Overview

overview

10

Static

static

43c4d8f694...7b.exe

windows7_x64

10

43c4d8f694...7b.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    07-07-2022 21:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43c4d8f6942c51587508802dc4a3336de1ae902abb8380a7aeb9b8945ee65c7b.exe

  • Size

    410KB

  • MD5

    56815047f7f330dcb598899915d6606e

  • SHA1

    8f20faecf7448606c2601bc03f94a6ed4d7c960b

  • SHA256

    43c4d8f6942c51587508802dc4a3336de1ae902abb8380a7aeb9b8945ee65c7b

  • SHA512

    fbc69c4cb808840209bec0ac52cf29e0442fc80c72dea460ced3dc0ef6e035fef7da9dbd21b8fd1ebebfdf43b02184c65ee73995473fc075bb6ad2de113fba03

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\RECOVERaduws.txt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com What's the matter with your files? Your data was secured using a strong encryption with RSA4096. Use the link down below to find additional information on the encryption keys using RSA4096:https://en.wikipedia.org/wiki/RSA_(cryptosystem) What exactly that means? It means that on a structural level your files have been transformed. You won't be able to use, read, see or work with them anymore. In other words they are useless, however, there is a possibility to restore them with our help. What exactly happened to your files? *** Two personal RSA4096 keys were generated for your PC/Laptop; one key is public, another key is private. *** All your data and files were encrypted by the means of the public key, which you received over the web. *** In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers. What should you do next? There are several options for you to consider: 1. You can wait for a while until the price of a private key will raise, so you will have to pay twice as much to access your files or 2. You can start getting BitCoins right now and get access to your data quite fast. In case you have valuable files, we advise you to act fast as there is no other option rather than paying in order to get back your data. In order to obtain specific instructions, please access your personal homepage by choosing one of the few addresses down below: http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/37E76456ECB79F http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/37E76456ECB79F http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/37E76456ECB79F If you can't access your personal homepage or the addresses are not working, complete the following steps: 1. Download TOR Browser - http://www.torproject.org/projects/torbrowser.html.en 2. Install TOR Browser 3. Open TOR Browser 4. Insert the following link in the address bar: k7tlx3ghr3m4n2tu.onion/37E76456ECB79F 5. Follow the steps on your screen IMPORTANT INFORMATION Your personal homepages: http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/37E76456ECB79F http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/37E76456ECB79F http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/37E76456ECB79F Your personal page Tor-Browser k7tlx3ghr3m4n2tu.onion/37E76456ECB79F Your personal identification ID: 37E76456ECB79F
URLs

http://kkr4hbwdklf234bfl84uoqleflqwrfqwuelfh.brazabaya.com/37E76456ECB79F

http://974gfbjhb23hbfkyfaby3byqlyuebvly5q254y.mendilobo.com/37E76456ECB79F

http://a64gfdsjhb4htbiwaysbdvukyft5q.zobodine.at/37E76456ECB79F

http://k7tlx3ghr3m4n2tu.onion/37E76456ECB79F

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43c4d8f6942c51587508802dc4a3336de1ae902abb8380a7aeb9b8945ee65c7b.exe
    "C:\Users\Admin\AppData\Local\Temp\43c4d8f6942c51587508802dc4a3336de1ae902abb8380a7aeb9b8945ee65c7b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Users\Admin\AppData\Local\Temp\43c4d8f6942c51587508802dc4a3336de1ae902abb8380a7aeb9b8945ee65c7b.exe
      "C:\Users\Admin\AppData\Local\Temp\43c4d8f6942c51587508802dc4a3336de1ae902abb8380a7aeb9b8945ee65c7b.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Users\Admin\Documents\kgudig.exe
        C:\Users\Admin\Documents\kgudig.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1400
        • C:\Users\Admin\Documents\kgudig.exe
          C:\Users\Admin\Documents\kgudig.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1976
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
            5⤵
            • Interacts with shadow copies
            PID:1336
          • C:\Windows\system32\cmd.exe
            cmd /c C:\Users\Admin\AppData\Local\Temp\juanv.bat
            5⤵
              PID:1480
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\43C4D8~1.EXE >> NUL
          3⤵
          • Deletes itself
          PID:776
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:636

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\juanv.bat
      Filesize

      135B

      MD5

      04d2d5e62bf08ba848dfef7a1dae5347

      SHA1

      04017eb2a205ad24a80a676e9b3b1b6798a6ae54

      SHA256

      0f314b8bccc34be459927f166712f9e5119980db1fb98681b818633a9715ba43

      SHA512

      c85219c26873e0b243bcbf139eeda1adf09c1e9650a2f78233bb55554dccce5022a19b1f7f574b16a2f0df66412b3dbcd01a32e7a1e82e22ac94eef6f3c9b11d

