3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a

Analysis

max time kernel
151s
max time network
133s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe
Size

410KB
MD5

80dc3c416941c3d8955fd132d29d2500
SHA1

5800d69fbb28e74b7683bdfcc2d230095e44e996
SHA256

3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a
SHA512

ac0434782766d7ff161818133c6a5d5f4819f03abd93fdd38b40aa3dcb2332a63ba88f09ff6245ceb28cc9517713df7072048e384bc7236b3fa8047a19252247

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1083475884-596052423-1669053738-1000\RECOVERoutwt.txt

Ransom Note

NOT YOUR LANGUAGE? USE https://translate.google.com What's the matter with your files? Your data was secured using a strong encryption with RSA4096. Use the link down below to find additional information on the encryption keys using RSA4096:https://en.wikipedia.org/wiki/RSA_(cryptosystem) What exactly that means? It means that on a structural level your files have been transformed. You won't be able to use, read, see or work with them anymore. In other words they are useless, however, there is a possibility to restore them with our help. What exactly happened to your files? *** Two personal RSA4096 keys were generated for your PC/Laptop; one key is public, another key is private. *** All your data and files were encrypted by the means of the public key, which you received over the web. *** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers. What should you do next? There are several options for you to consider: 1. You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or 2. You can start getting BitCoins right now and get access to your data quite fast. In case you have valuable files, we advise you to act fast as there is no other option rather than paying in order to get back your data. In order to obtain specific instructions, please access your personal homepage by choosing one of the few addresses down below: http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/228D5240A2F4AE2A http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/228D5240A2F4AE2A http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/228D5240A2F4AE2A If you can't access your personal homepage or the addresses are not working, complete the following steps: 1. Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en 2. Install TOR Browser 3. Open TOR Browser 4. Insert the following link in the address bar: k7tlx3ghr3m4n2tu.onion/228D5240A2F4AE2A 5. Follow the steps on your screen IMPORTANT INFORMATION Your personal homepages: http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/228D5240A2F4AE2A http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/228D5240A2F4AE2A http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/228D5240A2F4AE2A Your personal page Tor-Browser k7tlx3ghr3m4n2tu.onion/228D5240A2F4AE2A Your personal identification ID: 228D5240A2F4AE2A

URLs

http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/228D5240A2F4AE2A

http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/228D5240A2F4AE2A

http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/228D5240A2F4AE2A

http://k7tlx3ghr3m4n2tu.onion/228D5240A2F4AE2A

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

Processes:

gxebyv.exegxebyv.exe

pid	Process
940	gxebyv.exe
536	gxebyv.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1220	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe

pid	Process
1476	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe
1476	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exegxebyv.exe

description	pid	Process	procid_target
PID 1544 set thread context of 1476	1544	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe	28
PID 940 set thread context of 536	940	gxebyv.exe	32

Drops file in Program Files directory 2 IoCs

Processes:

gxebyv.exe

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	gxebyv.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	gxebyv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exe

pid	Process
656	vssadmin.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

gxebyv.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\trueimg	gxebyv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gxebyv.exe

pid	Process
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe
536	gxebyv.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

gxebyv.exevssvc.exe

description	pid	Process
Token: SeDebugPrivilege	536	gxebyv.exe
Token: SeBackupPrivilege	2004	vssvc.exe
Token: SeRestorePrivilege	2004	vssvc.exe
Token: SeAuditPrivilege	2004	vssvc.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exegxebyv.exegxebyv.exe

description	pid	Process	procid_target
PID 1544 wrote to memory of 1476	1544	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe	28
PID 1544 wrote to memory of 1476	1544	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe	28
PID 1544 wrote to memory of 1476	1544	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe	28
PID 1544 wrote to memory of 1476	1544	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe	28
PID 1544 wrote to memory of 1476	1544	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe	28
PID 1544 wrote to memory of 1476	1544	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe	28
PID 1544 wrote to memory of 1476	1544	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe	28
PID 1544 wrote to memory of 1476	1544	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe	28
PID 1544 wrote to memory of 1476	1544	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe	28
PID 1544 wrote to memory of 1476	1544	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe	28
PID 1544 wrote to memory of 1476	1544	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe	28
PID 1476 wrote to memory of 940	1476	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe	29
PID 1476 wrote to memory of 940	1476	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe	29
PID 1476 wrote to memory of 940	1476	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe	29
PID 1476 wrote to memory of 940	1476	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe	29
PID 1476 wrote to memory of 1220	1476	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe	30
PID 1476 wrote to memory of 1220	1476	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe	30
PID 1476 wrote to memory of 1220	1476	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe	30
PID 1476 wrote to memory of 1220	1476	3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe	30
PID 940 wrote to memory of 536	940	gxebyv.exe	32
PID 940 wrote to memory of 536	940	gxebyv.exe	32
PID 940 wrote to memory of 536	940	gxebyv.exe	32
PID 940 wrote to memory of 536	940	gxebyv.exe	32
PID 940 wrote to memory of 536	940	gxebyv.exe	32
PID 940 wrote to memory of 536	940	gxebyv.exe	32
PID 940 wrote to memory of 536	940	gxebyv.exe	32
PID 940 wrote to memory of 536	940	gxebyv.exe	32
PID 940 wrote to memory of 536	940	gxebyv.exe	32
PID 940 wrote to memory of 536	940	gxebyv.exe	32
PID 940 wrote to memory of 536	940	gxebyv.exe	32
PID 536 wrote to memory of 656	536	gxebyv.exe	33
PID 536 wrote to memory of 656	536	gxebyv.exe	33
PID 536 wrote to memory of 656	536	gxebyv.exe	33
PID 536 wrote to memory of 656	536	gxebyv.exe	33
PID 536 wrote to memory of 1972	536	gxebyv.exe	37
PID 536 wrote to memory of 1972	536	gxebyv.exe	37
PID 536 wrote to memory of 1972	536	gxebyv.exe	37
PID 536 wrote to memory of 1972	536	gxebyv.exe	37

