Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    14-06-2022 07:28

General

  • Target

    sample.exe

  • Size

    452KB

  • MD5

    aa8a80fba6bf763cf203df243cc67e32

  • SHA1

    5472dedcc20a5b341c11834799901bbb06080bfd

  • SHA256

    1f0841edf877133a15a931a6d98eb84d83657b9f64e4395fdbf4988b1579073d

  • SHA512

    58ae8e054df8f0d8b7a686d1a95d094ebb8330531da6ecf2d43b3b278a6b3c0378aa5c2609c36f0a4f1e96a204def392a6b6e5ae92c46be5c9a6ff1234b9f89f

Score
10/10

Malware Config

Extracted

Path

C:\TEMP\readmee.txt

Ransom Note
Good day! If you are reading this letter, then most likely you are simply out of luck and you have my virus on your computer. Your computer was infected with my virus. All your files on your PC were copied to my server. I have a complete copy of all your data including: passwords from sites, correspondence in social networks. photos taken with your webcam and video recording from your webcam Your files have turned into lock.file and only I can decrypt them I also have full access to your computer, and I can see everything you do on the Internet. My virus has deleted and encrypted your files on your PC, I can return all these files to you. I am asking for a modest $ 200 dollars ransom to my bitcoin wallet BTC Adress 13WDsG32nT9TvaK2uc24Pk8WLLejKTPXJL You can buy bitcoin on a cryptocurrency exchange, on exchange sites, or through a request in a google search engine As soon as I receive the translation from you. I will return all your files to you and leave you alone forever. The virus will be removed from your PC automatically after you pay 200 $ Attention!!! If you refuse to pay me. I will sell all your data on the shady forums. Your photos, videos, webcam recordings and everything else. The choice is yours :-)
Wallets

13WDsG32nT9TvaK2uc24Pk8WLLejKTPXJL

Signatures

  • Executes dropped EXE 2 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Opens file in notepad (likely ransom note) 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1392
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\avtzap.bat" "
      2⤵
      • Drops startup file
      PID:1952
    • C:\Users\Admin\AppData\Local\Temp\zzz.exe
      "C:\Users\Admin\AppData\Local\Temp\zzz.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\TEMP\sait.VBS"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:904
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\TEMP\sait.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1220
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" http://openff.sytes.net/
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:568
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:568 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:856
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\TEMP\readmee.txt
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:696
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\TEMP\sait.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:288
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" http://openff.sytes.net/
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1208
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1208 CREDAT:275457 /prefetch:2
              6⤵
              • Suspicious use of SetWindowsHookEx
              PID:436
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\TEMP\readmee.txt
            5⤵
            • Opens file in notepad (likely ransom note)
            • Suspicious use of FindShellTrayWindow
            PID:1668
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\TEMP\sait.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1552
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" http://openff.sytes.net/
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:240
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:240 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1688
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:240 CREDAT:472068 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2076
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:240 CREDAT:3486728 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2240
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:240 CREDAT:209941 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2400
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:240 CREDAT:1192976 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2708
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\TEMP\readmee.txt
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:1012
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x1b8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1804
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zzz.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zzz.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:704
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\TEMP\sait.VBS"
      2⤵
      PID:1968
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\TEMP\sait.bat" "
        3⤵
        PID:1648
        • C:\Windows\SysWOW64\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\TEMP\readmee.txt
          4⤵
          • Opens file in notepad (likely ransom note)
          PID:2092
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\TEMP\sait.bat" "
        3⤵
        PID:2200
        • C:\Windows\SysWOW64\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\TEMP\readmee.txt
          4⤵
          • Opens file in notepad (likely ransom note)
          PID:2252
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\TEMP\sait.bat" "
        3⤵
        PID:2356
        • C:\Windows\SysWOW64\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\TEMP\readmee.txt
          4⤵
          • Opens file in notepad (likely ransom note)
          PID:2412
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\TEMP\sait.bat" "
        3⤵
        PID:2512
        • C:\Windows\SysWOW64\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\TEMP\readmee.txt
          4⤵
          • Opens file in notepad (likely ransom note)
          PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion: Modify Registry (1) T1112
  • Discovery: System Information Discovery (1) T1082

