5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
17-07-2022 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
Size

679KB
MD5

cfe5a7469deb3aff3d6630614833afda
SHA1

8d99a9c94bfced8df8f50395e990465d0721e815
SHA256

5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087
SHA512

89fa84f2f5395d5b5a6d263140c7a118d97c8e7d11283f41148dd786f6d16bc583292cec30dbd6e8d9ef3743633fb9adde63e3624a36c9ec89281dfb7603e8ff

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\@@_READ_ME_@@.txt

Ransom Note

$$$$$$$$$$$$$$$$$$$$$$$$> PEEKABOO <$$$$$$$$$$$$$$$$$$$$$$$$ SORRY! Your files are encrypted. File contents are encrypted with random key. Random key is encrypted with RSA public key (2048 bit). We STRONGLY RECOMMEND you NOT to use any "decryption tools". These tools can damage your data, making recover IMPOSSIBLE. Also we recommend you not to contact data recovery companies. They will just contact us, buy the key and sell it to you at a higher price. If you want to decrypt your files, you have to get RSA private key. -- In order to get private key, write here: [email protected] =========== !ATTENTION! Attach file is 000000000.key from %appdata% to email message, without it we will not be able to decrypt your files =========== And pay $300 on BTC-wallet: 1NkjBNF7fmpRsX4WjokUie21m8bv9xvRKs If someone else offers you files restoring, ask him for test decryption. Only we can successfully decrypt your files; knowing this can protect you from fraud. You will receive instructions of what to do next. $$$$$$$$$$$$$$$$$$$$$$$$> PEEKABOO <$$$$$$$$$$$$$$$$$$$$$$$$

Emails

[email protected]

Wallets

1NkjBNF7fmpRsX4WjokUie21m8bv9xvRKs

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe\" e"	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1736 set thread context of 4192	1736	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe	89

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\@@_READ_ME_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\@@_READ_ME_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\@@_HELPER_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\@@_TAKE_A_LOOK_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\@@_HELPER_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\@@_TAKE_A_LOOK_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\@@_HELPER_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\@@_TAKE_A_LOOK_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\Services\@@_HELPER_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-GB\@@_READ_ME_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\System\fr-FR\@@_READ_ME_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ms.pak	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\pt-BR.pak	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\@@_HELPER_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\@@_TAKE_A_LOOK_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\@@_READ_ME_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\@@_TAKE_A_LOOK_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\@@_TAKE_A_LOOK_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\@@_READ_ME_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\@@_READ_ME_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\System\en-US\@@_TAKE_A_LOOK_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\@@_HELPER_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCalls.h	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\System\ado\en-US\@@_READ_ME_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\el-GR\@@_READ_ME_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\@@_TAKE_A_LOOK_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\@@_HELPER_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\@@_READ_ME_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\SmallLogoCanary.png	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Internet Explorer\de-DE\@@_READ_ME_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\bn.pak	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ml.pak	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoDev.png	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\@@_TAKE_A_LOOK_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\amd64\jvm.cfg	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\@@_HELPER_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\@@_HELPER_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\@@_READ_ME_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\@@_HELPER_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\System\es-ES\@@_TAKE_A_LOOK_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\System\it-IT\@@_TAKE_A_LOOK_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\@@_HELPER_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\@@_TAKE_A_LOOK_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\@@_HELPER_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\@@_READ_ME_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\@@_READ_ME_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\ImportFormat.iso	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
File created	C:\Program Files\Common Files\microsoft shared\VGX\@@_TAKE_A_LOOK_@@.txt	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 4192	1736	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe	89
PID 1736 wrote to memory of 4192	1736	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe	89
PID 1736 wrote to memory of 4192	1736	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe	89
PID 1736 wrote to memory of 4192	1736	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe	89
PID 1736 wrote to memory of 4192	1736	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe	89
PID 1736 wrote to memory of 4192	1736	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe	89
PID 1736 wrote to memory of 4192	1736	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe	89
PID 1736 wrote to memory of 4192	1736	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe	89
PID 1736 wrote to memory of 4192	1736	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe	89
PID 1736 wrote to memory of 4192	1736	5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe	89

C:\Users\Admin\AppData\Local\Temp\5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
"C:\Users\Admin\AppData\Local\Temp\5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe
  "C:\Users\Admin\AppData\Local\Temp\5230f18b804d1117f09f2ec7d7b45977c154bc80bfbfbb3c1f32997a28583087.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  PID:4192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1736-133-0x00000000007E8000-0x000000000084E000-memory.dmp

Filesize
408KB

Download
memory/4192-131-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4192-132-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4192-134-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4192-135-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4192-136-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download