1712	wmic.exe
Token: SeIncBasePriorityPrivilege	1712	wmic.exe
Token: SeCreatePagefilePrivilege	1712	wmic.exe
Token: SeBackupPrivilege	1712	wmic.exe
Token: SeRestorePrivilege	1712	wmic.exe
Token: SeShutdownPrivilege	1712	wmic.exe
Token: SeDebugPrivilege	1712	wmic.exe
Token: SeSystemEnvironmentPrivilege	1712	wmic.exe
Token: SeRemoteShutdownPrivilege	1712	wmic.exe
Token: SeUndockPrivilege	1712	wmic.exe
Token: SeManageVolumePrivilege	1712	wmic.exe
Token: 33	1712	wmic.exe
Token: 34	1712	wmic.exe
Token: 35	1712	wmic.exe
Token: SeIncreaseQuotaPrivilege	1712	wmic.exe
Token: SeSecurityPrivilege	1712	wmic.exe
Token: SeTakeOwnershipPrivilege	1712	wmic.exe
Token: SeLoadDriverPrivilege	1712	wmic.exe
Token: SeSystemProfilePrivilege	1712	wmic.exe
Token: SeSystemtimePrivilege	1712	wmic.exe
Token: SeProfSingleProcessPrivilege	1712	wmic.exe
Token: SeIncBasePriorityPrivilege	1712	wmic.exe
Token: SeCreatePagefilePrivilege	1712	wmic.exe
Token: SeBackupPrivilege	1712	wmic.exe
Token: SeRestorePrivilege	1712	wmic.exe
Token: SeShutdownPrivilege	1712	wmic.exe
Token: SeDebugPrivilege	1712	wmic.exe
Token: SeSystemEnvironmentPrivilege	1712	wmic.exe
Token: SeRemoteShutdownPrivilege	1712	wmic.exe
Token: SeUndockPrivilege	1712	wmic.exe
Token: SeManageVolumePrivilege	1712	wmic.exe
Token: 33	1712	wmic.exe
Token: 34	1712	wmic.exe
Token: 35	1712	wmic.exe
Token: SeDebugPrivilege	1396	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 964	1416	z7w3x.exe	27
PID 1416 wrote to memory of 964	1416	z7w3x.exe	27
PID 1416 wrote to memory of 964	1416	z7w3x.exe	27
PID 1416 wrote to memory of 964	1416	z7w3x.exe	27
PID 1416 wrote to memory of 1528	1416	z7w3x.exe	28
PID 1416 wrote to memory of 1528	1416	z7w3x.exe	28
PID 1416 wrote to memory of 1528	1416	z7w3x.exe	28
PID 1416 wrote to memory of 1528	1416	z7w3x.exe	28
PID 964 wrote to memory of 1736	964	net.exe	31
PID 964 wrote to memory of 1736	964	net.exe	31
PID 964 wrote to memory of 1736	964	net.exe	31
PID 964 wrote to memory of 1736	964	net.exe	31
PID 1416 wrote to memory of 1960	1416	z7w3x.exe	33
PID 1416 wrote to memory of 1960	1416	z7w3x.exe	33
PID 1416 wrote to memory of 1960	1416	z7w3x.exe	33
PID 1416 wrote to memory of 1960	1416	z7w3x.exe	33
PID 1416 wrote to memory of 1712	1416	z7w3x.exe	35
PID 1416 wrote to memory of 1712	1416	z7w3x.exe	35
PID 1416 wrote to memory of 1712	1416	z7w3x.exe	35
PID 1416 wrote to memory of 1712	1416	z7w3x.exe	35
PID 1416 wrote to memory of 1992	1416	z7w3x.exe	38
PID 1416 wrote to memory of 1992	1416	z7w3x.exe	38
PID 1416 wrote to memory of 1992	1416	z7w3x.exe	38
PID 1416 wrote to memory of 1992	1416	z7w3x.exe	38
PID 1416 wrote to memory of 760	1416	z7w3x.exe	40
PID 1416 wrote to memory of 760	1416	z7w3x.exe	40
PID 1416 wrote to memory of 760	1416	z7w3x.exe	40
PID 1416 wrote to memory of 760	1416	z7w3x.exe	40
PID 1416 wrote to memory of 1676	1416	z7w3x.exe	42
PID 1416 wrote to memory of 1676	1416	z7w3x.exe	42
PID 1416 wrote to memory of 1676	1416	z7w3x.exe	42
PID 1416 wrote to memory of 1676	1416	z7w3x.exe	42
PID 1416 wrote to memory of 664	1416	z7w3x.exe	44
PID 1416 wrote to memory of 664	1416	z7w3x.exe	44
PID 1416 wrote to memory of 664	1416	z7w3x.exe	44
PID 1416 wrote to memory of 664	1416	z7w3x.exe	44
PID 1416 wrote to memory of 2016	1416	z7w3x.exe	46
PID 1416 wrote to memory of 2016	1416	z7w3x.exe	46
PID 1416 wrote to memory of 2016	1416	z7w3x.exe	46
PID 1416 wrote to memory of 2016	1416	z7w3x.exe	46
PID 1416 wrote to memory of 1336	1416	z7w3x.exe	48
PID 1416 wrote to memory of 1336	1416	z7w3x.exe	48
PID 1416 wrote to memory of 1336	1416	z7w3x.exe	48
PID 1416 wrote to memory of 1336	1416	z7w3x.exe	48
PID 1416 wrote to memory of 1020	1416	z7w3x.exe	50
PID 1416 wrote to memory of 1020	1416	z7w3x.exe	50
PID 1416 wrote to memory of 1020	1416	z7w3x.exe	50
PID 1416 wrote to memory of 1020	1416	z7w3x.exe	50
PID 1416 wrote to memory of 1280	1416	z7w3x.exe	52
PID 1416 wrote to memory of 1280	1416	z7w3x.exe	52
PID 1416 wrote to memory of 1280	1416	z7w3x.exe	52
PID 1416 wrote to memory of 1280	1416	z7w3x.exe	52
PID 1416 wrote to memory of 1876	1416	z7w3x.exe	54
PID 1416 wrote to memory of 1876	1416	z7w3x.exe	54
PID 1416 wrote to memory of 1876	1416	z7w3x.exe	54
PID 1416 wrote to memory of 1876	1416	z7w3x.exe	54
PID 1416 wrote to memory of 1236	1416	z7w3x.exe	56
PID 1416 wrote to memory of 1236	1416	z7w3x.exe	56
PID 1416 wrote to memory of 1236	1416	z7w3x.exe	56
PID 1416 wrote to memory of 1236	1416	z7w3x.exe	56
PID 1416 wrote to memory of 1592	1416	z7w3x.exe	58
PID 1416 wrote to memory of 1592	1416	z7w3x.exe	58
PID 1416 wrote to memory of 1592	1416	z7w3x.exe	58
PID 1416 wrote to memory of 1592	1416	z7w3x.exe	58

