Overview

overview

10

Static

static

3e035f2d7d...in.exe

windows7_x64

10

3e035f2d7d...in.exe

windows10-2004_x64

5

Resubmissions

28-06-2022 12:30

220628-ppntjshddq 10

28-06-2022 12:24

220628-pk7qvshdbl 10

Analysis

  • max time kernel
    85s
  • max time network
    64s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    28-06-2022 12:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb.bin.exe

  • Size

    71KB

  • MD5

    d8a44d2ed34b5fee7c8e24d998f805d9

  • SHA1

    d8369cb0d8ccec95b2a49ba34aa7749b60998661

  • SHA256

    3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb

  • SHA512

    27974ffb60f4bb726cbc8269257b9485533fa33b3229667f4b7a7019fbd410252a1006df18fcf784cca85d48da277277b552815ee5d23d9f811c263e20d115ac

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\msocache\# DECRYPT FILES BLUESKY #.txt

Ransom Note
<<< B L U E S K Y >>> YOUR IMPORTANT FILES, DOCUMENTS, PHOTOS, VIDEOS, DATABASES HAVE BEEN ENCRYPTED! The only way to decrypt and restore your files is with our private key and program. Any attempts to restore your files manually will damage your files. To restore your files follow these instructions: -------------------------------------------------------------- 1. Download and install "Tor Browser" from https://torproject.org/ 2. Run "Tor Browser" 3. In the tor browser open website: http://ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid.onion 4. On the website enter your recovery id: RECOVERY ID: 2898c3f96b33f589977288cb21b56d99c0a59ece1ff9342205122cf6b2017f86d4b75b033173ced0ec9ad0243c3127e438449f730e45abee8a75e3fd40cad4a3 5f55c0922fb48d5b598b875355c246bd942b043d4edd4c24a36dc9d8ca372b7a6b52bb60768b51610d92b8ae0ecf31504a0b3b31aa76c047 5. Follow the instructions --------------------------------------------------------------
URLs

http://ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid.onion

Extracted

Path

C:\msocache\# DECRYPT FILES BLUESKY #.html

Ransom Note
<!DOCTYPE html> <html> <body> <center> <font size = "6"> <p><b>B L U E S K Y</b></p> <font size = "4"> <p><b>YOUR IMPORTANT FILES, DOCUMENTS, PHOTOS, VIDEOS, DATABASES HAVE BEEN ENCRYPTED!</b></p> <p>The only way to decrypt and restore your files is with our private key and program.</p> <p>Any attempts to restore your files manually will damage your files.</p> <br> <p>To restore your files follow these instructions:</p> <p><b>1. Download and install "Tor Browser" from https://torproject.org/</p> <p>2. Run "Tor Browser"</p> <p>3. In the Tor Browser open website:</p> <p></b>http://ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid.onion</p> <p><b>4. On the website enter your recovery id:</p> <p></b>RECOVERY ID: 2898c3f96b33f589977288cb21b56d99c0a59ece1ff9342205122cf6b2017f86d4b75b033173ced0ec9ad0243c3127e438449f730e45abee8a75e3fd40cad4a3 5f55c0922fb48d5b598b875355c246bd942b043d4edd4c24a36dc9d8ca372b7a6b52bb60768b51610d92b8ae0ecf31504a0b3b31aa76c047</p> <p><b>5. Follow the instructions on the website</b></p> </center> </body> </html>

Extracted

Path

C:\Users\Admin\Desktop\# DECRYPT FILES BLUESKY #.html

Ransom Note
B L U E S K Y YOUR IMPORTANT FILES, DOCUMENTS, PHOTOS, VIDEOS, DATABASES HAVE BEEN ENCRYPTED! The only way to decrypt and restore your files is with our private key and program. Any attempts to restore your files manually will damage your files. To restore your files follow these instructions: 1. Download and install "Tor Browser" from https://torproject.org/ 2. Run "Tor Browser" 3. In the Tor Browser open website: http://ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid.onion 4. On the website enter your recovery id: RECOVERY ID: 2898c3f96b33f589977288cb21b56d99c0a59ece1ff9342205122cf6b2017f86d4b75b033173ced0ec9ad0243c3127e438449f730e45abee8a75e3fd40cad4a3 5f55c0922fb48d5b598b875355c246bd942b043d4edd4c24a36dc9d8ca372b7a6b52bb60768b51610d92b8ae0ecf31504a0b3b31aa76c047 5. Follow the instructions on the website
URLs

