Resubmissions

01-08-2022 08:17

220801-j625lsfeck 10

05-07-2022 14:57

220705-sby9xaccb4 10

05-07-2022 14:36

220705-ryptbacah4 10

26-07-2021 12:57

210726-wxmw2p8876 10

Analysis

  • max time kernel
    119s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-08-2022 08:17

General

  • Target

    d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe

  • Size

    235KB

  • MD5

    c41a0e1ddeb85b6326a3dc403a5fd0fa

  • SHA1

    3c8e60ce5ff0cb21be39d1176d1056f9ef9438fa

  • SHA256

    d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9

  • SHA512

    2e380295fe24b54e04699a43f4b124501f4b25ca356857b7a137718f1904dd60c3d7f40cea11063acbf15f5db85712d94a4572b8729d7cdc20ae9de9ace1882a

Score
10/10

Malware Config

Extracted

Path

C:\ClopReadMe.txt

Family

clop

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN – files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Attention!!! Your warranty - decrypted samples. Do not rename encrypted files. Do not try to decrypt your data using third party software. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Contact emails: [email protected] or [email protected] The final price depends on how fast you write to us. Clop

Signatures

  • Clop

    Ransomware discovered in early 2019 which has been actively developed since release.

  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops desktop.ini file(s) 24 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe
    "C:\Users\Admin\AppData\Local\Temp\d0cde86d47219e9c56b717f55dcdb01b0566344c13aa671613598cab427345b9.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:4288

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4288-130-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB