Analysis

  • max time kernel
    122s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-07-2022 10:15

General

  • Target

    f3caa040efb298878b99f883a898f76d92554e07a8958e90ff70e7ff3cfabdf5.exe

  • Size

    235KB

  • MD5

    b7a182db3ba75e737f75bda1bc76331a

  • SHA1

    cf0fe28214ad4106c48ec5867327319eaa82b3c3

  • SHA256

    f3caa040efb298878b99f883a898f76d92554e07a8958e90ff70e7ff3cfabdf5

  • SHA512

    5e8d7f65ae231020056a3940d3ca31546986a6130a7956374edc0bc4f139f66f467bf27b66b5cdff73f52dc48ad00f84a9a618fec6db2727c61c44807fb650e8

Score
10/10

Malware Config

Extracted

Path

C:\Restore_Your_Files.txt

Ransom Note
All your important files have been encrypted and stolen! Contact us for price and get decryption software. You have 3 days to contact us for negotiation. If you don't contact within three days, we'll start leaking data.
1) Contact our tox. Tox download address: https://tox.chat/ Our poison ID: 59B542C61F574BD8B3255E55651FC7C49EB53546FC6AD0698C7A12D97D193C7D6DBA9758A282
* Note that this server is available via Tor browser only
Follow the instructions to open the link:
1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.
2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.
3. Now you have Tor browser. In the Tor Browser open : http://yeuajcizwytgmrntijhxphs6wn5txp2prs6rpndafbsapek3zd4ubcid.onion
URLs

https://tox.chat/

http://yeuajcizwytgmrntijhxphs6wn5txp2prs6rpndafbsapek3zd4ubcid.onion

Signatures

  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3caa040efb298878b99f883a898f76d92554e07a8958e90ff70e7ff3cfabdf5.exe
    "C:\Users\Admin\AppData\Local\Temp\f3caa040efb298878b99f883a898f76d92554e07a8958e90ff70e7ff3cfabdf5.exe"
    • Modifies extensions of user files
    • Drops startup file
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    PID: 4508
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID: 4704

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 1
  • Peripheral Device Discovery (T1120): 1
  • System Information Discovery (T1082): 2

Downloads

  • memory/4508-130-0x00007FF83FC00000-0x00007FF83FF55000-memory.dmp
    Filesize

    3.3MB