Overview

overview

10

Static

static

e55fcf9315...62.exe

windows7-x64

10

e55fcf9315...62.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    65s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    24-07-2022 15:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e55fcf9315c52d2abd3431f7e4bb82cbd2b0d24d124e0e1a27b951030b2de162.exe

  • Size

    156KB

  • MD5

    ca2326886fa699068c44f32b3e51adaf

  • SHA1

    3555aaebe6c113fb8f923a38cb3bd75da6e86277

  • SHA256

    e55fcf9315c52d2abd3431f7e4bb82cbd2b0d24d124e0e1a27b951030b2de162

  • SHA512

    d7da00f22fede4909c29d5c6125f2b5749453cefa65c262133d50cf7235fc9d3b134e5b2d5740f08e8db3fc70c21de8bed42deb84a5ca31108a7968026b7ed9e

Score
10/10
ransomexx_winevasionransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\!TXDOT_READ_ME!.txt

Ransom Note
Greetings, Texas Department of Transportation! Read this message CAREFULLY and contact someone from IT department. Your files are securely ENCRYPTED. No third party decryption software EXISTS. MODIFICATION or RENAMING encrypted files may cause decryption failure. You can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all files from all affected systems ANY TIME. Encrypted file SHOULD NOT contain sensitive information (technical, backups, databases, large documents). The rest of data will be available after the PAYMENT. Infrastructure rebuild will cost you MUCH more. Contact us ONLY if you officially represent the whole affected network. The ONLY attachments we accept are non archived encrypted files for test decryption. Speak ENGLISH when contacting us. Mail us: [email protected] We kindly ask you not to use GMAIL, YAHOO or LIVE to contact us. The PRICE depends on how quickly you do it. �

Signatures

  • Deletes NTFS Change Journal 2 TTPs 1 IoCs

    The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

    ransomware
  • RansomEXX Ransomware 6 IoCs

    Targeted ransomware with variants which affect Windows and Linux systems.

    ransomwareransomexx_win
  • Clears Windows event logs 1 TTPs 4 IoCs
    evasionransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Disables use of System Restore points 1 TTPs
    evasion
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Overwrites deleted data with Cipher tool 1 TTPs

    Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.

    ransomware
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e55fcf9315c52d2abd3431f7e4bb82cbd2b0d24d124e0e1a27b951030b2de162.exe
    "C:\Users\Admin\AppData\Local\Temp\e55fcf9315c52d2abd3431f7e4bb82cbd2b0d24d124e0e1a27b951030b2de162.exe"
    1⤵
    • RansomEXX Ransomware
    • Modifies extensions of user files
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Windows\System32\bcdedit.exe
      "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1360
    • C:\Windows\System32\bcdedit.exe
      "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1276
    • C:\Windows\SysWOW64\cipher.exe
      "C:\Windows\System32\cipher.exe" /w:D:
      2⤵
      • Enumerates connected drives
      PID:1484
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl System
      2⤵
      • RansomEXX Ransomware
      • Clears Windows event logs
      • Suspicious use of AdjustPrivilegeToken
      PID:1068
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl Setup
      2⤵
      • RansomEXX Ransomware
      • Clears Windows event logs
      • Suspicious use of AdjustPrivilegeToken
      PID:680
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl Application
      2⤵
      • RansomEXX Ransomware
      • Clears Windows event logs
      • Suspicious use of AdjustPrivilegeToken
      PID:968
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" sl Security /e:false
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:368
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl Security
      2⤵
      • RansomEXX Ransomware
      • Clears Windows event logs
      • Suspicious use of AdjustPrivilegeToken
      PID:1488
    • C:\Windows\SysWOW64\cipher.exe
      "C:\Windows\System32\cipher.exe" /w:C:
      2⤵
        PID:972
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
        2⤵
          PID:1328
        • C:\Windows\System32\wbadmin.exe
          "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
          2⤵
          • Deletes backup catalog
          PID:1544
        • C:\Windows\System32\fsutil.exe
          "C:\Windows\System32\fsutil.exe" usn deletejournal /D C:
          2⤵
          • Deletes NTFS Change Journal
          • RansomEXX Ransomware
          PID:628
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1708
      • C:\Windows\System32\vdsldr.exe
        C:\Windows\System32\vdsldr.exe -Embedding
        1⤵
          PID:1052
        • C:\Windows\System32\vds.exe
          C:\Windows\System32\vds.exe
          1⤵
            PID:1060

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/368-68-0x000007FEFBD01000-0x000007FEFBD03000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1180-54-0x0000000075481000-0x0000000075483000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1180-55-0x00000000088E0000-0x000000000939A000-memory.dmp

            Filesize

            10.7MB

            Download