Analysis

  • max time kernel
    153s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    07-07-2022 09:24

General

  • Target

    trojan/10.exe

  • Size

    216KB

  • MD5

    78621f1e196497d440afb57f4609fcf9

  • SHA1

    eed7c3bb3fc5181b88abeed2204997f350324022

  • SHA256

    4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080

  • SHA512

    8bcc845b88710528c45df0ccc1ffc4d52663a2e7b870f7d347dacf2a2a698ea8d7ffc412b14841b5020618be845a0a1ee70e54f2aa86b3a4d8a9c298ff7ced44

Score
10/10

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Ransom Note
ALL YOUR FILES HAVE BEEN ENCRYPTED BY "VICE SOCIETY"
All your important documents, photos, databases were stolen and encrypted.
If you don't contact us in 7 days we will upload your files to darknet.
The only method of recovering files is to purchase an unique private key.
We are the only who can give you tool to recover your files.
To proove that we have the key and it works you can send us 2 files and we decrypt it for free (not more than 2 MB each).
This file should be not valuable!
Write to email: BruceBoyle@onionmail.org
Alternative email: SylvesterJones@onionmail.org
Public emai:l v-society.official@onionmail.org
Our tor website: vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to ours) or you can become a victim of a scam.

Emails

BruceBoyle@onionmail.org

SylvesterJones@onionmail.org

v-society.official@onionmail.org

URLs

http://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\trojan\10.exe
    "C:\Users\Admin\AppData\Local\Temp\trojan\10.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -start
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1588
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1824
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        3⤵
        PID:1332
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        PID:1980
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        PID:320
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:300
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1216
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe" -agent 0
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:972
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1388
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:568
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:112
    • C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      2⤵
      • Deletes itself
      PID:1560
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    File Deletion (T1107): 2
    Modify Registry (T1112): 1
  • Discovery
    Query Registry (T1012): 1
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 2
  • Impact
    Inhibit System Recovery (T1490): 2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\~temp001.bat

    Filesize
    406B

    MD5
    ef572e2c7b1bbd57654b36e8dcfdc37a

    SHA1
    b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

    SHA256
    e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

    SHA512
    b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe

    Filesize
    216KB

    MD5
    78621f1e196497d440afb57f4609fcf9

    SHA1
    eed7c3bb3fc5181b88abeed2204997f350324022

    SHA256
    4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080

    SHA512
    8bcc845b88710528c45df0ccc1ffc4d52663a2e7b870f7d347dacf2a2a698ea8d7ffc412b14841b5020618be845a0a1ee70e54f2aa86b3a4d8a9c298ff7ced44

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\TrustedInstaller.exe

    Filesize
    216KB

    MD5
    78621f1e196497d440afb57f4609fcf9

    SHA1
    eed7c3bb3fc5181b88abeed2204997f350324022

    SHA256
    4a4be110d587421ad50d2b1a38b108fa05f314631066a2e96a1c85cc05814080

    SHA512
    8bcc845b88710528c45df0ccc1ffc4d52663a2e7b870f7d347dacf2a2a698ea8d7ffc412b14841b5020618be845a0a1ee70e54f2aa86b3a4d8a9c298ff7ced44