Downloads

  • C:\TEMP\readmee.txt
    Filesize 1KB
    MD5 3cf268847ff191b38301b7ba494a9e9e
    SHA1 b43e62f74ca751e589dfe3cbad95c5cf6dc40412
    SHA256 e8185df72b73f746eab586b1cfd28fa2c9aa2c87e2e763579213aa39b402ceb6
    SHA512 2279151d5938dffb97d6d9d520a4a25301c98828aa6eb66949a6898ccd1652b033a1eedb940ea9d5b5895986cd48a399f9bc0d0c003aaf46cef41279aba0c8f5

  • C:\TEMP\sait.VBS
    Filesize 41KB
    MD5 c4033520521cba801391480c11693390
    SHA1 ed72adab6fe63ff888be022899455d471ce73318
    SHA256 1b0d802605c8526efff650bfad7e25bccd5235128463ffe7ab174d21ee830202
    SHA512 5de22b59da8e170f009e88e12d03090bc090ff7b402d432adc2fd3aa87c83e5e58423c4682631be87a1d950061d80f3ba8f1a8d2141e91087b76ff5f95dfd7a0

  • C:\TEMP\sait.bat
    Filesize 59B
    MD5 e64113f4aea4af810e0ae0cf058d76c1
    SHA1 a4f103754b39ffd38a0d2e4f11699ff5e25de721
    SHA256 b39e17b6e906c3923a037b9c69e4acbaf23a879f01147d23302e19c05ee94b4a
    SHA512 be25307634106d92442455aa604e2bc89bca5d483ab947c7457bd1918eff3d359a4b61833dfb1e0bff1a8a74fee0de2d9b024e32711078d1c7a9806891ce91ef

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6AE431E1-EBC4-11EC-A33B-DE95627D9645}.dat
    Filesize 5KB
    MD5 fea854706f656319959ccca2924a1b74
    SHA1 9411e0108d383b5bd45936dff441bc6fc2d96dd1
    SHA256 f8585fdbdfe533b4b573027a202866826c9f3ee73570d74fba9cd10706539356
    SHA512 87617be45769f3d961bd119babfad96f3941ffb494955c8abbfd45f8357943130f9acd9269ab77ed08e23edfdc527c53e9d30f9aafb6536624c6bbd0a17d7edd

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{74E63720-BC2F-11EC-93B8-F2122C6314CC}.dat
    Filesize 5KB
    MD5 d761593a0eaa26a2f852ea975c24ac4e
    SHA1 49bff74ae5c7547b4a0903c7a500fdd82cac07b0
    SHA256 36f89dc9d801ba33a37534cb1bdf8913bd6133b8d8209c39bebf332ead75f6f4
    SHA512 bd6c73911635f73dcf67f7f30dfc8fb7b2f33a4b87a77b0f4adef94a6031fd6b99ccc6c899266914c066f8c37505167fa9e9bfef68e6b1949877c745cd6f9c36

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{95C1ACD0-EBC4-11EC-A33B-DE95627D9645}.dat
    Filesize 4KB
    MD5 a56127707fee1a23b87078874708ff76
    SHA1 5ce56de25dc3ce530f9aabaa09d654e4f17d521a
    SHA256 3bc80262acd43e75d9f19f6ad1b6b4dfc94e44fb666a7f50d244e78ded1bed28
    SHA512 0979087fc3da77ff5be3526ee432599ce3c6a23e28a6997a1f19efcfef8acad7c60bee535fa8a9c64d60c9672fcc89e12b78c76b775aaa8f125e15c4568ade8b

  • C:\Users\Admin\AppData\Local\Temp\avtzap.bat
    Filesize 98B
    MD5 138e66bda2b8088226002ac13ceb7d7a
    SHA1 1ed9e1b1658d8d41c0933aa1e0ba5d566577ff8a
    SHA256 5cba178a4165b1bc977be7c94a9f70555305a049a7fee3c3ca883530e7e8a302
    SHA512 d831da3e5759127a2a823a5ddf26d62bc3a2c801f25105a22653acc67ba45a469514928648143599fff780c3ac5e32aee91f24460982153d595768b07b6e7c75

