Analysis
-
max time kernel
154s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
submitted
11-08-2022 18:09
General
-
Target
d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c.exe
Score
10/10
Malware Config
Extracted
Path
C:\odt\README.txt
Ransom Note
Hi, since you are reading this it means you have been hacked.
In addition to encrypting all your systems, deleting backups, we also downloaded 2 terabytes of confidential information.
Here's what you shouldn't do:
1) Contact the police, fbi or other authorities before the end of our deal
2) Contact the recovery company so that they would conduct dialogues with us. (This can slow down the recovery, and generally put our communication to naught)
3) Do not try to decrypt the files yourself, as well as do not change the file extension yourself !!! This can lead to the impossibility of their decryption.
4) Keep us for fools)
We will also stop any communication with you, and continue DDoS, calls to employees and business partners.
In a few weeks, we will simply repeat our attack and delete all your data from your networks, WHICH WILL LEAD TO THEIR UNAVAILABILITY!
Here's what you should do right after reading it:
1) If you are an ordinary employee, send our message to the CEO of the company, as well as to the IT department
2) If you are a CEO, or a specialist in the IT department, or another person who has weight in the company, you should contact us within 24 hours by email.
We are ready to confirm all our intentions regarding DDOS, calls, and deletion of the date at your first request.
As a guarantee that we can decrypt the files, we suggest that you send several files for free decryption.
Mails to contact us:
1)[email protected]
2)[email protected]/10RcjlacqrOwohIlC4B05A3X8jh
isUPAwdwOMgJYaJWzYM5ThOkJEeMkp8oVYjgxELfu7HuVwMqHjtwu1HuUwgCO+C3
E3g9xU/a5Y+4oIt0wSFah4imLmTN4J/xPBAAw21uni8=
Emails
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c.exeC:\Users\Admin\AppData\Local\Temp\d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c.exe --pass D86BDXL9N3H1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell -command "Get-VM | Stop-VM -Force"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command "Get-VM | Stop-VM -Force"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop MSSQLServerADHelper1002⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop MSSQL$ISARS2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop MSSQL$MSFW2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop SQLAgent$ISARS2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop SQLAgent$MSFW2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop SQLBrowser2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop ReportServer$ISARS2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop SQLWriter2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop WinDefend2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop mr2kserv2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop MSExchangeADTopology2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop MSExchangeFBA2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop MSExchangeIS2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop MSExchangeSA2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop ShadowProtectSvc2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop SPAdminV42⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop SPTimerV42⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop SPTraceV42⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop SPUserCodeV42⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop SPWriterV42⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop SPSearch42⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop MSSQLServerADHelper1002⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop IISADMIN2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop firebirdguardiandefaultinstance2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop ibmiasrw2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QBCFMonitorService2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QBVSS2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QBPOSDBServiceV122⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop "IBM Domino Server (CProgramFilesIBMDominodata)"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop IISADMIN2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop "Simply Accounting Database Connection Manager"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB12⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB22⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB32⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB42⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB52⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB62⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB72⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB82⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB92⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB102⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB112⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB122⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB132⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB142⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB152⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB162⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB172⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB182⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB192⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB202⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB212⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB222⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB232⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB242⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" net stop QuickBooksDB252⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im mysql*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im dsa*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im veeam*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im chrome*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im iexplore*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im firefox*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im outlook*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im excel*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im outlook*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im taskmgr*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im tasklist*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im Ntrtscan*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im ds_monitor*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im Notifier*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im putty*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im ssh*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im iVPAgent*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im TmListen*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im CNTAoSMgr*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im IBM*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im black*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im bes10*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im copy*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im robo*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im sql2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im store.exe2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im sql*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im vee*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im wrsa.exe2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im postg*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im sage*2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill /f /im wrsa*2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD58f96320ab4e0bc1369dc19e92e8a80f9
SHA1f6b6ce97cc2d25420cedb7fd56e1997f0708784a
SHA2568e7fbdb100e3011090351fa85b0c0a45b729e3e69cc27de6983868a9a5e80677
SHA5121c49036de8852e3618939e722294a8353b6ab827d978740fb05954d2ca377e45ab81bcee1130373475d0ce0402c95cf53e9aaac41650b858fec73201c1abc795
-
Filesize
18KB
MD53902e23c5e6e1dc28aa5090a1a48aac7
SHA14a20ad2bb624336bb144dbf2351a924122a5fdcf
SHA256f4fc7755d3123d09d8bddb28570c163ffe1a6303a602c181ae4102583d051b43
SHA512e0b62395cd6c7cbd59a0a0f444eb0241e4b4a2a9510170102191acbb3d8e593da76b045b8b1fc59675bd8cc4336330982082114a661e947b7a096ce817da03b3
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
216KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
6.2MB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
120KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
32KB
-
Filesize
408KB