Analysis

  • max time kernel
    268s
  • max time network
    278s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    09-06-2022 04:11

General

  • Target

    quickbuck.exe

  • Size

    3.0MB

  • MD5

    5764e41fede27bf9c984242c2b7bfd33

  • SHA1

    e5b4178bdebf7a59e97c56235cff472b18440359

  • SHA256

    1283836cc0ed21b535ca654611d87e766538b81b02e61289ecc94188602aaf2a

  • SHA512

    a3610ca12b1ebfd0a618fae7c0e8f655d879156a0b850c4dd8e0e8827d6719f67ad5facad7496aac3adcafbf79f0195adb5ab62d900202f07ed4ec380e516379

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\ransomware-simulator-note.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose.

To decrypt all the data or to prevent exfiltrated files to be disclosed at http://thisisafakeonionaddress.onion/ you will need to purchase our decryption software.

Please contact our sales department at: REDACTED
Login: REDACTED
Password: REDACTED

To get access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us)

Follow the guidelines below to avoid losing your data:
– Do not shutdown or reboot your computers, unmount external storages.
– Do not try to decrypt data using third party software. It may cause irreversible damage.
– Do not fool yourself. Encryption has perfect secrecy and it’s impossible to decrypt without knowing the key.
– Do not modify, rename or delete *.key.k6thw files. Your data will be undecryptable.
– Do not modify or rename encrypted files. You will lose them.
– Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased.
– Do not reject to purchase. Your sensitive data will be publicly disclosed.
URLs

http://thisisafakeonionaddress.onion/

Signatures

  • Hive

    A ransomware written in Golang first seen in June 2021.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\quickbuck.exe
    "C:\Users\Admin\AppData\Local\Temp\quickbuck.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2272
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2720
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3636
      • C:\Users\Admin\AppData\Local\Temp\quickbuck.exe
        quickbuck.exe
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:5036
      • C:\Users\Admin\AppData\Local\Temp\quickbuck.exe
        quickbuck.exe run
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:224
        • C:\Users\Admin\AppData\Local\Temp\WINWORD.EXE
          C:\Users\Admin\AppData\Local\Temp\WINWORD.EXE stage quickbuck.exe run --disable-macro-simulation
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4532
          • C:\Windows\system32\cmd.exe
            cmd.exe /c "quickbuck.exe run --disable-macro-simulation"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2104
            • C:\Users\Admin\AppData\Local\Temp\quickbuck.exe
              quickbuck.exe run --disable-macro-simulation
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:3240
              • C:\Windows\system32\vssadmin.exe
                vssadmin delete shadows /for=norealvolume /all /quiet
                6⤵
                • Interacts with shadow copies
                PID:2256
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5028
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3624
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ransomware-simulator-note.txt
      1⤵
        PID:4592
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ransomware-simulator-note.txt
        1⤵
          PID:3212

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\WINWORD.EXE

    Filesize

    3.0MB

    MD5

    5764e41fede27bf9c984242c2b7bfd33

    SHA1

    e5b4178bdebf7a59e97c56235cff472b18440359

    SHA256

    1283836cc0ed21b535ca654611d87e766538b81b02e61289ecc94188602aaf2a

    SHA512

    a3610ca12b1ebfd0a618fae7c0e8f655d879156a0b850c4dd8e0e8827d6719f67ad5facad7496aac3adcafbf79f0195adb5ab62d900202f07ed4ec380e516379

  • C:\Users\Admin\Desktop\ransomware-simulator-note.txt

    Filesize

    1KB

    MD5

    79cc7032c1e40b959f09bdab991dadde

    SHA1

    6b3f5b9902856f7a72efad1a781ecc4debcaec95

    SHA256

    f292053578c0c2e0feefae5e6d64091c74d3e6de693801feed19fa2f8614321d

    SHA512

    a46cf65089a71c1e2b280795cf44be51565da8ae11382061f719712b0644339319bbecb59879eb3df5dcef4b892be6b9a6ab82a78cde628ca533256891891ce6