  • C:\Users\Admin\AppData\Local\Temp\zzz.exe
    Filesize 295KB
    MD5 8b2d6697c9056128cabfb8f6c3207602
    SHA1 2ed8110f2c15a453982b3953ece44555919e123e
    SHA256 a61deb915fad30c8c34dc1bbf895f72376adf24d0711115ece52f675fd10b045
    SHA512 80a498763ea04dbb275e177a2f9330d49f63dde3b609fbd469f440a36235747cf932cf92c790fb511980a543807b2178b30bc0c61cae87552bf53d96634a2d11

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4V1I7HJI.txt
    Filesize 600B
    MD5 9f79e6d66c4a36228151c75b684b6c59
    SHA1 a05119c0f9b5edb2aa4e04aef6f0c940a7f228fc
    SHA256 45305b7eea91a488574c6e295f4830895ad0177c183ab856bd9d79df81907e8a
    SHA512 bf46e66f3062a217d7e0ddfcda9abb425849b1c145585b6c72119f7ca4c3646dca88e09955d9fd60e7eae1bf6edc5a3908f05e1cfe2edc3e896c1b596967aa30

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms
    Filesize 4KB
    MD5 18bdf821f8d4d9a04b437d7f167ddb1c
    SHA1 f71f91b6ae54f97d3d7c3a1fbfe160b7769c7d4d
    SHA256 b18ab3ceadb2bf0e1481648011085d7f1167ab66b8ffd6b195b32f217c05915f
    SHA512 bdb8031b77a91ca5470e19257e2d4ff3148d2f840296f95a5692c57a54e108158057e5dd59af5612ab857d042e61b6397e39c54ec402bc1ce53a93cb553fbfa9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zzz.exe
    Filesize 295KB
    MD5 8b2d6697c9056128cabfb8f6c3207602
    SHA1 2ed8110f2c15a453982b3953ece44555919e123e
    SHA256 a61deb915fad30c8c34dc1bbf895f72376adf24d0711115ece52f675fd10b045
    SHA512 80a498763ea04dbb275e177a2f9330d49f63dde3b609fbd469f440a36235747cf932cf92c790fb511980a543807b2178b30bc0c61cae87552bf53d96634a2d11

  • \Users\Admin\AppData\Local\Temp\zzz.exe
    Filesize 295KB
    MD5 8b2d6697c9056128cabfb8f6c3207602
    SHA1 2ed8110f2c15a453982b3953ece44555919e123e
    SHA256 a61deb915fad30c8c34dc1bbf895f72376adf24d0711115ece52f675fd10b045
    SHA512 80a498763ea04dbb275e177a2f9330d49f63dde3b609fbd469f440a36235747cf932cf92c790fb511980a543807b2178b30bc0c61cae87552bf53d96634a2d11

  • memory/288-74-0x0000000000000000-mapping.dmp
  • memory/696-70-0x0000000000000000-mapping.dmp
  • memory/904-64-0x0000000000000000-mapping.dmp
  • memory/1012-84-0x0000000000000000-mapping.dmp
  • memory/1108-61-0x0000000000000000-mapping.dmp
  • memory/1220-68-0x0000000000000000-mapping.dmp
  • memory/1392-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp
    Filesize 8KB
  • memory/1552-82-0x0000000000000000-mapping.dmp
  • memory/1648-91-0x0000000000000000-mapping.dmp
  • memory/1668-76-0x0000000000000000-mapping.dmp
  • memory/1952-55-0x0000000000000000-mapping.dmp
  • memory/1968-89-0x0000000000000000-mapping.dmp
  • memory/2092-93-0x0000000000000000-mapping.dmp
  • memory/2200-95-0x0000000000000000-mapping.dmp
  • memory/2252-97-0x0000000000000000-mapping.dmp
  • memory/2356-99-0x0000000000000000-mapping.dmp
  • memory/2412-101-0x0000000000000000-mapping.dmp
  • memory/2512-103-0x0000000000000000-mapping.dmp
  • memory/2560-105-0x0000000000000000-mapping.dmp