Resubmissions

06/07/2022, 08:05

220706-jy9vgsadgp 10

06/07/2022, 06:45

220706-hh2cqsbgc3 10

Analysis

  • max time kernel
    90s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    06/07/2022, 06:45

General

  • Target

    b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8.exe

  • Size

    228KB

  • MD5

    707c69692402945982492eede5c829ca

  • SHA1

    1e2da40c770722385982f6f0a49a4920f69870ba

  • SHA256

    b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8

  • SHA512

    5373029d7fad0c36c0f7dfeaafddaf869c7f5f53d07b4b81e0af7a32764a7fd24299bdb05ea000efdc6c840b6e5f19613315fa1185d19161d7342a4b065e8164

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\#HOW_TO_DECRYPT#.txt

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Write to our skype - RICARDOMILOS DECRYPTION
Also you can write ICQ live chat which works 24/7 @RicardoMilosGachimuchi
Install ICQ software on your PC https://icq.com/windows/ or on your mobile phone search in Appstore / Google market ICQ
Write to our ICQ @RicardoMilosGachimuchi https://icq.im/RicardoMilosGachimuchi
2. Our company values its reputation. We give all guarantees of your files decryption, such as test decryption some of them
We respect your time and waiting for respond from your side tell your MachineID: 2216818140 and LaunchID: e2be84a158
====================================================================================================

URLs

https://icq.com/windows/

https://icq.im/RicardoMilosGachimuchi

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Generic Ransomware Note 64 IoCs

    Ransomware often writes a note containing information on how to pay the ransom.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8.exe
    "C:\Users\Admin\AppData\Local\Temp\b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1976
    • C:\Windows\SysWOW64\net.exe
      net stop VSS & sc config VSS start= disabled
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:444
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop VSS & sc config VSS start= disabled
        3⤵
        PID:1892
    • C:\Windows\SysWOW64\sc.exe
      sc config VSS start= Demand & net start VSS
      2⤵
      • Launches sc.exe
      PID:2224
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY delete /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4216
    • C:\Windows\SysWOW64\icacls.exe
      icacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:4688
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1484
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8.exe" >> NUL
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:228
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:2588
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2772
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:488
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\#HOW_TO_DECRYPT#.txt
    1⤵
    PID:3264

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Public\Desktop\#HOW_TO_DECRYPT#.txt

    Filesize

    2KB

    MD5

    84298f4317b9d380a3e6daa3f9741cb8

    SHA1

    f7df54959078452bfca4e6b4576c5d8f925abafb

    SHA256

    9761fd7ed2c75ed1bcb8cb46204d3df6ef3a5ece4e6364806c36d62cd3ab88ba

    SHA512

    b0e6fc12d525a39e61f6f474ce7a0923b1c6b00008ed6a27ce9a8a5cd3c514768e3358787e2d5b7210bc858e2b44dc2fd92d78ed19c861479be3168a528db222