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	z7w3x.exe

C:\Users\Admin\AppData\Local\Temp\z7w3x.exe
"C:\Users\Admin\AppData\Local\Temp\z7w3x.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1416
- C:\Windows\SysWOW64\net.exe
  net stop VSS & sc config VSS start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VSS & sc config VSS start= disabled
    3⤵
    PID:1736
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1528
- C:\Windows\SysWOW64\sc.exe
  sc config VSS start= Demand & net start VSS
  2⤵
  PID:1960
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY delete /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1992
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:760
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1676
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:664
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2016
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1336
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1020
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1280
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1876
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1236
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1592
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1368
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:788
- C:\Windows\SysWOW64\icacls.exe
  icacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:820
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\z7w3x.exe" >> NUL
  2⤵
  - Deletes itself
  PID:1736
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1396-84-0x00000000743E0000-0x0000000074405000-memory.dmp

Filesize
148KB

Download
memory/1396-87-0x0000000071830000-0x00000000719CE000-memory.dmp

Filesize
1.6MB

Download
memory/1396-94-0x0000000073DA0000-0x000000007434B000-memory.dmp

Filesize
5.7MB

Download
memory/1396-93-0x0000000071220000-0x0000000071756000-memory.dmp

Filesize
5.2MB

Download
memory/1396-92-0x0000000070FF0000-0x0000000071104000-memory.dmp

Filesize
1.1MB

Download
memory/1396-91-0x0000000071110000-0x0000000071214000-memory.dmp

Filesize
1.0MB

Download
memory/1396-89-0x0000000073D70000-0x0000000073D9D000-memory.dmp

Filesize
180KB

Download
memory/1396-90-0x0000000071760000-0x0000000071823000-memory.dmp

Filesize
780KB

Download
memory/1396-88-0x0000000071B00000-0x000000007237A000-memory.dmp

Filesize
8.5MB

Download
memory/1396-86-0x00000000719D0000-0x0000000071A6C000-memory.dmp

Filesize
624KB

Download
memory/1396-76-0x0000000073DA0000-0x000000007434B000-memory.dmp

Filesize
5.7MB

Download
memory/1396-77-0x0000000072E10000-0x0000000073908000-memory.dmp

Filesize
11.0MB

Download
memory/1396-79-0x0000000070990000-0x0000000070FE1000-memory.dmp

Filesize
6.3MB

Download
memory/1396-78-0x0000000072670000-0x0000000072E0C000-memory.dmp

Filesize
7.6MB

Download
memory/1396-80-0x0000000072E10000-0x0000000073908000-memory.dmp

Filesize
11.0MB

Download
memory/1396-81-0x0000000074460000-0x00000000744E1000-memory.dmp

Filesize
516KB

Download
memory/1396-82-0x0000000073920000-0x0000000073B55000-memory.dmp

Filesize
2.2MB

Download
memory/1396-83-0x0000000074410000-0x000000007445B000-memory.dmp

Filesize
300KB

Download
memory/1396-85-0x0000000071A70000-0x0000000071AF5000-memory.dmp

Filesize
532KB

Download
memory/1416-54-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download