ransomexx_win | c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

Resubmissions

28-07-2024 16:38

240728-t5tryssgmm 10

07-07-2024 14:07

240707-rfgd8atekm 10

07-07-2024 14:07

240707-re689awdpe 10

13-09-2022 17:54

220913-wg1lpsgbg7 10

Analysis

max time kernel
1800s
max time network
1807s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2022 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RansomwareSamples/RansomEXX_14_12_2020_156KB.exe
Size

156KB
MD5

fcd21c6fca3b9378961aa1865bee7ecb
SHA1

0abaa05da2a05977e0baf68838cff1712f1789e0
SHA256

4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458
SHA512

e39c1f965f6faeaa33dfec6eba23fbfff14b287f4777797ea79480bb037d6d806516bda7046315e051961fce12e935ac546819c1e0bef5c33568d68955a9792a
SSDEEP

1536:7ZLTzASUIG0TOOYTufIaSWvRYkekdvizSBXxNe9VPw6s6aUCT7Q7qn:OBI9HYyfNBdviGBBQsrhPk4

Score

10^/10

ransomexx_win evasion ransomware

Malware Config

Extracted

Path

C:\odt\!TXDOT_READ_ME!.txt

Ransom Note

Greetings, Texas Department of Transportation! Read this message CAREFULLY and contact someone from IT department. Your files are securely ENCRYPTED. No third party decryption software EXISTS. MODIFICATION or RENAMING encrypted files may cause decryption failure. You can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all files from all affected systems ANY TIME. Encrypted file SHOULD NOT contain sensitive information (technical, backups, databases, large documents). The rest of data will be available after the PAYMENT. Infrastructure rebuild will cost you MUCH more. Contact us ONLY if you officially represent the whole affected network. The ONLY attachments we accept are non archived encrypted files for test decryption. Speak ENGLISH when contacting us. Mail us: [email protected] We kindly ask you not to use GMAIL, YAHOO or LIVE to contact us. The PRICE depends on how quickly you do it. �

Emails

[email protected]

Signatures

Deletes NTFS Change Journal 2 TTPs 1 IoCs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
ransomware

Inhibit System Recovery
T1490

Data Destruction
T1485

Processes:

fsutil.exe

pid process

3028 fsutil.exe
RansomEXX Ransomware
Targeted ransomware with variants which affect Windows and Linux systems.
ransomware ransomexx_win
Clears Windows event logs 1 TTPs 4 IoCs
evasion ransomware

Indicator Removal on Host
T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid process

1816 wevtutil.exe
4140 wevtutil.exe
2276 wevtutil.exe
4448 wevtutil.exe
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1848 bcdedit.exe
4572 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1960 wbadmin.exe
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

pid	process
3028	fsutil.exe

pid	process
1816	wevtutil.exe
4140	wevtutil.exe
2276	wevtutil.exe
4448	wevtutil.exe

pid	process
1848	bcdedit.exe
4572	bcdedit.exe

pid	process
1960	wbadmin.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

RansomEXX_14_12_2020_156KB.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\TraceGrant.raw => C:\Users\Admin\Pictures\TraceGrant.raw.txd0t	RansomEXX_14_12_2020_156KB.exe

Overwrites deleted data with Cipher tool 1 TTPs
Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.
ransomware

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RansomEXX_14_12_2020_156KB.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RansomEXX_14_12_2020_156KB.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

cipher.exe

description ioc process

File opened (read-only) \??\D: cipher.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened (read-only)	\??\D:	cipher.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

RansomEXX_14_12_2020_156KB.exe

pid	process
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe
3172	RansomEXX_14_12_2020_156KB.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewbengine.exe

description	pid	process
Token: SeSecurityPrivilege	4252	wevtutil.exe
Token: SeBackupPrivilege	4252	wevtutil.exe
Token: SeSecurityPrivilege	2276	wevtutil.exe
Token: SeBackupPrivilege	2276	wevtutil.exe
Token: SeSecurityPrivilege	4140	wevtutil.exe
Token: SeBackupPrivilege	4140	wevtutil.exe
Token: SeSecurityPrivilege	4448	wevtutil.exe
Token: SeBackupPrivilege	4448	wevtutil.exe
Token: SeSecurityPrivilege	1816	wevtutil.exe
Token: SeBackupPrivilege	1816	wevtutil.exe
Token: SeBackupPrivilege	4476	wbengine.exe
Token: SeRestorePrivilege	4476	wbengine.exe
Token: SeSecurityPrivilege	4476	wbengine.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

RansomEXX_14_12_2020_156KB.exe

description	pid	process	target process
PID 3172 wrote to memory of 2276	3172	RansomEXX_14_12_2020_156KB.exe	wevtutil.exe
PID 3172 wrote to memory of 2276	3172	RansomEXX_14_12_2020_156KB.exe	wevtutil.exe
PID 3172 wrote to memory of 2676	3172	RansomEXX_14_12_2020_156KB.exe	cipher.exe
PID 3172 wrote to memory of 2676	3172	RansomEXX_14_12_2020_156KB.exe	cipher.exe
PID 3172 wrote to memory of 2676	3172	RansomEXX_14_12_2020_156KB.exe	cipher.exe
PID 3172 wrote to memory of 4140	3172	RansomEXX_14_12_2020_156KB.exe	wevtutil.exe
PID 3172 wrote to memory of 4140	3172	RansomEXX_14_12_2020_156KB.exe	wevtutil.exe
PID 3172 wrote to memory of 3028	3172	RansomEXX_14_12_2020_156KB.exe	fsutil.exe
PID 3172 wrote to memory of 3028	3172	RansomEXX_14_12_2020_156KB.exe	fsutil.exe
PID 3172 wrote to memory of 1960	3172	RansomEXX_14_12_2020_156KB.exe	wbadmin.exe
PID 3172 wrote to memory of 1960	3172	RansomEXX_14_12_2020_156KB.exe	wbadmin.exe
PID 3172 wrote to memory of 1848	3172	RansomEXX_14_12_2020_156KB.exe	bcdedit.exe
PID 3172 wrote to memory of 1848	3172	RansomEXX_14_12_2020_156KB.exe	bcdedit.exe
PID 3172 wrote to memory of 1816	3172	RansomEXX_14_12_2020_156KB.exe	wevtutil.exe
PID 3172 wrote to memory of 1816	3172	RansomEXX_14_12_2020_156KB.exe	wevtutil.exe
PID 3172 wrote to memory of 4252	3172	RansomEXX_14_12_2020_156KB.exe	wevtutil.exe
PID 3172 wrote to memory of 4252	3172	RansomEXX_14_12_2020_156KB.exe	wevtutil.exe
PID 3172 wrote to memory of 3444	3172	RansomEXX_14_12_2020_156KB.exe	schtasks.exe
PID 3172 wrote to memory of 3444	3172	RansomEXX_14_12_2020_156KB.exe	schtasks.exe
PID 3172 wrote to memory of 700	3172	RansomEXX_14_12_2020_156KB.exe	cipher.exe
PID 3172 wrote to memory of 700	3172	RansomEXX_14_12_2020_156KB.exe	cipher.exe
PID 3172 wrote to memory of 700	3172	RansomEXX_14_12_2020_156KB.exe	cipher.exe
PID 3172 wrote to memory of 4448	3172	RansomEXX_14_12_2020_156KB.exe	wevtutil.exe
PID 3172 wrote to memory of 4448	3172	RansomEXX_14_12_2020_156KB.exe	wevtutil.exe
PID 3172 wrote to memory of 4572	3172	RansomEXX_14_12_2020_156KB.exe	bcdedit.exe
PID 3172 wrote to memory of 4572	3172	RansomEXX_14_12_2020_156KB.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\RansomEXX_14_12_2020_156KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\RansomEXX_14_12_2020_156KB.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\SysWOW64\cipher.exe
  "C:\Windows\System32\cipher.exe" /w:D:
  2⤵
  - Enumerates connected drives
  PID:700
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl Application
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  2⤵
  PID:3444
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" sl Security /e:false
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4252
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl Security
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\bcdedit.exe
  "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1848
- C:\Windows\System32\wbadmin.exe
  "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
  2⤵
  - Deletes backup catalog
  PID:1960
- C:\Windows\System32\fsutil.exe
  "C:\Windows\System32\fsutil.exe" usn deletejournal /D C:
  2⤵
  - Deletes NTFS Change Journal
  PID:3028
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl System
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:4140
- C:\Windows\System32\bcdedit.exe
  "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4572
- C:\Windows\SysWOW64\cipher.exe
  "C:\Windows\System32\cipher.exe" /w:C:
  2⤵
  PID:2676
- C:\Windows\System32\wevtutil.exe
  "C:\Windows\System32\wevtutil.exe" cl Setup
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:2276

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3252

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Indicator Removal on Host

T1070

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/700-132-0x0000000000000000-mapping.dmp

Download
memory/1816-141-0x0000000000000000-mapping.dmp

Download
memory/1848-133-0x0000000000000000-mapping.dmp

Download
memory/1960-139-0x0000000000000000-mapping.dmp

Download
memory/2276-142-0x0000000000000000-mapping.dmp

Download
memory/2676-138-0x0000000000000000-mapping.dmp

Download
memory/3028-137-0x0000000000000000-mapping.dmp

Download
memory/3444-140-0x0000000000000000-mapping.dmp

Download
memory/4140-143-0x0000000000000000-mapping.dmp

Download
memory/4252-134-0x0000000000000000-mapping.dmp

Download
memory/4448-136-0x0000000000000000-mapping.dmp

Download
memory/4572-135-0x0000000000000000-mapping.dmp

Download