Analysis

  • max time kernel
    136s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    17-06-2022 13:26

General

  • Target

    ab0aa003d7238940cbdf7393677f968c4a252516de7f0699cd4654abd2e7ae83.exe

  • Size

    137KB

  • MD5

    21d01fa87dfcaf971ff7b63a1a6fda94

  • SHA1

    f3caa9831fc715af4f47cd98803549902dffe30a

  • SHA256

    ab0aa003d7238940cbdf7393677f968c4a252516de7f0699cd4654abd2e7ae83

  • SHA512

    f89997f8c31d77029f1087257a5b24337f9989bebfbe4169067acae72a5dd50ce118d273fae00690ef2e2bf345901d723034992f53dd3e5b9df5cbe9be2e67fa

Malware Config

Extracted

Path

C:\7sc8022n-readme.txt

Ransom Note
---=== Welcome. Again. ===--- [-] Whats Happen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 7sc8022n. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [-] What guarantees? [-] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] Using a TOR browser! 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6C9400D6B3ACAF42 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: WKI6os5M627QmPElKvOFPLh6FyUSh/ijrRNqvWYoCNv9AFnI/lLHRf0pUqn7I2IV 3ay1O0Wtj/S2CSP6nmF2Yo7ef7v07yp8Ddd/q9Tm/UZsf0BTG+NITB/H1enNpCoR +U7R7S3G5IZG72/kQ6HohS6l54ORRGx7XggyAqIhsKTsKVLzQf8dfnruJX4cTSD2 6ulCOBexDIIFwJ5/Fn++oVfwDAvD9wyxxOGoMZZfLP6D7CH/fo+Ux2CsaQp94pMs rtlWzCnA65YUUAf/0G53vfcnwwQj7DErh37h87FX6M5rEWalbMIiqZ2O5sNFgJ0e gun8FbeZueYD4MtSHajcwZJgvpz0rSRvg9NJzGwvmMOQR5AC0UyuKiLk74aOlUel Yi8FUVbecm55H1cHW4YvLxsTNFyCVa6TJG1cYBcHd6uzcztS8zRHNr87KgUEUPhX T0L7Mp++BpQWzo+4tPQjj2eqhv/PVUXzWHeILRxVEOG4QSBcwAAZ/r5VRLyc+pi2 8RvO569HzY7pM91wsZABfdciJD1P6nFIfoGUWaCuDq8OVE6RB39S7KJast5kN5Pa MldwFWNqoRha0zGaH4N6vFretxhtYp1eeoe1eLeM+uvvxD0wXjRCfWidUXG/puNq fO1ZrWgmM7+xQWKo8IWIur/AOZJi5CZfhpLaIe1OZE8Fj/lntyg1DCkCfomLBCRd vgauoY0cNsUdNzBiow6JsOrVXK6nlfGKdOw4ywZXnfJEyOb0O14sOWkIVIPcye61 tFQEHUoI8enQ9T9JcGhn+paTBytnkc12U5UJIgmvGbbV1jVrnLpW9wdPo4pv/V9+ SwDN5ja577kxHpdv9wjyXg4FvDQH1R9nZ43BQA/WRms+EnxcraQMlE7Ccw0D8DE2 IvyTf7qovo4bz8FyffwYvEW5kLrA8216+xokibIAdqCFx9rapk5UlhoJ7p6lG5a8 VZ2hnKl708V7AmDrT4cDFzII2ZdLVSVY8Ukaq9OvpIQ5uxQTydAyddrhNCX9ROv0 mgt1nLGleG/UE0Ygpr4m20xiBgp3k9TWRd89QlGOBZ3ttKT/kCrFSds+iE95i008 O8MArt22eHs1ntX5nJ9Xle/8HISY6WSODAu8rMPhP9MsLIDMsoKfgpGntFuSvDvm Y4pL5CQw5XHtk0Aqr1fF18t9MS3qxYUKkOwe2FCWceI0zabCorXDxu6QjlXSTYOb 2yFmMNZFk3L5ZxhbkQJtQECrPnd0U6xajSBjFsahVpLqwpWmvJuDhq7XzXr6XVSh LZAPcWQvMBrm3/kWfHz5wKsKP8kr3EnQ ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/6C9400D6B3ACAF42

Signatures

  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab0aa003d7238940cbdf7393677f968c4a252516de7f0699cd4654abd2e7ae83.exe
    "C:\Users\Admin\AppData\Local\Temp\ab0aa003d7238940cbdf7393677f968c4a252516de7f0699cd4654abd2e7ae83.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3948
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:4828
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4884

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Collection

    Data from Local System

    1
    T1005

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads