Analysis
-
max time kernel
112s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
25-06-2022 08:29
Static task
static1
Behavioral task
behavioral1
Sample
6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe
Resource
win10v2004-20220414-en
General
-
Target
6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe
-
Size
164KB
-
MD5
68e56a7c328917186ab66b526bb456a6
-
SHA1
ad3df656c2700e551376751c3202c260ad26eccb
-
SHA256
6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2
-
SHA512
43ef8c3b8829ff599aaf4c141d78f84f022f03a05d881ced50f1b2ee175cb12a376124f5d0f283c95b35c587061f6813da827dca03c5f2294c6cc49caecaa4ef
Malware Config
Extracted
C:\8q1g3-readme.txt
http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/7C3D8C22D76EC643
http://decryptor.top/7C3D8C22D76EC643
Signatures
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exedescription ioc process File opened for modification \??\c:\users\admin\pictures\MergeJoin.tiff 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File renamed C:\Users\Admin\Pictures\CloseDisconnect.crw => \??\c:\users\admin\pictures\CloseDisconnect.crw.8q1g3 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File renamed C:\Users\Admin\Pictures\RepairResume.png => \??\c:\users\admin\pictures\RepairResume.png.8q1g3 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File renamed C:\Users\Admin\Pictures\UnregisterStart.raw => \??\c:\users\admin\pictures\UnregisterStart.raw.8q1g3 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File renamed C:\Users\Admin\Pictures\MergeJoin.tiff => \??\c:\users\admin\pictures\MergeJoin.tiff.8q1g3 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe -
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exedescription ioc process File opened (read-only) \??\N: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\P: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\U: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\W: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\Y: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\A: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\B: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\K: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\Z: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\R: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\V: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\J: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\L: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\Q: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\F: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\O: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\I: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\M: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\S: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\T: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\X: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\E: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\G: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\H: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened (read-only) \??\D: 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\y89r306m.bmp" 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe -
Drops file in Program Files directory 26 IoCs
Processes:
6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exedescription ioc process File opened for modification \??\c:\program files\PublishSubmit.ods 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\ReceiveDebug.mp3 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\RemoveStep.avi 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\ShowCopy.js 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\UninstallCheckpoint.vdx 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\BlockEnable.au3 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\ConvertToOpen.ADTS 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\ExpandUpdate.png 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\WriteDismount.scf 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\ExpandProtect.ttf 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\PublishUnlock.midi 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\ResolveTrace.rm 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\StartSuspend.xhtml 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\StepRedo.3gp2 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File created \??\c:\program files\8q1g3-readme.txt 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File created \??\c:\program files (x86)\8q1g3-readme.txt 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\AddSave.edrwx 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\NewCompress.mpeg3 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\ReceiveConfirm.xltx 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\UndoPop.wax 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\ClearUnpublish.mpe 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\CompressConvertFrom.txt 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\DismountEnable.zip 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\ApproveCompress.rle 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\BackupAdd.DVR 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe File opened for modification \??\c:\program files\OpenDismount.vssx 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exepowershell.exepid process 4352 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe 4352 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe 4152 powershell.exe 4152 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 4152 powershell.exe Token: SeBackupPrivilege 1824 vssvc.exe Token: SeRestorePrivilege 1824 vssvc.exe Token: SeAuditPrivilege 1824 vssvc.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exedescription pid process target process PID 4352 wrote to memory of 4152 4352 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe powershell.exe PID 4352 wrote to memory of 4152 4352 6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe"C:\Users\Admin\AppData\Local\Temp\6ff8946c265263670540c1d7d9122ed7ead84f7fa898e2bd5a718211b2c384e2.exe"1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4152-130-0x0000000000000000-mapping.dmp
-
memory/4152-131-0x00000294AD580000-0x00000294AD5A2000-memory.dmpFilesize
136KB
-
memory/4152-132-0x00007FF877C00000-0x00007FF8786C1000-memory.dmpFilesize
10.8MB
-
memory/4152-133-0x00007FF877C00000-0x00007FF8786C1000-memory.dmpFilesize
10.8MB