      Download Submit

    • C:\Users\Admin\Documents\kgudig.exe
      Filesize

      410KB

      MD5

      56815047f7f330dcb598899915d6606e

      SHA1

      8f20faecf7448606c2601bc03f94a6ed4d7c960b

      SHA256

      43c4d8f6942c51587508802dc4a3336de1ae902abb8380a7aeb9b8945ee65c7b

      SHA512

      fbc69c4cb808840209bec0ac52cf29e0442fc80c72dea460ced3dc0ef6e035fef7da9dbd21b8fd1ebebfdf43b02184c65ee73995473fc075bb6ad2de113fba03

      Download Submit

    • C:\Users\Admin\Documents\kgudig.exe
      Filesize

      410KB

      MD5

      56815047f7f330dcb598899915d6606e

      SHA1

      8f20faecf7448606c2601bc03f94a6ed4d7c960b

      SHA256

      43c4d8f6942c51587508802dc4a3336de1ae902abb8380a7aeb9b8945ee65c7b

      SHA512

      fbc69c4cb808840209bec0ac52cf29e0442fc80c72dea460ced3dc0ef6e035fef7da9dbd21b8fd1ebebfdf43b02184c65ee73995473fc075bb6ad2de113fba03

      Download Submit

    • C:\Users\Admin\Documents\kgudig.exe
      Filesize

      410KB

      MD5

      56815047f7f330dcb598899915d6606e

      SHA1

      8f20faecf7448606c2601bc03f94a6ed4d7c960b

      SHA256

      43c4d8f6942c51587508802dc4a3336de1ae902abb8380a7aeb9b8945ee65c7b

      SHA512

      fbc69c4cb808840209bec0ac52cf29e0442fc80c72dea460ced3dc0ef6e035fef7da9dbd21b8fd1ebebfdf43b02184c65ee73995473fc075bb6ad2de113fba03

      Download Submit

    • \Users\Admin\Documents\kgudig.exe
      Filesize

      410KB

      MD5

      56815047f7f330dcb598899915d6606e

      SHA1

      8f20faecf7448606c2601bc03f94a6ed4d7c960b

      SHA256

      43c4d8f6942c51587508802dc4a3336de1ae902abb8380a7aeb9b8945ee65c7b

      SHA512

      fbc69c4cb808840209bec0ac52cf29e0442fc80c72dea460ced3dc0ef6e035fef7da9dbd21b8fd1ebebfdf43b02184c65ee73995473fc075bb6ad2de113fba03

      Download Submit

    • \Users\Admin\Documents\kgudig.exe
      Filesize

      410KB

      MD5

      56815047f7f330dcb598899915d6606e

      SHA1

      8f20faecf7448606c2601bc03f94a6ed4d7c960b

      SHA256

      43c4d8f6942c51587508802dc4a3336de1ae902abb8380a7aeb9b8945ee65c7b

      SHA512

      fbc69c4cb808840209bec0ac52cf29e0442fc80c72dea460ced3dc0ef6e035fef7da9dbd21b8fd1ebebfdf43b02184c65ee73995473fc075bb6ad2de113fba03

      Download Submit

    • memory/1664-64-0x0000000000400000-0x000000000047E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/1664-78-0x0000000000400000-0x000000000047E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/1664-71-0x0000000000400000-0x000000000047E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/1664-72-0x0000000000400000-0x000000000047E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/1664-56-0x0000000000400000-0x000000000047E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/1664-66-0x0000000000400000-0x000000000047E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/1664-57-0x0000000000400000-0x000000000047E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/1664-63-0x0000000000400000-0x000000000047E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/1664-70-0x0000000074E91000-0x0000000074E93000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1664-61-0x0000000000400000-0x000000000047E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/1664-59-0x0000000000400000-0x000000000047E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/1800-54-0x00000000001B0000-0x00000000001B6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1800-68-0x00000000001B0000-0x00000000001B6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1800-55-0x00000000001B0000-0x00000000001B6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1976-95-0x0000000000400000-0x000000000047E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/1976-96-0x0000000000400000-0x000000000047E000-memory.dmp

      Filesize

      504KB

      Download

    • memory/1976-98-0x0000000000400000-0x000000000047E000-memory.dmp

      Filesize

      504KB

      Download