Overview

overview

10

Static

static

8

b236068ab9...e8.exe

windows7_x64

10

b236068ab9...e8.exe

windows10-2004_x64

10

Resubmissions

06/07/2022, 08:05

220706-jy9vgsadgp 10

06/07/2022, 06:45

220706-hh2cqsbgc3 10

Analysis

  • max time kernel
    39s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    06/07/2022, 06:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8.exe

  • Size

    228KB

  • MD5

    707c69692402945982492eede5c829ca

  • SHA1

    1e2da40c770722385982f6f0a49a4920f69870ba

  • SHA256

    b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8

  • SHA512

    5373029d7fad0c36c0f7dfeaafddaf869c7f5f53d07b4b81e0af7a32764a7fd24299bdb05ea000efdc6c840b6e5f19613315fa1185d19161d7342a4b065e8164

Score
10/10
discoverypersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\#HOW_TO_DECRYPT#.txt

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Write to our skype - RICARDOMILOS DECRYPTION Also you can write ICQ live chat which works 24/7 @RicardoMilosGachimuchi Install ICQ software on your PC https://icq.com/windows/ or on your mobile phone search in Appstore / Google market ICQ Write to our ICQ @RicardoMilosGachimuchi https://icq.im/RicardoMilosGachimuchi 2. Our company values its reputation. We give all guarantees of your files decryption, such as test decryption some of them We respect your time and waiting for respond from your side tell your MachineID: 2913756387 and LaunchID: f1d3ffa752 ====================================================================================================
URLs

https://icq.com/windows/

https://icq.im/RicardoMilosGachimuchi

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 18 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Generic Ransomware Note 64 IoCs

    Ransomware often writes a note containing information on how to pay the ransom.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Interacts with shadow copies 2 TTPs 14 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8.exe
    "C:\Users\Admin\AppData\Local\Temp\b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1868
    • C:\Windows\SysWOW64\net.exe
      net stop VSS & sc config VSS start= disabled
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop VSS & sc config VSS start= disabled
        3⤵
          PID:1604
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        2⤵
        • Interacts with shadow copies
        PID:1696
      • C:\Windows\SysWOW64\sc.exe
        sc config VSS start= Demand & net start VSS
        2⤵
        • Launches sc.exe
        PID:916
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic.exe SHADOWCOPY delete /nointeractive
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:560
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        2⤵
        • Interacts with shadow copies
        PID:1968
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
        2⤵
        • Interacts with shadow copies
        PID:972
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
        2⤵
        • Interacts with shadow copies
        PID:268
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1368
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:684
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1624
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:556
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1588
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1604
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:916
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:996
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1600
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1744
      • C:\Windows\SysWOW64\icacls.exe
        icacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q
        2⤵
        • Modifies file permissions
        PID:1968
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:580
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8.exe" >> NUL
        2⤵
        • Deletes itself
        PID:1376
        • C:\Windows\SysWOW64\timeout.exe
          timeout 1
          3⤵
          • Delays execution with timeout.exe
          PID:2036
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1240

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/580-82-0x0000000073600000-0x0000000073BAB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/580-81-0x0000000073600000-0x0000000073BAB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1868-56-0x0000000001240000-0x00000000012CD000-memory.dmp

      Filesize

      564KB

      Download

    • memory/1868-54-0x00000000759E1000-0x00000000759E3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1868-58-0x0000000001240000-0x00000000012CD000-memory.dmp

      Filesize

      564KB

      Download

    • memory/1868-57-0x0000000001240000-0x00000000012CD000-memory.dmp

      Filesize

      564KB

      Download

    • memory/1868-55-0x0000000001240000-0x00000000012CD000-memory.dmp

      Filesize

      564KB

      Download

    • memory/1868-64-0x0000000001240000-0x00000000012CD000-memory.dmp

      Filesize

      564KB

      Download

    • memory/1868-84-0x0000000001240000-0x00000000012CD000-memory.dmp

      Filesize

      564KB

      Download