Analysis
-
max time kernel
43s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
28/06/2022, 12:24
General
-
Target
3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb.bin.exe
-
Size
71KB
-
MD5
d8a44d2ed34b5fee7c8e24d998f805d9
-
SHA1
d8369cb0d8ccec95b2a49ba34aa7749b60998661
-
SHA256
3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb
-
SHA512
27974ffb60f4bb726cbc8269257b9485533fa33b3229667f4b7a7019fbd410252a1006df18fcf784cca85d48da277277b552815ee5d23d9f811c263e20d115ac
Score
10/10
Malware Config
Extracted
Path
C:\# DECRYPT FILES BLUESKY #.txt
Ransom Note
<<< B L U E S K Y >>>
YOUR IMPORTANT FILES, DOCUMENTS, PHOTOS, VIDEOS, DATABASES HAVE BEEN ENCRYPTED!
The only way to decrypt and restore your files is with our private key and program.
Any attempts to restore your files manually will damage your files.
To restore your files follow these instructions:
--------------------------------------------------------------
1. Download and install "Tor Browser" from https://torproject.org/
2. Run "Tor Browser"
3. In the tor browser open website:
http://ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid.onion
4. On the website enter your recovery id:
RECOVERY ID: 493cb0f44b024911f63391fe1a66ef6322c944632f828cf4bc261ebe79feeadf4c4d2350d1b64c1924fdc485449a9ed35ed052e3cfd067614a32123fb62d7a97
abb64b5032d735e6d75dca01c3b72aa3e6efac71f86b7ba209d3713fca372b7a6b52bb60768b51610d92b8ae0ecf31504a0b3b31aa76c047
5. Follow the instructions
--------------------------------------------------------------
URLs
http://ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid.onion
Extracted
Path
C:\# DECRYPT FILES BLUESKY #.html
Ransom Note
<!DOCTYPE html>
<html>
<body>
<center>
<font size = "6">
<p><b>B L U E S K Y</b></p>
<font size = "4">
<p><b>YOUR IMPORTANT FILES, DOCUMENTS, PHOTOS, VIDEOS, DATABASES HAVE BEEN ENCRYPTED!</b></p>
<p>The only way to decrypt and restore your files is with our private key and program.</p>
<p>Any attempts to restore your files manually will damage your files.</p>
<br>
<p>To restore your files follow these instructions:</p>
<p><b>1. Download and install "Tor Browser" from https://torproject.org/</p>
<p>2. Run "Tor Browser"</p>
<p>3. In the Tor Browser open website:</p>
<p></b>http://ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid.onion</p>
<p><b>4. On the website enter your recovery id:</p>
<p></b>RECOVERY ID: 493cb0f44b024911f63391fe1a66ef6322c944632f828cf4bc261ebe79feeadf4c4d2350d1b64c1924fdc485449a9ed35ed052e3cfd067614a32123fb62d7a97
abb64b5032d735e6d75dca01c3b72aa3e6efac71f86b7ba209d3713fca372b7a6b52bb60768b51610d92b8ae0ecf31504a0b3b31aa76c047</p>
<p><b>5. Follow the instructions on the website</b></p>
</center>
</body>
</html>
Signatures
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb.bin.exe"C:\Users\Admin\AppData\Local\Temp\3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb.bin.exe"1⤵
- Modifies extensions of user files
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB