Analysis
-
max time kernel
148s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
03-06-2022 02:44
General
-
Target
36c3-malwarexchg-part3/DR_V2.exe
-
Size
201KB
-
MD5
4ba2e1d4cf7a86753f9f8174b3bc74c8
-
SHA1
742128fab2ad05f8f52a4c6f43b39a25fcc161a6
-
SHA256
66ee3840a9722d3912b73e477d1a11fd0e5468769ba17e5e71873fd519e76def
-
SHA512
83a596cdeec0c9560436ec8f10b5368ffc6c62a060e5fe3dcb628f3b76c2b659f57b0b9782c28b7f992e71aa9590b55ac622a38ef4ff33892129cb551346ef6e
Score
10/10
Malware Config
Extracted
Path
C:\Documents and Settings\read_me.txt
Ransom Note
?????????????????????????
??????DEATHRansom ???????
?????????????????????????
Hello dear friend,
Your files were encrypted!
You have only 12 hours to decrypt it
In case of no answer our team will delete your decryption password
Write back to our e-mail: deathransom@airmail.cc
In your message you have to write:
1. YOU LOCK-ID: J9EIHwke5UFxrpeq2ieFmHQYd9xRMkLnEHn030IZTXAtNOd5ds0VE7ZIF3KRwNx/yFPYOik5TD1j2R/jYuODA0C1pGPqnMbIn6JeZL88ws+SzBx9t3jODIAk9mfF9sj9DMRCBBDj3uyfWrKtcOz8O5qokXSDHB1fXJDfivM1FpgOQlXl1w57wQMWchGjW70NITUR6LZjcN5EUE8XttTSrKNBjY2ZjSrnXgvSIYBkR/hbLQv3jefZ+UJecFa2AK0f+0gA//1L+0D7+QUi4BIha6lx9GxxPOt71PLQ4Y6bs1L2kMF04AS4XcidjIgYINrPu1+xzs0YHQw/hAvhKYj5lAEQlay6PR2YUe/BinAdgZtvuzsdtaIzNnJ2fpypg4LqrDoMg/jvhoCgt1zJh8+NaU0QbOP2t1DmE3JsPzWcYrhAd/eQaRxvnDads+acmKomxl5fS8PZpLNxGnfPsqN8SHCOI/7AVo3aJEZ4DUXSJyS/IXTAbUXK8lcPMCZt+G+ncTxnHDHKfet0/LxSEglOi5er4apomsf1ZMP1b52l1IlV0dwrACDH9+XADtgD/7vcmq9EZZ/dZHe+5nZlMTSoENgs71682Hrnkl+EleWGmUwuEznYrBr/vf8bCXpjm0ryczOUEmgEs6hM6CanBdm9CQQc7MrM4fs4LtGlywo1YurNvbSwQMzq7syqyiczI5K+iPRfpLVRhf6e7ur0hcJTng==
2. Time when you have paid 0.1 btc to this bitcoin wallet:
1J9CG9KtJZVx1dHsVcSu8cxMTbLsqeXM5N
After payment our team will decrypt your files immediatly
Free decryption as guarantee:
1. File must be less than 1MB
2. Only .txt or .lnk files, no databases
3. Only 1 files
How to obtain bitcoin:
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Emails
deathransom@airmail.cc
Wallets
1J9CG9KtJZVx1dHsVcSu8cxMTbLsqeXM5N
Signatures
-
Drops desktop.ini file(s) 25 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\36c3-malwarexchg-part3\DR_V2.exe"C:\Users\Admin\AppData\Local\Temp\36c3-malwarexchg-part3\DR_V2.exe"1⤵
- Drops desktop.ini file(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 12362⤵
- Program crash
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3864 -ip 38641⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3864-130-0x000000000517E000-0x0000000005188000-memory.dmpFilesize
40KB
-
memory/3864-131-0x0000000004FC0000-0x0000000004FCF000-memory.dmpFilesize
60KB
-
memory/3864-132-0x0000000000400000-0x0000000004E71000-memory.dmpFilesize
74.4MB