Overview
overview
10Static
static
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.ps1
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.msi
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
10Ransomware...KB.ps1
windows10-2004-x64
10Ransomware...KB.exe
windows10-2004-x64
8Ransomware...KB.exe
windows10-2004-x64
10Resubmissions
28-07-2024 16:38
240728-t5tryssgmm 1007-07-2024 14:07
240707-rfgd8atekm 1007-07-2024 14:07
240707-re689awdpe 1013-09-2022 17:54
220913-wg1lpsgbg7 10Analysis
-
max time kernel
1800s -
max time network
1807s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
13-09-2022 17:54
Static task
static1
Behavioral task
behavioral1
Sample
RansomwareSamples/Babuk_20_04_2021_79KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral2
Sample
RansomwareSamples/BlackKingdom_23_03_2021_12460KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral3
Sample
RansomwareSamples/BlackMatter_02_08_2021_67KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral4
Sample
RansomwareSamples/Conti_22_12_2020_186KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral5
Sample
RansomwareSamples/Cuba_08_03_2021_1130KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral6
Sample
RansomwareSamples/DarkSide_01_05_2021_30KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral7
Sample
RansomwareSamples/DarkSide_16_01_2021_59KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral8
Sample
RansomwareSamples/DarkSide_18_11_2020_17KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral9
Sample
RansomwareSamples/DearCry_13_03_2021_1292KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral10
Sample
RansomwareSamples/Hades_29_03_2021_1909KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral11
Sample
RansomwareSamples/Hive_17_07_2021_808KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral12
Sample
RansomwareSamples/LockBit_14_02_2021_146KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral13
Sample
RansomwareSamples/MAKOP_27_10_2020_115KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral14
Sample
RansomwareSamples/MedusaLocker_24_04_2020_661KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral15
Sample
RansomwareSamples/MountLocker_20_11_2020_200KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral16
Sample
RansomwareSamples/Nefilim_31_08_2020_3061KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral17
Sample
RansomwareSamples/Nemty_03_02_2021_124KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral18
Sample
RansomwareSamples/NetWalker_19_10_2020_903KB.ps1
Resource
win10v2004-20220812-en
Behavioral task
behavioral19
Sample
RansomwareSamples/Phoenix_29_03_2021_1930KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral20
Sample
RansomwareSamples/PwndLocker_04_03_2020_17KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral21
Sample
RansomwareSamples/Pysa_08_04_2021_500KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral22
Sample
RansomwareSamples/REvil_07_04_2021_121KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral23
Sample
RansomwareSamples/REvil_08_04_2021_121KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral24
Sample
RansomwareSamples/Ragnar_11_02_2020_40KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral25
Sample
RansomwareSamples/RansomEXX_14_12_2020_156KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral26
Sample
RansomwareSamples/Ranzy_20_11_2020_138KB.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral27
Sample
RansomwareSamples/Ryuk_21_03_2021_274KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral28
Sample
RansomwareSamples/Sekhmet_30_03_2020_364KB.msi
Resource
win10v2004-20220812-en
Behavioral task
behavioral29
Sample
RansomwareSamples/Sodinokibi_04_07_2019_253KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral30
Sample
RansomwareSamples/SunCrypt_26_01_2021_1422KB.ps1
Resource
win10v2004-20220901-en
Behavioral task
behavioral31
Sample
RansomwareSamples/Thanos_23_03_2021_91KB.exe
Resource
win10v2004-20220812-en
Behavioral task
behavioral32
Sample
RansomwareSamples/Zeppelin_08_03_2021_813KB.exe
Resource
win10v2004-20220812-en
General
-
Target
RansomwareSamples/RansomEXX_14_12_2020_156KB.exe
-
Size
156KB
-
MD5
fcd21c6fca3b9378961aa1865bee7ecb
-
SHA1
0abaa05da2a05977e0baf68838cff1712f1789e0
-
SHA256
4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458
-
SHA512
e39c1f965f6faeaa33dfec6eba23fbfff14b287f4777797ea79480bb037d6d806516bda7046315e051961fce12e935ac546819c1e0bef5c33568d68955a9792a
-
SSDEEP
1536:7ZLTzASUIG0TOOYTufIaSWvRYkekdvizSBXxNe9VPw6s6aUCT7Q7qn:OBI9HYyfNBdviGBBQsrhPk4
Malware Config
Extracted
C:\odt\!TXDOT_READ_ME!.txt
Signatures
-
Deletes NTFS Change Journal 2 TTPs 1 IoCs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
pid Process 3028 fsutil.exe -
RansomEXX Ransomware
Targeted ransomware with variants which affect Windows and Linux systems.
