Overview
overview
10Static
static
1036c3-malwa.../1.exe
windows7_x64
1036c3-malwa.../1.exe
windows10-2004_x64
1036c3-malwa...86.exe
windows7_x64
1036c3-malwa...86.exe
windows10-2004_x64
1036c3-malwa...52.dll
windows7_x64
136c3-malwa...52.dll
windows10-2004_x64
636c3-malwa...V2.exe
windows7_x64
1036c3-malwa...V2.exe
windows10-2004_x64
1036c3-malwa....9.exe
windows7_x64
1036c3-malwa....9.exe
windows10-2004_x64
1036c3-malwa...aa.exe
windows7_x64
1036c3-malwa...aa.exe
windows10-2004_x64
1036c3-malwa...ty.exe
windows7_x64
1036c3-malwa...ty.exe
windows10-2004_x64
10Analysis
-
max time kernel
116s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
03-06-2022 02:44
Static task
static1
Behavioral task
behavioral1
Sample
36c3-malwarexchg-part3/1.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
36c3-malwarexchg-part3/1.exe
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
36c3-malwarexchg-part3/5oaxnx86.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral4
Sample
36c3-malwarexchg-part3/5oaxnx86.exe
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
Behavioral task
behavioral5
Sample
36c3-malwarexchg-part3/6cb6fda0b353d411a30c5b945e53ea52.dll
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral6
Sample
36c3-malwarexchg-part3/6cb6fda0b353d411a30c5b945e53ea52.dll
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
Behavioral task
behavioral7
Sample
36c3-malwarexchg-part3/DR_V2.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral8
Sample
36c3-malwarexchg-part3/DR_V2.exe
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
Behavioral task
behavioral9
Sample
36c3-malwarexchg-part3/GandCrabV5.0.9.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral10
Sample
36c3-malwarexchg-part3/GandCrabV5.0.9.exe
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
Behavioral task
behavioral11
Sample
36c3-malwarexchg-part3/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral12
Sample
36c3-malwarexchg-part3/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
Behavioral task
behavioral13
Sample
36c3-malwarexchg-part3/pinebook-sality.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
36c3-malwarexchg-part3/5oaxnx86.exe
-
Size
1.1MB
-
MD5
6b91b9d9660180bc67106a78ad63ab1c
-
SHA1
68ae10ad50721aa915944020cfe1eaa30d28c6e1
-
SHA256
2a1eca5bba62227a6d1f4fb1686b8c65ba2e6fbdc457de6f6771df72d30e8023
-
SHA512
e5aab3db9dfdc1449d6dbec83930936acd881885bcca84786309bb4ae3d9d47ef02ccde86e30ff6c182bff9557545afb7b6ef785ef5b2cd6baf11e5b8bbc0036
Score
10/10
Malware Config
Extracted
Path
C:\Program Files\7-Zip\Lang\README_5OAXN_DATA.txt
Ransom Note
Hello!
Your all your files are encrypted and only I can decrypt them. Contact for me e-mail:
[email protected] or [email protected]
Write me if you want to return your files - I can do it very quickly!
The header of the letter must contain the extension of the encryptor
Do not rename encrypted files.
You may lose your files permanently.
You may be a victim of fraud.
To prove that I can recover your files, I am ready to decrypt any three files for free (except databases, Excel and backups)
!!! Do not turn off or restart the NAS equipment. This will result in data loss !!!
Signatures
-
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\ConfirmReceive.tiff 5oaxnx86.exe File renamed C:\Users\Admin\Pictures\ConfirmReceive.tiff => C:\Users\Admin\Pictures\ConfirmReceive.tiff.5oaxn 5oaxnx86.exe File renamed C:\Users\Admin\Pictures\DismountOut.tif => C:\Users\Admin\Pictures\DismountOut.tif.5oaxn 5oaxnx86.exe File opened for modification C:\Users\Admin\Pictures\FindSwitch.tiff 5oaxnx86.exe File opened for modification C:\Users\Admin\Pictures\FindSwitch.tiff.5oaxn 5oaxnx86.exe File opened for modification C:\Users\Admin\Pictures\RemoveUnlock.crw.5oaxn 5oaxnx86.exe File opened for modification C:\Users\Admin\Pictures\SubmitAssert.png.5oaxn 5oaxnx86.exe File opened for modification C:\Users\Admin\Pictures\ConfirmReceive.tiff.5oaxn 5oaxnx86.exe File opened for modification C:\Users\Admin\Pictures\DismountOut.tif.5oaxn 5oaxnx86.exe File renamed C:\Users\Admin\Pictures\FindSwitch.tiff => C:\Users\Admin\Pictures\FindSwitch.tiff.5oaxn 5oaxnx86.exe File renamed C:\Users\Admin\Pictures\RemoveUnlock.crw => C:\Users\Admin\Pictures\RemoveUnlock.crw.5oaxn 5oaxnx86.exe File renamed C:\Users\Admin\Pictures\SubmitAssert.png => C:\Users\Admin\Pictures\SubmitAssert.png.5oaxn 5oaxnx86.exe -
resource yara_rule behavioral4/memory/4732-131-0x0000000000400000-0x00000000006BE000-memory.dmp upx behavioral4/memory/4732-132-0x0000000000400000-0x00000000006BE000-memory.dmp upx behavioral4/memory/4732-134-0x0000000000400000-0x00000000006BE000-memory.dmp upx -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README_5OAXN_DATA.txt 5oaxnx86.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\README_5OAXN_DATA.txt 5oaxnx86.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ul-oob.xrm-ms 5oaxnx86.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\vlc.mo 5oaxnx86.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\s_listview_18.svg 5oaxnx86.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-125.png 5oaxnx86.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\startNetworkServer.bat 5oaxnx86.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG.HXS.5oaxn 5oaxnx86.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\SmallTile.scale-100.png 5oaxnx86.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.5oaxn 5oaxnx86.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluEmptyFolder_160.svg.5oaxn 5oaxnx86.