Analysis

  • max time kernel
    131s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-09-2022 03:56

General

  • Target

    Trojan-Ransom.Win32.Scatter.exe

  • Size

    99KB

  • MD5

    ff0e42146794f0d080df0467337b2d01

  • SHA1

    26ef91a61e0d1bdefd22162c30af92e0fadf00c3

  • SHA256

    3fb5af5018d03ff87735c678bef687cd5099e64c8c0636b62919c3b7d2072de9

  • SHA512

    9dc93ad2699ab6fc94e1ae85d220a436bad8dd4710a9ee3b8febdd49886bd33994e4b634c8f30725e864d3e8a37ed930686e2406366cd8aae18eee346035696e

  • SSDEEP

    1536:yUU9pH+lElvTHDMZHupmW4F6F1WzPnJoP8FHLIgSTa+5zmD6KjkQok:yT7H+EkZO944CzPmP8SG+tmmKjkQok

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\!!_RECOVERY_instructions_!!.html

Ransom Note
<html> <head> <title>FILE RECOVERY</title> <style> body{ padding:0; margin:0; background: #004d80; font-family: Verdana, Geneva, sans-serif; font-size: 11px; } #nuclear55_content_middle{ margin-top: 30px; margin-bottom: 30px; margin-left: auto; margin-right: auto; width: 800px; background: #fff; border: 2px dotted black; padding: 13px; } a{ color: #660000; font-weight: bold; } h3{ color: #660000; text-align: center; } #btc-addr-display{ border: 1px dotted #000; padding: 5px; } </style> </head> <body> <div id="nuclear55_content_middle"> <h3>Your files and documents on this computer have been encrypted</h3> <p><strong>What happened to my files?</strong></p> <p>Your important files on your computer; photos, documents, and videos have been encrypted. Your files were encrypted using AES and RSA encryption. <p><strong>What does this mean?</strong></p> <p>File encryption was produced using a unique 256-bit key generated specifically for this machine. Encryption is a way of securing data and requires a special key to decipher.</p> <p>Unforunate for you, this special key was encrypted using an additional layer of encryption; RSA. Your files were encrypted using the <strong>public</strong> RSA key. To truly reverse the unfortunate state of your files, you need the <strong>private</strong> RSA key which is only known by us. <p><strong>What should I do next?</strong></p> <p>For your information your private key is a paid product. If you really value your data we suggest you start acting fast because you only short amount of time to recover your files before they are gone forever.</p> <p>There are no solutions to this problem, and no anti-virus software can reverse the process of file encryption because we have also erased recent versions of your files which means you <strong>cannot</strong> use file recovery software.</p> <p>Modifying your files in any way can damage your files permenantly and we will no longer be able to help you. 
Follow our terms assigned to you below, and we will have your files recovered. <p style="color: red; font-weight: bold; font-size: 11px;">You now have 72 hours to make payment before we destroy your encryption keys, leaving your files damaged for good</p> <p><strong>Recovering your files</strong></p> <h4 style="background-color: #004d99; font-weight: normal; padding: 4px; color: #fff;">1. Getting started with Bitcoin</h4> In order to use Bitcoin you will need to setup your own Bitcoin wallet. We recommend <a href="https://blockchain.info" target="_blank">blockchain.info</a>. However, if you already own a Bitcoin wallet you can skip this step. <h4 style="background-color: #004d99; font-weight: normal; padding: 4px; color: #fff;">2. Purchase Bitcoins</h4> <p>There are a number of ways to purchase Bitcoins, whether you're paying by cash, credit/debit card, or direct from your bank account. A range of Bitcoin sellers make Bitcoins easy to obtain.</p> </p> <p> <a href="https://localbitcoins.com" target="_blank">https://localbitcoins.com</a> Buy bitcoins with bank transfer, cash, and Moneygram (best option)<br /> <a href="https://coinatmradar.com" target="_blank">https://coinatmradar.com</a> Buy bitcoins from local ATM machines <br /> <a href="https://bittylicious.com" target="_blank">https://bittylicious.com</a> Buy bitcoins with bank transfer or debit card (United Kingdom) <br /> <a href="https://cex.io" target="_blank">https://cex.io</a> Buy bitcoins with credit/debit card or bank transfer<br /> <a href="https://btcdirect.eu" target="_blank">https://btcdirect.eu</a> Buy bitcoins in Europe<br /> <a href="https://coincorner.com" target="_blank">https://coincorner.com</a> Buy bitcoins in Europe with credit or debit card </p> <h4 style="background-color: #004d99; font-weight: normal; padding: 4px; color: #fff;">3. 
Send <strong>2</strong> BTC</font> to the Bitcoin address:</h4> <div id="btc-addr-display"><strong>Address:</strong> 1NLLrung1MaXucHpAzY5KjdK4y8woodJWt</div> <div style="margin-top: 25px;"/></div> </p> <h4 style="background-color: #004d99; font-weight: normal; padding: 4px; color: #fff;">4. Receive file recovery software</h4> After buying bitcoins, and sending them to the assigned address, follow these steps below: <p> <li>Send an email with the subject 'PAYMENT' along with 1 encrypted file attached [these end in .nuclear55], to <strong style="color: #660000;">[email protected]</strong></li> <!--<li>For a free test decrypt, send one small file which will decrypt free</li>--> <li>Wait for a response from our support (up to 24-48 hours)</li> <!--<li>We will send you further information regarding payment and full file decryption of your computer</li>--> <li>Receive file decryption software to decrypt every encrypted file on the hard drive</li> <li>If you do not here from us after 3 days, register an account on mail.india.com and email us. Your mail provider may be blocking us</li> <li>We won't respond without proof of payment. if you waste our time, we will destroy your encryption key and <strong>waste</strong> the life of your files</li> </p> <p><strong>Our guarentee</strong></p> <p>Our service is not designed to harm his/her computer in any way, but to provide a full decryption service of the intended computer and allow the user to regain access to the specified files.</p> <p></p> </div> </body> </html>
Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\!!_RECOVERY_instructions_!!.txt

Ransom Note
<GRXNNIIE> !! Your files and documents on this computer have been encrypted !! ** What has happened to my files? ** Your important files on your computer; photos, documents, and videos have been encrypted. Your files were encrypted using AES and RSA encryption. ** What does this mean? ** File encryption was produced using a unique 256-bit key generated specifically for this machine. Encryption is a way of securing data and requires a special key to decipher. Unforunate for you, this special key was encrypted using an additional layer of encryption; RSA. Your files were encrypted using the public RSA key. To truly reverse the unfortunate state of your files, you need the private RSA key which is only known by us. ** What should I do next? ** For your information your private key is a paid product. If you really value your data we suggest you start acting fast because you only short amount of time to recover your files before they are gone forever. There are no solutions to this problem, and no anti-virus software can reverse the process of file encryption because we have also erased recent versions of your files which means you cannot use file recovery software. Modifying your files in any way can damage your files permenantly and we will no longer be able to help you. Follow our terms assigned to you below, and we will have your files recovered. You now have 72 hours to make payment before we destroy your encryption keys, leaving your files damaged for good How do I recovering my files? Without Bitcoins your files can never be recovered. Follow the steps below: [1] => Create a Bitcoin wallet In order to use Bitcoin you will need to setup your own Bitcoin wallet. We recommend blockchain.info. However, if you already own a Bitcoin wallet you can skip this step. [2] => Purchase Bitcoins There are a number of ways to purchase Bitcoins, whether you're paying by cash, credit/debit card, or direct from your bank account. 
A range of Bitcoin sellers make Bitcoins easy to obtain. https://localbitcoins.com Buy bitcoins with bank transfer, cash, and Moneygram (best option - worldwide) https://coinatmradar.com Buy bitcoins from local ATM machines https://bittylicious.com Buy bitcoins with bank transfer or debit card (United Kingdom) https://cex.io Buy bitcoins with credit/debit card or bank transfer) https://btcdirect.eu Buy bitcoins in Europe https://coincorner.com Buy bitcoins in Europe with credit or debit card [3] => Send bitcoins to our address You should send 2 BTC to our Bitcoin address: 1NLLrung1MaXucHpAzY5KjdK4y8woodJWt [4] => Contact us and receive encryption keys, and file recovery software - Send an email with the subject 'PAYMENT' along with 1 encrypted file attached [these end in .nuclear55], to [email protected] - Wait for a response from us (up to 24-48 hours) - Receive file decryption software to decrypt every encrypted file on the hard drive - If you do not here from us after 3 days, register an account on mail.india.com and email us. Your mail provider may be blocking us - We will not respond without proof of payment. If you waste our time, we will destroy your encryption key and waste the life of your files ----------------------------------------------------------------- Our service is not designed to harm his/her computer in any way, but to provide a full decryption service of the intended computer and allow the user to regain access to the specified files. -----------------------------------------------------------------
Wallets

1NLLrung1MaXucHpAzY5KjdK4y8woodJWt

URLs

https://coinatmradar.com

https://bittylicious.com

https://cex.io

https://btcdirect.eu

https://coincorner.com

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\!!_RECOVERY_instructions_!!.html

Ransom Note
Your files and documents on this computer have been encrypted What happened to my files? Your important files on your computer; photos, documents, and videos have been encrypted. Your files were encrypted using AES and RSA encryption. What does this mean? File encryption was produced using a unique 256-bit key generated specifically for this machine. Encryption is a way of securing data and requires a special key to decipher. Unforunate for you, this special key was encrypted using an additional layer of encryption; RSA. Your files were encrypted using the public RSA key. To truly reverse the unfortunate state of your files, you need the private RSA key which is only known by us. What should I do next? For your information your private key is a paid product. If you really value your data we suggest you start acting fast because you only short amount of time to recover your files before they are gone forever. There are no solutions to this problem, and no anti-virus software can reverse the process of file encryption because we have also erased recent versions of your files which means you cannot use file recovery software. Modifying your files in any way can damage your files permenantly and we will no longer be able to help you. Follow our terms assigned to you below, and we will have your files recovered. You now have 72 hours to make payment before we destroy your encryption keys, leaving your files damaged for good Recovering your files In order to use Bitcoin you will need to setup your own Bitcoin wallet. We recommend blockchain.info. However, if you already own a Bitcoin wallet you can skip this step. There are a number of ways to purchase Bitcoins, whether you're paying by cash, credit/debit card, or direct from your bank account. A range of Bitcoin sellers make Bitcoins easy to obtain. 
https://localbitcoins.com Buy bitcoins with bank transfer, cash, and Moneygram (best option) https://coinatmradar.com Buy bitcoins from local ATM machines https://bittylicious.com Buy bitcoins with bank transfer or debit card (United Kingdom) https://cex.io Buy bitcoins with credit/debit card or bank transfer https://btcdirect.eu Buy bitcoins in Europe https://coincorner.com Buy bitcoins in Europe with credit or debit card 2 BTC to the Bitcoin address: Address: 1NLLrung1MaXucHpAzY5KjdK4y8woodJWt After buying bitcoins, and sending them to the assigned address, follow these steps below: Send an email with the subject 'PAYMENT' along with 1 encrypted file attached [these end in .nuclear55], to [email protected] Wait for a response from our support (up to 24-48 hours) Receive file decryption software to decrypt every encrypted file on the hard drive If you do not here from us after 3 days, register an account on mail.india.com and email us. Your mail provider may be blocking us We won't respond without proof of payment. if you waste our time, we will destroy your encryption key and waste the life of your files Our guarentee Our service is not designed to harm his/her computer in any way, but to provide a full decryption service of the intended computer and allow the user to regain access to the specified files.
Wallets

1NLLrung1MaXucHpAzY5KjdK4y8woodJWt

URLs

https://coinatmradar.com

https://bittylicious.com

https://cex.io

https://btcdirect.eu

https://coincorner.com
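The two extracted notes above carry everything an operator needs from the victim (wallet, price, extension, deadline, payment sites) plus one thing the HTML rendering hides: commented-out `<li>` lines about a free test decrypt. The script below is an added example of pulling that configuration out of a note, not the sandbox's own extractor; `NOTE_HTML` is a constructed excerpt of the report's `!!_RECOVERY_instructions_!!.html`, and the contact address is kept masked as `[email protected]` because the report itself masks it, so the e-mail field comes back empty on this input.

```python
"""Extract operator-facing configuration from a ransom note (HTML or plain text).

Added example; not part of the sandbox report or the Nuke sample. NOTE_HTML is a
constructed excerpt of the report's extracted HTML note; the contact address is
masked in the report and stays masked here.
"""
import html
import re
from dataclasses import dataclass, field
from typing import List, Optional

NOTE_HTML = """<html><head><title>FILE RECOVERY</title>
<style> body{ background: #004d80; } </style></head><body>
<h3>Your files and documents on this computer have been encrypted</h3>
<p>You now have 72 hours to make payment before we destroy your encryption keys</p>
<a href="https://localbitcoins.com" target="_blank">https://localbitcoins.com</a>
<a href="https://coinatmradar.com" target="_blank">https://coinatmradar.com</a>
<h4>3. Send <strong>2</strong> BTC</font> to the Bitcoin address:</h4>
<div id="btc-addr-display"><strong>Address:</strong> 1NLLrung1MaXucHpAzY5KjdK4y8woodJWt</div>
<li>Send an email with the subject 'PAYMENT' along with 1 encrypted file attached
[these end in .nuclear55], to <strong style="color: #660000;">[email protected]</strong></li>
<!--<li>For a free test decrypt, send one small file which will decrypt free</li>-->
<li>If you do not here from us after 3 days, register an account on mail.india.com and email us.</li>
</body></html>"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# Drop whole <script>/<style> blocks first, then any remaining tag.
TAG_RE = re.compile(r"<(script|style)\b.*?</\1>|<[^>]+>", re.S | re.I)
# Legacy P2PKH/P2SH address: base58 alphabet (no 0, O, I, l), 26-34 chars.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,33}\b")
URL_RE = re.compile(r"https?://[^\s<>]+")
AMOUNT_RE = re.compile(r"\bsend\s+(\d+(?:\.\d+)?)\s*BTC\b", re.I)
EXT_RE = re.compile(r"\bend in\s+(\.[A-Za-z0-9]+)")
DEADLINE_RE = re.compile(r"\b(\d+)\s+hours\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass
class NoteConfig:
    wallets: List[str] = field(default_factory=list)
    amount_btc: Optional[float] = None
    extension: Optional[str] = None
    deadline_hours: Optional[int] = None
    urls: List[str] = field(default_factory=list)
    emails: List[str] = field(default_factory=list)
    hidden_comments: List[str] = field(default_factory=list)


def html_to_text(doc: str):
    """Return (visible text, list of HTML comment bodies). Plain-text notes pass through."""
    comments = COMMENT_RE.findall(doc)
    text = TAG_RE.sub(" ", COMMENT_RE.sub(" ", doc))
    text = re.sub(r"\s+", " ", html.unescape(text)).strip()
    cleaned = [re.sub(r"\s+", " ", TAG_RE.sub(" ", c)).strip() for c in comments]
    return text, cleaned


def extract_config(doc: str) -> NoteConfig:
    text, comments = html_to_text(doc)
    cfg = NoteConfig()
    cfg.wallets = sorted(set(BTC_RE.findall(text)))
    m = AMOUNT_RE.search(text)
    cfg.amount_btc = float(m.group(1)) if m else None
    m = EXT_RE.search(text)
    cfg.extension = m.group(1) if m else None
    m = DEADLINE_RE.search(text)
    cfg.deadline_hours = int(m.group(1)) if m else None
    cfg.urls = sorted(set(URL_RE.findall(text)))
    cfg.emails = sorted(set(EMAIL_RE.findall(text)))
    # Commented-out instructions never render but still reveal operator workflow.
    cfg.hidden_comments = comments
    return cfg


if __name__ == "__main__":
    print(extract_config(NOTE_HTML))
```

The same function works on the `.txt` variant, since tag stripping is a no-op on plain text; the wallet regex is format-only, so a hit still needs a base58check verification before it is treated as a confirmed payment address rather than an extraction candidate.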

Signatures

  • Nuke

    Ransomware family first discovered in 2016.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Scatter.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Scatter.exe"
    1⤵
    • Adds Run key to start application
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies Control Panel
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1896
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\Microsoft\!!_RECOVERY_instructions_!!.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1152
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1152 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1864
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\!!_RECOVERY_instructions_!!.txt
      2⤵
        PID:1096
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1048
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:1420
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Scatter.exe"
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:896
        • C:\Windows\SysWOW64\PING.EXE
          ping 1.1.1.1 -n 1 -w 3000
          3⤵
          • Runs ping.exe
          PID:1476
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1472
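The tree above is the whole ransomware playbook in four command lines: the sample spawns cmd.exe to run `vssadmin delete shadows /all /quiet`, opens both notes through iexplore.exe and notepad.exe, then removes its own binary with a `ping ... & Del` delay trick so the file is gone before the encryptor is triaged. The script below is an added example of turning those observations into process-creation detections (Sysmon Event ID 1 or 4688 style records); it is not the sandbox's signature logic. `EVENTS` is constructed from the PIDs and command lines in the tree; the sample's parent PID (1000) and the benign `vssadmin list shadows` record are assumptions added to show the rules do not fire on them.

```python
"""Detect shadow-copy destruction, delayed self-deletion and ransom-note display
from process-creation telemetry.

Added example; not part of the sandbox report. EVENTS is constructed from the
report's process tree; ppid 1000 for the sample and the pid 2000 'list shadows'
record are assumptions.
"""
import re
from typing import Dict, List

EVENTS = [
    {"pid": 1896, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Scatter.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Scatter.exe"'},
    {"pid": 1152, "ppid": 1896, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\Microsoft\!!_RECOVERY_instructions_!!.html'},
    {"pid": 1096, "ppid": 1896, "image": r"C:\Windows\SysWOW64\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\!!_RECOVERY_instructions_!!.txt'},
    {"pid": 1048, "ppid": 1896, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet'},
    {"pid": 1420, "ppid": 1048, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 896, "ppid": 1896, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Scatter.exe"'},
    {"pid": 1476, "ppid": 896, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 1.1.1.1 -n 1 -w 3000"},
    # Assumed benign admin activity: listing, not deleting, shadow copies.
    {"pid": 2000, "ppid": 1500, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

# Recovery destruction (ATT&CK T1490). The page shows vssadmin; the others are the
# usual siblings seen in ransomware and are included as the generalised rule.
SHADOW_DELETE = [
    (re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I), "vssadmin resize shadowstorage"),
    (re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I), "wmic shadowcopy delete"),
    (re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I), "wbadmin delete catalog"),
    (re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I), "bcdedit recoveryenabled no"),
]
# Delay primitive (ping -n / timeout / choice) chained with del/erase of an .exe.
SELF_DELETE = re.compile(
    r'\b(?:ping\b.*?-n\s*\d+|timeout\b|choice\b).*?&\s*(?:del|erase)\b\s+(?:/\w+\s+)*"?([^"&]+?\.exe)"?', re.I)
# Ransom note handed to a viewer: the visible side of T1486.
NOTE_VIEWERS = {"notepad.exe", "iexplore.exe", "wordpad.exe", "mshta.exe", "wscript.exe"}
NOTE_RE = re.compile(r'[^\s"]*(?:recover|decrypt|restore|ransom|how_to|readme)[^\s"]*\.(?:txt|html?|hta)\b', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid: Dict[int, dict], pid: int, depth: int = 5) -> List[dict]:
    out, ev = [], by_pid.get(pid)
    while ev and depth:
        parent = by_pid.get(ev["ppid"])
        if not parent:
            break
        out.append(parent)
        ev, depth = parent, depth - 1
    return out


def detect(events: List[dict]) -> List[dict]:
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        for rx, name in SHADOW_DELETE:
            if rx.search(cmd):
                findings.append({"pid": ev["pid"], "attack": "T1490", "detail": name})
        m = SELF_DELETE.search(cmd)
        if m:
            target = m.group(1).strip().lower()
            # Only a deletion of an ancestor's own image counts as self-deletion.
            for anc in ancestors(by_pid, ev["pid"]):
                if anc["image"].lower() == target:
                    findings.append({"pid": ev["pid"], "attack": "T1070.004",
                                     "detail": f"deletes image of ancestor pid {anc['pid']}"})
                    break
        if basename(ev["image"]) in NOTE_VIEWERS:
            n = NOTE_RE.search(cmd)
            if n:
                findings.append({"pid": ev["pid"], "attack": "T1486",
                                 "detail": f"ransom note opened: {n.group(0)}"})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

Both the `cmd.exe /C vssadmin ...` wrapper (PID 1048) and the vssadmin.exe child (PID 1420) match the shadow rule, which is what you want from raw telemetry; deduplicate on the process chain when turning this into an alert. The self-deletion rule deliberately requires the deleted path to be an ancestor's image, so an ordinary cleanup script that pings and deletes some other file does not fire.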

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\!!_RECOVERY_instructions_!!.html

      Filesize

      5KB

      MD5

      87b73b46a65c09addc736c337b9673b6

      SHA1

      27d3df4a6aca465a7bcd1914b759c123c7d6583a

      SHA256

      4bd75e317feea0b7a3d2570b4befc406efc4dfb1391cfc9a5a20fdb7438ba109

      SHA512

      af4b863a0d2fffca7bdaeb5c2f892c0baea0809662490ed17f0b436b22bcf4c5b70d28e5448faaa3079fcba55c28e3da3a4b01d783438a359a41d3c340dee2f3

    • C:\Users\Admin\AppData\Roaming\Microsoft\!!_RECOVERY_instructions_!!.txt

      Filesize

      3KB

      MD5

      c78f1fabe5ff1bab15266ef6b45d7c37

      SHA1

      0f64aaad777c7c9554a4ab8e33dc681fe947173c

      SHA256

      1d3ede941cebb8bdf78479147cab435e1e49b59b389b0641e5c828fc403c6c66

      SHA512

      cf3ca480fc31861afa4ff3cdea0025bfc80cbbcd2871c94b759dff5747d4efeccd889c42e31b52d7d8c8c0a4b7a404955c6f39081f92d8fb2b9a0fe32fb48e34

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1DRA18IO.txt

      Filesize

      595B

      MD5

      d7be3c48515f1b34f85dfea3cff24f57

      SHA1

      57e3103048bfb5a1ae6073ee1c147ca4d8b08c4e

      SHA256

      1f2b7c21e77749e957144d87d2ac00d34f610f5554ebf12ef64742ec332962d4

      SHA512

      475247677e3a940c9e490822b63b67db51e918566af76bae4c037f5c0ca1819c3bb203806245c453fdcb6dc0b0a453bb6edb279d51197f4f6a29e60cf8969bed

    • memory/896-60-0x0000000000000000-mapping.dmp

    • memory/1048-59-0x0000000000000000-mapping.dmp

    • memory/1096-56-0x0000000000000000-mapping.dmp

    • memory/1420-63-0x0000000000000000-mapping.dmp

    • memory/1476-62-0x0000000000000000-mapping.dmp

    • memory/1896-54-0x0000000000B30000-0x0000000000B4E000-memory.dmp

      Filesize

      120KB

    • memory/1896-55-0x0000000076181000-0x0000000076183000-memory.dmp

      Filesize

      8KB

    • memory/1896-61-0x0000000000AD5000-0x0000000000AE6000-memory.dmp

      Filesize

      68KB