C:\Users\Admin\AppData\Local\Temp\3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe
"C:\Users\Admin\AppData\Local\Temp\3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe
  "C:\Users\Admin\AppData\Local\Temp\3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Users\Admin\Documents\gxebyv.exe
    C:\Users\Admin\Documents\gxebyv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Users\Admin\Documents\gxebyv.exe
      C:\Users\Admin\Documents\gxebyv.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:536
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:656
    - - C:\Windows\system32\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\tvcgy.bat
        5⤵
        
        PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\3921CB~1.EXE >> NUL
    3⤵
    - Deletes itself
    PID:1220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\gxebyv.exe

Filesize
410KB

MD5
80dc3c416941c3d8955fd132d29d2500

SHA1
5800d69fbb28e74b7683bdfcc2d230095e44e996

SHA256
3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a

SHA512
ac0434782766d7ff161818133c6a5d5f4819f03abd93fdd38b40aa3dcb2332a63ba88f09ff6245ceb28cc9517713df7072048e384bc7236b3fa8047a19252247

Download Submit
C:\Users\Admin\Documents\gxebyv.exe

Filesize
410KB

MD5
80dc3c416941c3d8955fd132d29d2500

SHA1
5800d69fbb28e74b7683bdfcc2d230095e44e996

SHA256
3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a

SHA512
ac0434782766d7ff161818133c6a5d5f4819f03abd93fdd38b40aa3dcb2332a63ba88f09ff6245ceb28cc9517713df7072048e384bc7236b3fa8047a19252247

Download Submit
C:\Users\Admin\Documents\gxebyv.exe

Filesize
410KB

MD5
80dc3c416941c3d8955fd132d29d2500

SHA1
5800d69fbb28e74b7683bdfcc2d230095e44e996

SHA256
3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a

SHA512
ac0434782766d7ff161818133c6a5d5f4819f03abd93fdd38b40aa3dcb2332a63ba88f09ff6245ceb28cc9517713df7072048e384bc7236b3fa8047a19252247

Download Submit
\Users\Admin\Documents\gxebyv.exe

Filesize
410KB

MD5
80dc3c416941c3d8955fd132d29d2500

SHA1
5800d69fbb28e74b7683bdfcc2d230095e44e996

SHA256
3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a

SHA512
ac0434782766d7ff161818133c6a5d5f4819f03abd93fdd38b40aa3dcb2332a63ba88f09ff6245ceb28cc9517713df7072048e384bc7236b3fa8047a19252247

Download Submit
\Users\Admin\Documents\gxebyv.exe

Filesize
410KB

MD5
80dc3c416941c3d8955fd132d29d2500

SHA1
5800d69fbb28e74b7683bdfcc2d230095e44e996

SHA256
3921cb707f4e47deafff47d53d066217f4fe97546f7427ecb2c0fca1ce015a3a

SHA512
ac0434782766d7ff161818133c6a5d5f4819f03abd93fdd38b40aa3dcb2332a63ba88f09ff6245ceb28cc9517713df7072048e384bc7236b3fa8047a19252247

Download Submit
memory/536-91-0x0000000000428DD2-mapping.dmp

Download
memory/536-98-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/536-96-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/536-95-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/656-97-0x0000000000000000-mapping.dmp

Download
memory/940-75-0x0000000000000000-mapping.dmp

Download
memory/1220-77-0x0000000000000000-mapping.dmp

Download
memory/1476-59-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1476-78-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1476-61-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1476-71-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1476-63-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1476-57-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1476-70-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/1476-72-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1476-56-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1476-64-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1476-66-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1476-67-0x0000000000428DD2-mapping.dmp

Download
memory/1544-68-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/1544-55-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/1544-54-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/1972-99-0x0000000000000000-mapping.dmp

Download