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\jvm.cfg 5oaxnx86.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.5oaxn 5oaxnx86.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] 5oaxnx86.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_18.svg 5oaxnx86.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\ui-strings.js.5oaxn 5oaxnx86.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\ui-strings.js.5oaxn 5oaxnx86.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms 5oaxnx86.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MTEXTRA.TTF.5oaxn 5oaxnx86.exe File created C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\README_5OAXN_DATA.txt 5oaxnx86.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_ja_4.4.0.v20140623020002.jar 5oaxnx86.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html 5oaxnx86.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\ui-strings.js.5oaxn 5oaxnx86.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg.5oaxn 5oaxnx86.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\README_5OAXN_DATA.txt 5oaxnx86.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ro-ro\README_5OAXN_DATA.txt 5oaxnx86.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-options.xml 5oaxnx86.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL096.XML 5oaxnx86.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\MSFT_PackageManagement.schema.mfl 5oaxnx86.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_contrast-white.png 5oaxnx86.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-100.png 5oaxnx86.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\uk-ua\ui-strings.js.5oaxn 5oaxnx86.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-BoldIt.otf.5oaxn 5oaxnx86.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.5oaxn 5oaxnx86.exe File opened for modification C:\Program Files\UnregisterResume.kix.5oaxn 5oaxnx86.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png 5oaxnx86.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms.5oaxn 5oaxnx86.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\OFFSYMSL.TTF 5oaxnx86.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac.5oaxn 5oaxnx86.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Silhouette.png 5oaxnx86.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-80.png 5oaxnx86.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_cs.jar 5oaxnx86.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar.5oaxn 5oaxnx86.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-loaders.jar 5oaxnx86.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sk-sk\ui-strings.js 5oaxnx86.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-si\ui-strings.js.5oaxn 5oaxnx86.exe File created C:\Program Files (x86)\Adobe\README_5OAXN_DATA.txt 5oaxnx86.exe File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\README_5OAXN_DATA.txt 5oaxnx86.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\ui-strings.js.5oaxn 5oaxnx86.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\ui-strings.js 5oaxnx86.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.png 5oaxnx86.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\ui-strings.js 5oaxnx86.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\ui-strings.js.5oaxn 5oaxnx86.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\README_5OAXN_DATA.txt 5oaxnx86.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-compat.xml.5oaxn 5oaxnx86.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.5oaxn 5oaxnx86.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] 5oaxnx86.exe File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lo-LA\README_5OAXN_DATA.txt 5oaxnx86.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\StopwatchSmallTile.contrast-black_scale-100.png 5oaxnx86.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-100.png 5oaxnx86.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarBadge.scale-400.png 5oaxnx86.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-100.png 5oaxnx86.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar 5oaxnx86.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png 5oaxnx86.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare71x71Logo.scale-125_contrast-black.png 5oaxnx86.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons.png 5oaxnx86.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 5092 sc.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4128 PING.EXE -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4732 wrote to memory of 5092 4732 5oaxnx86.exe 81 PID 4732 wrote to memory of 5092 4732 5oaxnx86.exe 81 PID 4732 wrote to memory of 5092 4732 5oaxnx86.exe 81 PID 4732 wrote to memory of 4828 4732 5oaxnx86.exe 91 PID 4732 wrote to memory of 4828 4732 5oaxnx86.exe 91 PID 4732 wrote to memory of 4828 4732 5oaxnx86.exe 91 PID 4828 wrote to memory of 4128 4828 CMD.exe 93 PID 4828 wrote to memory of 4128 4828 CMD.exe 93 PID 4828 wrote to memory of 4128 4828 CMD.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\36c3-malwarexchg-part3\5oaxnx86.exe"C:\Users\Admin\AppData\Local\Temp\36c3-malwarexchg-part3\5oaxnx86.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\sc.exesc queryex type= service2⤵
- Launches sc.exe
PID:5092
-
-
C:\Windows\SysWOW64\CMD.exeCMD /C PING 127.0.0.1 & DEL /F C:\Users\Admin\AppData\Local\Temp\36c3-malwarexchg-part3\5oaxnx86.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\PING.EXEPING 127.0.0.13⤵
- Runs ping.exe
PID:4128
-
-