-
Clears Windows event logs 1 TTPs 4 IoCs
pid Process 1816 wevtutil.exe 4140 wevtutil.exe 2276 wevtutil.exe 4448 wevtutil.exe -
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 1848 bcdedit.exe 4572 bcdedit.exe -
pid Process 1960 wbadmin.exe -
Disables use of System Restore points 1 TTPs
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\TraceGrant.raw => C:\Users\Admin\Pictures\TraceGrant.raw.txd0t RansomEXX_14_12_2020_156KB.exe -
Overwrites deleted data with Cipher tool 1 TTPs
Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation RansomEXX_14_12_2020_156KB.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\D: cipher.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Suspicious behavior: EnumeratesProcesses 26 IoCs
pid Process 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe 3172 RansomEXX_14_12_2020_156KB.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
description pid Process Token: SeSecurityPrivilege 4252 wevtutil.exe Token: SeBackupPrivilege 4252 wevtutil.exe Token: SeSecurityPrivilege 2276 wevtutil.exe Token: SeBackupPrivilege 2276 wevtutil.exe Token: SeSecurityPrivilege 4140 wevtutil.exe Token: SeBackupPrivilege 4140 wevtutil.exe Token: SeSecurityPrivilege 4448 wevtutil.exe Token: SeBackupPrivilege 4448 wevtutil.exe Token: SeSecurityPrivilege 1816 wevtutil.exe Token: SeBackupPrivilege 1816 wevtutil.exe Token: SeBackupPrivilege 4476 wbengine.exe Token: SeRestorePrivilege 4476 wbengine.exe Token: SeSecurityPrivilege 4476 wbengine.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 3172 wrote to memory of 2276 3172 RansomEXX_14_12_2020_156KB.exe 96 PID 3172 wrote to memory of 2276 3172 RansomEXX_14_12_2020_156KB.exe 96 PID 3172 wrote to memory of 2676 3172 RansomEXX_14_12_2020_156KB.exe 95 PID 3172 wrote to memory of 2676 3172 RansomEXX_14_12_2020_156KB.exe 95 PID 3172 wrote to memory of 2676 3172 RansomEXX_14_12_2020_156KB.exe 95 PID 3172 wrote to memory of 4140 3172 RansomEXX_14_12_2020_156KB.exe 93 PID 3172 wrote to memory of 4140 3172 RansomEXX_14_12_2020_156KB.exe 93 PID 3172 wrote to memory of 3028 3172 RansomEXX_14_12_2020_156KB.exe 92 PID 3172 wrote to memory of 3028 3172 RansomEXX_14_12_2020_156KB.exe 92 PID 3172 wrote to memory of 1960 3172 RansomEXX_14_12_2020_156KB.exe 91 PID 3172 wrote to memory of 1960 3172 RansomEXX_14_12_2020_156KB.exe 91 PID 3172 wrote to memory of 1848 3172 RansomEXX_14_12_2020_156KB.exe 90 PID 3172 wrote to memory of 1848 3172 RansomEXX_14_12_2020_156KB.exe 90 PID 3172 wrote to memory of 1816 3172 RansomEXX_14_12_2020_156KB.exe 89 PID 3172 wrote to memory of 1816 3172 RansomEXX_14_12_2020_156KB.exe 89 PID 3172 wrote to memory of 4252 3172 RansomEXX_14_12_2020_156KB.exe 88 PID 3172 wrote to memory of 4252 3172 RansomEXX_14_12_2020_156KB.exe 88 PID 3172 wrote to memory of 3444 3172 RansomEXX_14_12_2020_156KB.exe 87 PID 3172 wrote to memory of 3444 3172 RansomEXX_14_12_2020_156KB.exe 87 PID 3172 wrote to memory of 700 3172 RansomEXX_14_12_2020_156KB.exe 85 PID 3172 wrote to memory of 700 3172 RansomEXX_14_12_2020_156KB.exe 85 PID 3172 wrote to memory of 700 3172 RansomEXX_14_12_2020_156KB.exe 85 PID 3172 wrote to memory of 4448 3172 RansomEXX_14_12_2020_156KB.exe 86 PID 3172 wrote to memory of 4448 3172 RansomEXX_14_12_2020_156KB.exe 86 PID 3172 wrote to memory of 4572 3172 RansomEXX_14_12_2020_156KB.exe 94 PID 3172 wrote to memory of 4572 3172 RansomEXX_14_12_2020_156KB.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\RansomEXX_14_12_2020_156KB.exe"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\RansomEXX_14_12_2020_156KB.exe"1⤵
- Modifies extensions of user files
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\cipher.exe"C:\Windows\System32\cipher.exe" /w:D:2⤵
- Enumerates connected drives
PID:700
-
-
C:\Windows\System32\wevtutil.exe"C:\Windows\System32\wevtutil.exe" cl Application2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4448
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵PID:3444
-
-
C:\Windows\System32\wevtutil.exe"C:\Windows\System32\wevtutil.exe" sl Security /e:false2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4252
-
-
C:\Windows\System32\wevtutil.exe"C:\Windows\System32\wevtutil.exe" cl Security2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1816
-
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:1848
-
-
C:\Windows\System32\wbadmin.exe"C:\Windows\System32\wbadmin.exe" delete catalog -quiet2⤵
- Deletes backup catalog
PID:1960
-
-
C:\Windows\System32\fsutil.exe"C:\Windows\System32\fsutil.exe" usn deletejournal /D C:2⤵
- Deletes NTFS Change Journal
PID:3028
-
-
C:\Windows\System32\wevtutil.exe"C:\Windows\System32\wevtutil.exe" cl System2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4140
-
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:4572
-
-
C:\Windows\SysWOW64\cipher.exe"C:\Windows\System32\cipher.exe" /w:C:2⤵PID:2676
-
-
C:\Windows\System32\wevtutil.exe"C:\Windows\System32\wevtutil.exe" cl Setup2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2276
-
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4476
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:3252
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:3944