Analysis

  • max time kernel
    1800s
  • max time network
    1807s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-09-2022 17:54

General

  • Target

    RansomwareSamples/RansomEXX_14_12_2020_156KB.exe

  • Size

    156KB

  • MD5

    fcd21c6fca3b9378961aa1865bee7ecb

  • SHA1

    0abaa05da2a05977e0baf68838cff1712f1789e0

  • SHA256

    4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458

  • SHA512

    e39c1f965f6faeaa33dfec6eba23fbfff14b287f4777797ea79480bb037d6d806516bda7046315e051961fce12e935ac546819c1e0bef5c33568d68955a9792a

  • SSDEEP

    1536:7ZLTzASUIG0TOOYTufIaSWvRYkekdvizSBXxNe9VPw6s6aUCT7Q7qn:OBI9HYyfNBdviGBBQsrhPk4

Malware Config

Extracted

Path

C:\odt\!TXDOT_READ_ME!.txt

Ransom Note
Greetings, Texas Department of Transportation! Read this message CAREFULLY and contact someone from IT department. Your files are securely ENCRYPTED. No third party decryption software EXISTS. MODIFICATION or RENAMING encrypted files may cause decryption failure. You can send us an encrypted file (not greater than 400KB) and we will decrypt it FOR FREE, so you have no doubts in possibility to restore all files from all affected systems ANY TIME. Encrypted file SHOULD NOT contain sensitive information (technical, backups, databases, large documents). The rest of data will be available after the PAYMENT. Infrastructure rebuild will cost you MUCH more. Contact us ONLY if you officially represent the whole affected network. The ONLY attachments we accept are non archived encrypted files for test decryption. Speak ENGLISH when contacting us. Mail us: txdot911@protonmail.com We kindly ask you not to use GMAIL, YAHOO or LIVE to contact us. The PRICE depends on how quickly you do it.
Emails

txdot911@protonmail.com

Signatures

  • Deletes NTFS Change Journal 2 TTPs 1 IoCs

    The USN change journal is a per-volume NTFS log of file changes and exists on every Windows version, not only Windows Server. Deleting it (here with fsutil usn deletejournal /D C:) destroys a timeline artifact that forensic analysis and some backup and indexing tools rely on.

  • RansomEXX Ransomware

    Targeted ransomware with variants which affect Windows and Linux systems.

  • Clears Windows event logs 1 TTPs 4 IoCs
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables use of System Restore points 1 TTPs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Overwrites deleted data with Cipher tool 1 TTPs

    Cipher is a built-in Windows tool; cipher /w:<drive> overwrites the deallocated (free) space of a volume so that previously deleted data cannot be recovered. In this run it was launched against both D: and C:.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI registry information is often read to fingerprint the disk and detect sandboxing environments. In this run, however, all four IoCs come from vds.exe (the Virtual Disk Service), a Windows service that appears here together with wbengine.exe after the wbadmin call, so they reflect normal storage enumeration by the OS rather than evasion logic in the sample.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\RansomEXX_14_12_2020_156KB.exe
    "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\RansomEXX_14_12_2020_156KB.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3172
    • C:\Windows\SysWOW64\cipher.exe
      "C:\Windows\System32\cipher.exe" /w:D:
      2⤵
      • Enumerates connected drives
      PID:700
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl Application
      2⤵
      • Clears Windows event logs
      • Suspicious use of AdjustPrivilegeToken
      PID:4448
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
      2⤵
      PID:3444
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" sl Security /e:false
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4252
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl Security
      2⤵
      • Clears Windows event logs
      • Suspicious use of AdjustPrivilegeToken
      PID:1816
    • C:\Windows\System32\bcdedit.exe
      "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1848
    • C:\Windows\System32\wbadmin.exe
      "C:\Windows\System32\wbadmin.exe" delete catalog -quiet
      2⤵
      • Deletes backup catalog
      PID:1960
    • C:\Windows\System32\fsutil.exe
      "C:\Windows\System32\fsutil.exe" usn deletejournal /D C:
      2⤵
      • Deletes NTFS Change Journal
      PID:3028
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl System
      2⤵
      • Clears Windows event logs
      • Suspicious use of AdjustPrivilegeToken
      PID:4140
    • C:\Windows\System32\bcdedit.exe
      "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:4572
    • C:\Windows\SysWOW64\cipher.exe
      "C:\Windows\System32\cipher.exe" /w:C:
      2⤵
      PID:2676
    • C:\Windows\System32\wevtutil.exe
      "C:\Windows\System32\wevtutil.exe" cl Setup
      2⤵
      • Clears Windows event logs
      • Suspicious use of AdjustPrivilegeToken
      PID:2276
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4476
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:3252
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:3944
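The twelve children of PID 3172 are what a defender should take from this report: each command on its own is ordinary Windows administration, but the whole set under one parent within a single run is a high-fidelity signal. The Python below is an added example written for this page, not the sandbox vendor's detection logic. It applies command-line rules to constructed process-creation records (Sysmon Event ID 1 / 4688 style, built from the command lines in the tree plus a few benign admin commands) and alerts only when several distinct rules fire under one parent PID. It matches on the command line rather than the image path because the 32-bit sample requested System32\cipher.exe and WoW64 redirection resolved it to SysWOW64\cipher.exe, as the tree shows. The technique labels use current ATT&CK sub-technique IDs rather than the v6 IDs in the matrix below, the vssadmin rule covers a command not seen in this run, and the record field names, the benign parent, its PIDs and the alert threshold are assumptions.

```python
"""Detect the recovery-inhibition / log-clearing chain from the RansomEXX tree.
Added example for this report, not the sandbox vendor's logic.  Records are
CONSTRUCTED in a Sysmon Event ID 1 / 4688 style from the command lines in the
process tree plus a few benign admin commands; they are not real telemetry."""
import re
from collections import defaultdict

# (rule name, ATT&CK technique, regex over the lower-cased command line).
# Matching is on the command line, not the image path: the 32-bit sample asked
# for System32\cipher.exe and WoW64 redirected it to SysWOW64\cipher.exe.
RULES = [
    ("wevtutil clear-log", "T1070.001 Clear Windows Event Logs",
     re.compile(r'wevtutil(?:\.exe)?"?\s+(?:cl|clear-log)\s+\S+')),
    ("wevtutil disable log", "T1562.002 Disable Windows Event Logging",
     re.compile(r'wevtutil(?:\.exe)?"?\s+(?:sl|set-log)\s+\S+.*\s/e:false\b')),
    ("bcdedit disable recovery", "T1490 Inhibit System Recovery",
     re.compile(r'bcdedit(?:\.exe)?"?\s+/set\b.*\brecoveryenabled\s+(?:no|off)\b')),
    ("bcdedit ignore boot failures", "T1490 Inhibit System Recovery",
     re.compile(r'bcdedit(?:\.exe)?"?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b')),
    ("wbadmin delete catalog", "T1490 Inhibit System Recovery",
     re.compile(r'wbadmin(?:\.exe)?"?\s+delete\s+catalog\b')),
    ("schtasks disable SystemRestore", "T1490 Inhibit System Recovery",
     re.compile(r'schtasks(?:\.exe)?"?\s+/change\b.*systemrestore\\sr.*\s/disable\b')),
    # Not seen in this run; the commonest T1490 command in other families.
    ("vssadmin delete shadows", "T1490 Inhibit System Recovery",
     re.compile(r'vssadmin(?:\.exe)?"?\s+delete\s+shadows\b')),
    ("fsutil delete USN journal", "T1070 Indicator Removal",
     re.compile(r'fsutil(?:\.exe)?"?\s+usn\s+deletejournal\b')),
    ("cipher wipe free space", "T1485 Data Destruction",
     re.compile(r'cipher(?:\.exe)?"?\s+/w:')),
]


def match_rules(command_line):
    """(rule, technique) pairs whose pattern matches this command line."""
    cl = command_line.lower()
    return [(name, tech) for name, tech, rx in RULES if rx.search(cl)]


def scan(events, min_distinct_rules=3):
    """Group hits by parent PID.  One wevtutil or bcdedit call is routine on an
    admin box; several distinct rules under one parent in one capture is the
    chain seen above.  Returns (all findings, findings over the threshold)."""
    by_parent = defaultdict(lambda: {"parent": None, "rules": set(), "hits": []})
    for ev in events:
        hits = match_rules(ev["CommandLine"])
        if not hits:
            continue
        entry = by_parent[ev["ParentProcessId"]]
        entry["parent"] = ev["ParentImage"]
        for name, tech in hits:
            entry["rules"].add(name)
            entry["hits"].append((ev["ProcessId"], name, tech))
    alerts = {p: e for p, e in by_parent.items() if len(e["rules"]) >= min_distinct_rules}
    return dict(by_parent), alerts


RANSOM = r"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\RansomEXX_14_12_2020_156KB.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"  # assumed benign parent


def _ev(ppid, pimg, pid, cmd):
    return {"ParentProcessId": ppid, "ParentImage": pimg, "ProcessId": pid, "CommandLine": cmd}


SAMPLE_EVENTS = [  # constructed from the process tree (children of PID 3172)
    _ev(3172, RANSOM, 700, r'"C:\Windows\System32\cipher.exe" /w:D:'),
    _ev(3172, RANSOM, 4448, r'"C:\Windows\System32\wevtutil.exe" cl Application'),
    _ev(3172, RANSOM, 3444, r'"C:\Windows\System32\schtasks.exe" /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable'),
    _ev(3172, RANSOM, 4252, r'"C:\Windows\System32\wevtutil.exe" sl Security /e:false'),
    _ev(3172, RANSOM, 1816, r'"C:\Windows\System32\wevtutil.exe" cl Security'),
    _ev(3172, RANSOM, 1848, r'"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no'),
    _ev(3172, RANSOM, 1960, r'"C:\Windows\System32\wbadmin.exe" delete catalog -quiet'),
    _ev(3172, RANSOM, 3028, r'"C:\Windows\System32\fsutil.exe" usn deletejournal /D C:'),
    _ev(3172, RANSOM, 4140, r'"C:\Windows\System32\wevtutil.exe" cl System'),
    _ev(3172, RANSOM, 4572, r'"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures'),
    _ev(3172, RANSOM, 2676, r'"C:\Windows\System32\cipher.exe" /w:C:'),
    _ev(3172, RANSOM, 2276, r'"C:\Windows\System32\wevtutil.exe" cl Setup'),
    # constructed benign admin activity that must not alert (PIDs assumed)
    _ev(5120, PS, 5200, r'"C:\Windows\System32\bcdedit.exe" /enum'),
    _ev(5120, PS, 5201, r'"C:\Windows\System32\wevtutil.exe" qe Security /c:5 /f:text'),
    _ev(5120, PS, 5202, r'"C:\Windows\System32\fsutil.exe" usn queryjournal C:'),
    _ev(5120, PS, 5203, r'"C:\Windows\System32\cipher.exe" /e D:\Finance'),
]

if __name__ == "__main__":
    _, alerts = scan(SAMPLE_EVENTS)
    for ppid, e in alerts.items():
        print(f"ALERT parent PID {ppid} ({e['parent']}): {len(e['rules'])} distinct rules")
        for pid, name, tech in e["hits"]:
            print(f"  PID {pid}: {name} -> {tech}")
```

Run against the constructed records, parent 3172 trips eight distinct rules across twelve child processes and is alerted, while the PowerShell parent running bcdedit /enum, wevtutil qe, fsutil usn queryjournal and cipher /e produces no hit at all. Tune min_distinct_rules to the environment; on servers where backup jobs legitimately call wbadmin, a threshold of 3 still separates one routine command from the chain above.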

Network

MITRE ATT&CK Matrix ATT&CK v6

Tactic, then technique (ATT&CK v6 ID) and the number of hits mapped to it:

  • Execution
    • Command-Line Interface (T1059): 1
  • Defense Evasion
    • Indicator Removal on Host (T1070): 1
    • File Deletion (T1107): 1
  • Discovery
    • Query Registry (T1012): 3
    • System Information Discovery (T1082): 4
    • Peripheral Device Discovery (T1120): 2
  • Impact
    • Inhibit System Recovery (T1490): 5
    • Data Destruction (T1485): 1


Downloads

  • memory/700-132-0x0000000000000000-mapping.dmp
  • memory/1816-141-0x0000000000000000-mapping.dmp
  • memory/1848-133-0x0000000000000000-mapping.dmp
  • memory/1960-139-0x0000000000000000-mapping.dmp
  • memory/2276-142-0x0000000000000000-mapping.dmp
  • memory/2676-138-0x0000000000000000-mapping.dmp
  • memory/3028-137-0x0000000000000000-mapping.dmp
  • memory/3444-140-0x0000000000000000-mapping.dmp
  • memory/4140-143-0x0000000000000000-mapping.dmp
  • memory/4252-134-0x0000000000000000-mapping.dmp
  • memory/4448-136-0x0000000000000000-mapping.dmp
  • memory/4572-135-0x0000000000000000-mapping.dmp