Resubmissions

06-07-2022 08:05

220706-jy9vgsadgp 10

06-07-2022 06:45

220706-hh2cqsbgc3 10

Analysis

  • max time kernel
    53s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    06-07-2022 08:05

General

  • Target

    b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8.exe

  • Size

    228KB

  • MD5

    707c69692402945982492eede5c829ca

  • SHA1

    1e2da40c770722385982f6f0a49a4920f69870ba

  • SHA256

    b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8

  • SHA512

    5373029d7fad0c36c0f7dfeaafddaf869c7f5f53d07b4b81e0af7a32764a7fd24299bdb05ea000efdc6c840b6e5f19613315fa1185d19161d7342a4b065e8164

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\#HOW_TO_DECRYPT#.txt

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Write to our skype - RICARDOMILOS DECRYPTION
Also you can write ICQ live chat which works 24/7 @RicardoMilosGachimuchi
Install ICQ software on your PC https://icq.com/windows/ or on your mobile phone search in Appstore / Google market ICQ
Write to our ICQ @RicardoMilosGachimuchi https://icq.im/RicardoMilosGachimuchi
2. Our company values its reputation. We give all guarantees of your files decryption, such as test decryption some of them
We respect your time and waiting for respond from your side
tell your MachineID: 2346306799 and LaunchID: b82bfa9e87
====================================================================================================
URLs

https://icq.com/windows/

https://icq.im/RicardoMilosGachimuchi
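The note and the encrypted-file name in this report carry the IoCs a responder wants to pull out mechanically: the contact channels (Skype name, ICQ handle, URLs), the victim identifiers (MachineID, LaunchID), and the suffix pattern appended to encrypted files, in which the same LaunchID reappears. The Python below is an added example, not part of the sandbox output: NOTE is the report's ransom note (separator rows dropped), ENCRYPTED_NAME is the file listed under Downloads, and SAMPLE_LISTING is a constructed directory listing used only to show the hunting pattern.

```python
"""IoC extraction from the ransom note and encrypted-file name in this report.
Added example, not part of the sandbox output.  NOTE is the report's note with
the '====' separator rows removed; ENCRYPTED_NAME is the file listed under
Downloads; SAMPLE_LISTING is a constructed listing, not data from the report."""
import re

NOTE = """ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
To receive the private key and decryption program follow the instructions below:
1. Write to our skype - RICARDOMILOS DECRYPTION
Also you can write ICQ live chat which works 24/7 @RicardoMilosGachimuchi
Install ICQ software on your PC https://icq.com/windows/ or on your mobile phone search in Appstore / Google market ICQ
Write to our ICQ @RicardoMilosGachimuchi https://icq.im/RicardoMilosGachimuchi
2. Our company values its reputation. We give all guarantees of your files decryption, such as test decryption some of them
We respect your time and waiting for respond from your side
tell your MachineID: 2346306799 and LaunchID: b82bfa9e87
"""

ENCRYPTED_NAME = "StartReset.ps1.[b82bfa9e87].[Ricardo Milos].Washedback"

# Encrypted names in this report follow  <original>.[<LaunchID>].[<actor>].<ext>
NAME_RX = re.compile(
    r"^(?P<original>.+?)\.\[(?P<launch_id>[0-9a-f]{10})\]\.\[(?P<actor>[^\]]+)\]\.(?P<ext>\w+)$")


def parse_encrypted_name(name):
    """Split an encrypted file name into its parts, or return None if it does not fit."""
    m = NAME_RX.match(name)
    return m.groupdict() if m else None


def _first(rx, text, flags=0):
    m = re.search(rx, text, flags)
    return m.group(1) if m else None


def extract_note_iocs(text):
    """Pull the contact channels and victim identifiers out of the note text."""
    return {
        "skype": _first(r"skype\s*-\s*(.+)", text, re.I),
        "icq_handles": sorted(set(re.findall(r"@(\w+)", text))),
        "urls": sorted(set(re.findall(r"https?://\S+", text))),
        "machine_id": _first(r"MachineID:\s*(\d+)", text),
        "launch_id": _first(r"LaunchID:\s*([0-9a-f]+)", text),
    }


def launch_ids_match(note_text, encrypted_name):
    """The LaunchID in the note should equal the one embedded in the file names;
    a mismatch means the note and the files come from different runs."""
    parsed = parse_encrypted_name(encrypted_name)
    note = extract_note_iocs(note_text)
    return parsed is not None and parsed["launch_id"] == note["launch_id"]


def find_encrypted(filenames, parsed, same_launch=True):
    """Return the names carrying this family's suffix.  With same_launch the
    LaunchID must match too, which scopes the hunt to this one infection."""
    launch = re.escape(parsed["launch_id"]) if same_launch else r"[0-9a-f]{10}"
    tail = re.escape(f"[{parsed['actor']}].{parsed['ext']}")
    rx = re.compile(r"\.\[" + launch + r"\]\." + tail + "$")
    return [f for f in filenames if rx.search(f)]


# Constructed listing: the first name is from the report, the rest are invented.
SAMPLE_LISTING = [
    "StartReset.ps1.[b82bfa9e87].[Ricardo Milos].Washedback",
    "report.docx.[b82bfa9e87].[Ricardo Milos].Washedback",
    "photo.jpg.[0123456789].[Ricardo Milos].Washedback",  # same family, other LaunchID
    "#HOW_TO_DECRYPT#.txt",
    "notes.txt",
]

if __name__ == "__main__":
    print(extract_note_iocs(NOTE))
    print(parse_encrypted_name(ENCRYPTED_NAME))
    print("launch ids match:", launch_ids_match(NOTE, ENCRYPTED_NAME))
    print(find_encrypted(SAMPLE_LISTING, parse_encrypted_name(ENCRYPTED_NAME)))
```

The actor label in the suffix contains a space and square brackets, so a shell glob built from it has to be quoted; the regex form above avoids that problem and lets the LaunchID be pinned or wildcarded depending on whether you are scoping one host's incident or sweeping for the family.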

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 18 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Launches sc.exe 1 IoCs

    sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • Interacts with shadow copies 2 TTPs 14 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8.exe
    "C:\Users\Admin\AppData\Local\Temp\b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1836
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:1980
    • C:\Windows\SysWOW64\net.exe
      net stop VSS & sc config VSS start= disabled
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop VSS & sc config VSS start= disabled
        3⤵
          PID:1696
      • C:\Windows\SysWOW64\sc.exe
        sc config VSS start= Demand & net start VSS
        2⤵
        • Launches sc.exe
        PID:1132
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic.exe SHADOWCOPY delete /nointeractive
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:688
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        2⤵
        • Interacts with shadow copies
        PID:896
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
        2⤵
        • Interacts with shadow copies
        PID:672
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
        2⤵
        • Interacts with shadow copies
        PID:1984
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1892
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:472
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1564
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:964
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1696
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1132
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1980
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1204
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1504
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
        2⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:484
      • C:\Windows\SysWOW64\icacls.exe
        icacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q
        2⤵
        • Modifies file permissions
        PID:1092
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1212
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8.exe" >> NUL
        2⤵
        • Deletes itself
        PID:1684
        • C:\Windows\SysWOW64\timeout.exe
          timeout 1
          3⤵
          • Delays execution with timeout.exe
          PID:1840
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2028
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\StartReset.ps1.[b82bfa9e87].[Ricardo Milos].Washedback
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1888
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\StartReset.ps1.[b82bfa9e87].[Ricardo Milos].Washedback
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:1132
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\#HOW_TO_DECRYPT#.txt
      1⤵
        PID:688
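The children of PID 1836 above are the standard T1490 sequence: delete shadow copies three different ways (vssadmin, wmic, and WMI from PowerShell), shrink each drive's ShadowStorage to 401MB so the oldest snapshots are discarded and then set it back to unbounded, stop and disable the VSS service, widen ACLs with icacls, and finally self-delete through cmd.exe and timeout. The Python below is an added detection example, not part of the sandbox report: it runs regex rules over constructed process-creation records (command lines and PIDs copied from the tree above, plus two benign admin commands under a parent PID 2900 that are not in the report) and correlates the matches per parent PID. The rules and thresholds are the editor's, not a vendor's.

```python
"""Detection example for the Inhibit System Recovery (T1490) commands in the
process tree above.  Added here as an illustration; it is not part of the
sandbox report, and the rules are the editor's, not a vendor's.  SAMPLE_EVENTS
is constructed: command lines and PIDs copied from the tree, plus two benign
admin commands (PIDs 3001/3002, parent 2900) that do not appear in the report."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal process-creation record (Sysmon EID 1 / Security 4688 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# (tag, regex).  Case-insensitive because the sample mixes
# "vssadmin delete shadows" with "vssadmin.exe Delete Shadows".
RULES = [
    ("vss_delete",    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vss_resize",    re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b.*/maxsize=", re.I)),
    ("wmic_delete",   re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("ps_wmi_delete", re.compile(r"win32_shadowcopy.*\.delete\(", re.I)),
    ("vss_service",   re.compile(r"\bnet1?\s+stop\s+vss\b|\bsc\s+config\s+vss\s+start=\s*disabled\b", re.I)),
    # The "{A-Z}:" / "{Username}" tokens in the report look like sandbox
    # placeholders, so the rule keys on /grant ... /T rather than the drive.
    ("icacls_grant",  re.compile(r"\bicacls(\.exe)?\s+\S+\s+/grant\b.*\s/T\b", re.I)),
    ("self_delete",   re.compile(r"\bcmd(\.exe)?\"?\s+/c\s+timeout\s+\d+\s*&&\s*del\b", re.I)),
]

# Tags that remove or disable restore points; a subset is outright destructive.
RECOVERY_TAGS = {"vss_delete", "vss_resize", "wmic_delete", "ps_wmi_delete", "vss_service"}
DESTRUCTIVE_TAGS = {"vss_delete", "wmic_delete", "ps_wmi_delete"}


def classify(cmdline):
    """Return the tag of every rule the command line matches, in rule order."""
    return [tag for tag, rx in RULES if rx.search(cmdline)]


def correlate(events):
    """Group matched tags by parent PID.  One parent fanning out many
    recovery-inhibition children is exactly the shape of the tree above."""
    by_parent = {}
    for ev in events:
        tags = classify(ev.cmdline)
        if tags:
            by_parent.setdefault(ev.ppid, set()).update(tags)
    return {ppid: sorted(tags) for ppid, tags in by_parent.items()}


def alerts(events, threshold=2):
    """Alert on a parent whose children hit `threshold` distinct recovery tags,
    or any outright deletion: one 'vssadmin delete shadows' already removes
    every restore point, so it must not wait for a second signal."""
    out = []
    for ppid, tags in correlate(events).items():
        rec = RECOVERY_TAGS & set(tags)
        if len(rec) >= threshold or rec & DESTRUCTIVE_TAGS:
            out.append((ppid, tags))
    return out


# Constructed sample: first eight from the report tree, last two benign (invented).
SAMPLE_EVENTS = [
    Event(1980, 1836, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    Event(2012, 1836, r"C:\Windows\SysWOW64\net.exe", "net stop VSS & sc config VSS start= disabled"),
    Event(1132, 1836, r"C:\Windows\SysWOW64\sc.exe", "sc config VSS start= Demand & net start VSS"),
    Event(688, 1836, r"C:\Windows\SysWOW64\Wbem\wmic.exe", "wmic.exe SHADOWCOPY delete /nointeractive"),
    Event(672, 1836, r"C:\Windows\SysWOW64\vssadmin.exe",
          "vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB"),
    Event(1092, 1836, r"C:\Windows\SysWOW64\icacls.exe", 'icacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q'),
    Event(1212, 1836, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          'powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"'),
    Event(1684, 1836, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\b236068ab96144198a99444a0c8c4ea42e8cde9667e56e8e1402de8a4030ebe8.exe" >> NUL'),
    Event(3001, 2900, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    Event(3002, 2900, r"C:\Windows\System32\sc.exe", "sc query VSS"),
]

if __name__ == "__main__":
    for ppid, tags in alerts(SAMPLE_EVENTS):
        print(f"ALERT parent pid {ppid}: {', '.join(tags)}")
```

Note that the re-enabling command `sc config VSS start= Demand & net start VSS` is deliberately not matched: the sample stops VSS, deletes, then restarts it so vssvc.exe (PID 2028 above) can serve the resize calls, and a rule that fired on every `sc config VSS` would also fire on legitimate backup agents. The benign `vssadmin list shadows` and `sc query VSS` under parent 2900 produce no tags at all, so the correlation output contains only PID 1836.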

Network

MITRE ATT&CK Matrix ATT&CK v6

  Tactic            Technique                            Hits  ID
  Persistence       Registry Run Keys / Startup Folder   1     T1060
  Defense Evasion   File Deletion                        2     T1107
  Defense Evasion   File Permissions Modification        1     T1222
  Defense Evasion   Modify Registry                      2     T1112
  Discovery         Query Registry                       1     T1012
  Discovery         Peripheral Device Discovery          1     T1120
  Discovery         System Information Discovery         2     T1082
  Impact            Inhibit System Recovery              2     T1490


      Downloads

      • C:\Users\Admin\Desktop\StartReset.ps1.[b82bfa9e87].[Ricardo Milos].Washedback
        Filesize

        281KB

        MD5

        edddcf7f8224d92a9e56b35bf97996c7

        SHA1

        9f3e6d81d11dc69eb70d5c12e17cf89200075004

        SHA256

        6dac78c74e3aa8d05438f5abfdefd7b663d794ed6267eb93256c2c1c33be12bd

        SHA512

        35c2847fa909d222431e9f6c29ce9def218496742967177182715c086ae39b2281e8f9c6044ccdc9490445393943e8182d4aadf2a37b6e56ef3f8c1cc32c12a7

      • C:\Users\Public\Desktop\#HOW_TO_DECRYPT#.txt
        Filesize

        2KB

        MD5

        44381b240eadf03ac821aa6c25dc1248

        SHA1

        3778a9bcb3404abcc5e9fd0f0241e370f96f5762

        SHA256

        a07ca2576f621736a53df65787ea668b6e27ad7258fb19a82de6f419a6d068be

        SHA512

        0a1a7dcd69f8d897310b5d41ad02946eec4c78cc0aac8ef68fd296501f62bbddf347b3d13bb056dd3e0459e8901e4c17742f1b30e37755c8b8d3a2b891794fc3

      • memory/472-69-0x0000000000000000-mapping.dmp
      • memory/484-77-0x0000000000000000-mapping.dmp
      • memory/672-65-0x0000000000000000-mapping.dmp
      • memory/688-63-0x0000000000000000-mapping.dmp
      • memory/896-64-0x0000000000000000-mapping.dmp
      • memory/964-71-0x0000000000000000-mapping.dmp
      • memory/1092-78-0x0000000000000000-mapping.dmp
      • memory/1132-62-0x0000000000000000-mapping.dmp
      • memory/1132-73-0x0000000000000000-mapping.dmp
      • memory/1132-87-0x0000000000000000-mapping.dmp
      • memory/1204-75-0x0000000000000000-mapping.dmp
      • memory/1212-82-0x0000000073B60000-0x000000007410B000-memory.dmp
        Filesize

        5.7MB

      • memory/1212-81-0x0000000073B60000-0x000000007410B000-memory.dmp
        Filesize

        5.7MB

      • memory/1212-79-0x0000000000000000-mapping.dmp
      • memory/1504-76-0x0000000000000000-mapping.dmp
      • memory/1564-70-0x0000000000000000-mapping.dmp
      • memory/1684-83-0x0000000000000000-mapping.dmp
      • memory/1696-61-0x0000000000000000-mapping.dmp
      • memory/1696-72-0x0000000000000000-mapping.dmp
      • memory/1836-55-0x0000000000B30000-0x0000000000BBD000-memory.dmp
        Filesize

        564KB

      • memory/1836-57-0x0000000000B30000-0x0000000000BBD000-memory.dmp
        Filesize

        564KB

      • memory/1836-54-0x0000000076421000-0x0000000076423000-memory.dmp
        Filesize

        8KB

      • memory/1836-68-0x0000000000B30000-0x0000000000BBD000-memory.dmp
        Filesize

        564KB

      • memory/1836-58-0x0000000000B30000-0x0000000000BBD000-memory.dmp
        Filesize

        564KB

      • memory/1836-56-0x0000000000B30000-0x0000000000BBD000-memory.dmp
        Filesize

        564KB

      • memory/1836-84-0x0000000000B30000-0x0000000000BBD000-memory.dmp
        Filesize

        564KB

      • memory/1840-85-0x0000000000000000-mapping.dmp
      • memory/1888-86-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmp
        Filesize

        8KB

      • memory/1892-67-0x0000000000000000-mapping.dmp
      • memory/1980-59-0x0000000000000000-mapping.dmp
      • memory/1980-74-0x0000000000000000-mapping.dmp
      • memory/1984-66-0x0000000000000000-mapping.dmp
      • memory/2012-60-0x0000000000000000-mapping.dmp