http://ccpyeuptrlatb2piua4ukhnhi7lrxgerrcrj4p2b5uhbzqm2xgdjaqid.onion

Signatures

  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\3e035f2d7d30869ce53171ef5a0f761bfb9c14d94d9fe6da385e20b8d96dc2fb.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1672
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT FILES BLUESKY #.txt
    1⤵
      PID:2036
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT FILES BLUESKY #.html
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1700
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1700 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1248
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT FILES BLUESKY #.html
      1⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6924f50,0x7fef6924f60,0x7fef6924f70
        2⤵
          PID:396
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1100,15920030754783725690,16412112306035549276,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1112 /prefetch:2
          2⤵
            PID:1676
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1100,15920030754783725690,16412112306035549276,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1152 /prefetch:8
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2028
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1100,15920030754783725690,16412112306035549276,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1704 /prefetch:8
            2⤵
              PID:2024
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,15920030754783725690,16412112306035549276,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2000 /prefetch:1
              2⤵
                PID:1500
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,15920030754783725690,16412112306035549276,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2008 /prefetch:1
                2⤵
                  PID:1740
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,15920030754783725690,16412112306035549276,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
                  2⤵
                    PID:2064
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1100,15920030754783725690,16412112306035549276,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3244 /prefetch:2
                    2⤵
                      PID:2148

                  Network

                  MITRE ATT&CK Matrix ATT&CK v6

                  Initial Access

                  Execution

                  Persistence

                  Privilege Escalation

                  Defense Evasion

                  Modify Registry

                  1
                  T1112

                  Credential Access

                  Discovery

                  System Information Discovery

                  2
                  T1082

                  Query Registry

                  1
                  T1012

                  Lateral Movement

                  Collection

                  Exfiltration

                  Command and Control

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\Desktop\# DECRYPT FILES BLUESKY #.html
                    Filesize

                    1KB

                    MD5

                    e11f3f3365d89a4c7fc36cef867027a3

                    SHA1

                    19b793c72ee43b7edc0fb6f39d45e19b0e663a25

                    SHA256

                    85c2089ab426ab13cd9d11a80d7c0b92b416aab477db2a51b970179912f93e34

                    SHA512

                    3f80d9ff65add3e190cac3792ccfdbffe497d3554c38cd8cb93e7622165b590ca75ef185cab6d7474edd25b7340098568ad2f498a85baaca8cef2238c1b8f8a9

                    Download Submit
                  • C:\Users\Admin\Desktop\# DECRYPT FILES BLUESKY #.txt
                    Filesize

                    985B

                    MD5

                    fdd933640e474cbf59bb3a855b4bb074

                    SHA1

                    1ee2241187dc358ab86325aaa455bb3e1f5fb40a

                    SHA256

                    fc35eb5b9ceb0245abf32764e77d70f9572d11f1bf606a369c8c914ee6fa9943

                    SHA512

                    01a6630760e2b309a19174594c1ee254c5f53d4a2a2e7c6527484442f9f5c6cf2bc5ffddf1cea6e3ed1f00650a41640e266e9e271e2ea82437ebd89aaa83015a

                    Download Submit
                  • \??\pipe\crashpad_1304_NHIBXDCXAXHYKSID
                    MD5

                    d41d8cd98f00b204e9800998ecf8427e

                    SHA1

                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                    SHA256

                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                    SHA512

                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                    Download Submit
                  • memory/1672-54-0x00000000763C1000-0x00000000763C3000-memory.dmp
                    Filesize

                    8KB

                    Download
                  • memory/2036-55-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp
                    Filesize

                    8KB

                    Download