13f476ec8dba856b93c2b799dbf9994191d14e9dbc2c6d75c9ec3d8054144b3f

Analysis

max time kernel
124s
max time network
110s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-06-2022 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36c3-malwarexchg-part3/DR_V2.exe
Size

201KB
MD5

4ba2e1d4cf7a86753f9f8174b3bc74c8
SHA1

742128fab2ad05f8f52a4c6f43b39a25fcc161a6
SHA256

66ee3840a9722d3912b73e477d1a11fd0e5468769ba17e5e71873fd519e76def
SHA512

83a596cdeec0c9560436ec8f10b5368ffc6c62a060e5fe3dcb628f3b76c2b659f57b0b9782c28b7f992e71aa9590b55ac622a38ef4ff33892129cb551346ef6e

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Documents and Settings\read_me.txt

Ransom Note

????????????????????????? ??????DEATHRansom ??????? ????????????????????????? Hello dear friend, Your files were encrypted! You have only 12 hours to decrypt it In case of no answer our team will delete your decryption password Write back to our e-mail: deathransom@airmail.cc In your message you have to write: 1. YOU LOCK-ID: qDAoWjigsgNyx787tXTkPDeEW6Igjp0hWJNpFubW9yAK+rpw+pZszIucJgewgVo9bRmpcrlpqvnB/t76j36yLh8SyqweLjxWotjSoL0ETObBYyCujoU4MUJZPMp9MpU9YISo337D7zizgfayCSS2sxKGmykeU+2NLTGn7rbXaSpq8cdDBTOvwn7ANbZ9XQN2nrdM30H1piGChvlLe885Qs9c3Hoxi17uT+p2N7CktEpNd+xSDkfi0Y+BSJSM6mzvs8F0yvFHA4xyMX/Cwoau/n7+f8cOzDzv/YeTVO91p9njz2JEMTECjBQ2fy3LyImmmVvAy6YG7+gfzfHVtH98uD4nfOWx8n77KJCxUdAefubwtafkfGSX4LX279FL4x78abb0tAhBdMxizIVBNyRdsr0B7iDJzNw8NVrxaI8xUWz/KGVhnqSLMtvU9c4ztDJ7RrciFDS63MTMWv3UQUEQg5vJIxlotw+NhQnEt8YiHbB1llMgHnYz/BPWXM1KRRUCGbdLW00zHmt3yksJQ2mUXUELkOmBfUUR00cU9yudynBabnb117GlzbwHxNCsKTb0DJzyz+RqLnMoL4d8Dm3A20+HOtUcrb7SS/qfZ4fAvb9QSfk5MMBnKq+MwtDBQl2VTXcMTwVkL54aVLax3PWn3LllcIMXzCALcTIb5wk59WSmvHo3TssIX8BTMIMahtUi4fxg2WJL8LFYsJdh6UnFOQ== 2. Time when you have paid 0.1 btc to this bitcoin wallet: 1J9CG9KtJZVx1dHsVcSu8cxMTbLsqeXM5N After payment our team will decrypt your files immediatly Free decryption as guarantee: 1. File must be less than 1MB 2. Only .txt or .lnk files, no databases 3. Only 1 files How to obtain bitcoin: The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/

Emails

deathransom@airmail.cc

Wallets

1J9CG9KtJZVx1dHsVcSu8cxMTbLsqeXM5N

Signatures

Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

DR_V2.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\ResumeUnpublish.tiff DR_V2.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ResumeUnpublish.tiff	DR_V2.exe

Drops desktop.ini file(s) 26 IoCs

Processes:

DR_V2.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Public\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	DR_V2.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	DR_V2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

vssvc.exeAUDIODG.EXE

description	pid	process
Token: SeBackupPrivilege	1652	vssvc.exe
Token: SeRestorePrivilege	1652	vssvc.exe
Token: SeAuditPrivilege	1652	vssvc.exe
Token: 33	664	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	664	AUDIODG.EXE
Token: 33	664	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	664	AUDIODG.EXE

C:\Users\Admin\AppData\Local\Temp\36c3-malwarexchg-part3\DR_V2.exe
"C:\Users\Admin\AppData\Local\Temp\36c3-malwarexchg-part3\DR_V2.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
PID:972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/972-54-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/972-55-0x000000000502E000-0x0000000005037000-memory.dmp

Filesize
36KB

Download
memory/972-56-0x0000000000220000-0x000000000022F000-memory.dmp

Filesize
60KB

Download
memory/972-57-0x0000000000400000-0x0000000004E71000-memory.dmp

Filesize
74.4MB

Download
memory/972-58-0x000000000502E000-0x0000000005037000-memory.dmp

Filesize
36KB

Download
memory/972-59-0x0000000000400000-0x0000000004E71000-memory.dmp

Filesize
74.4MB

Download