28b3ecf298a47f0e3db76f087e056f30736dab5a0d0a367cb48651897fa617d7

General

Target

9272022_diav1.exe
Size

227KB
MD5

2f62c5385dc49b91f5bd5e2a42f75fe6
SHA1

fdfdfacde0b898d13b01b1ab95d09d55196a13f5
SHA256

28b3ecf298a47f0e3db76f087e056f30736dab5a0d0a367cb48651897fa617d7
SHA512

45aa5c281ab9d0e5c01b8da10a96416b2d01f0d57662ccbc1394b8f0dea1baa9d349675bd58a069e6ad005bf7601452bba17edefdb8f309c9bcc909d2364b351
SSDEEP

3072:v+HwIahsiDzTvGvJTkwEluO9GYSFR8HenNGmeu9+hvwG:GHZs/LeJTkz0YGYSz1n1id

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\WARNING.TXT

Ransom Note

You've been hacked. All your corporate network servers and workstations are encrypted. Your company is a victim of double extortion ransomware attack. What is it? Basically it means that not only your data is encrypted, but it's also have been exfiltrated from your network. Double Extortion attack explained in details : https://www.zscaler.com/resources/security-terms-glossary/what-is-double-extortion-ransomware ===== What now? ===== If you want your network to be fully operational again and if you want us not to publish all files we've taken : 1. Download Tor Browser from original site : https://torproject.org 2. Open this url in Tor Browser and visit this website : https://7ypnbv3snejqmgce4kbewwvym4cm5j6lkzf2hra2hyhtsvwjaxwipkyd.onion/ 3. Enter this key : 2A58A-29167-F7907-33C1E-B50BF-5704B If you've done everything correctly - now you are able to contact us and take a chance to leave this all behind for a reasonable fee. NOTE : If TOR network is unavailable by any reason - you can use any VPN service to solve it.

URLs

https://www.zscaler.com/resources/security-terms-glossary/what-is-double-extortion-ransomware

https://7ypnbv3snejqmgce4kbewwvym4cm5j6lkzf2hra2hyhtsvwjaxwipkyd.onion/

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

9272022_diav1.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SyncCompress.raw => \??\c:\users\admin\pictures\synccompress.raw.bully	9272022_diav1.exe
File renamed	C:\Users\Admin\Pictures\UnprotectConvertFrom.tiff => \??\c:\users\admin\pictures\unprotectconvertfrom.tiff.bully	9272022_diav1.exe
File opened for modification	\??\c:\users\admin\pictures\unprotectconvertfrom.tiff	9272022_diav1.exe
File renamed	C:\Users\Admin\Pictures\FindClear.png => \??\c:\users\admin\pictures\findclear.png.bully	9272022_diav1.exe
File renamed	C:\Users\Admin\Pictures\LimitDisable.tif => \??\c:\users\admin\pictures\limitdisable.tif.bully	9272022_diav1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9272022_diav1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	9272022_diav1.exe

Drops startup file 2 IoCs

Processes:

9272022_diav1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\WARNING.TXT	9272022_diav1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\WARNING.TXT	9272022_diav1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 2 IoCs

Processes:

9272022_diav1.exe

description	ioc	process
File opened for modification	\??\c:\users\admin\desktop\desktop.ini	9272022_diav1.exe
File opened for modification	\??\c:\users\public\desktop\desktop.ini	9272022_diav1.exe

Drops file in Program Files directory 64 IoCs

Processes:

9272022_diav1.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\WARNING.TXT	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\hxmailsplashlogo.scale-400.png	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.zunemusic_10.19071.19011.0_x64__8wekyb3d8bbwe\assets\contrast-black\widelogo.scale-200_contrast-black.png	9272022_diav1.exe
File opened for modification	\??\c:\program files\common files\system\ado\msado25.tlb	9272022_diav1.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\o365proplusr_subscription1-ppd.xrm-ms	9272022_diav1.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\onenotevl_kms_client-ul.xrm-ms	9272022_diav1.exe
File opened for modification	\??\c:\program files\microsoft office\root\office16\1033\quickstyles\word2013.dotx	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\deletedalluserpackages\microsoft.windowsstore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\appxmanifest.xml	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.windows.photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\assets\photosapplist.targetsize-48_altform-colorize.png	9272022_diav1.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\WARNING.TXT	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.microsoftofficehub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\square44x44logo.scale-200.png	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.windowsalarms_10.1906.2182.0_x64__8wekyb3d8bbwe\assets\alarmsapplist.targetsize-30_altform-lightunplated.png	9272022_diav1.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\ui-strings.js	9272022_diav1.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\application\92.0.902.67\locales\pt-br.pak	9272022_diav1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\WARNING.TXT	9272022_diav1.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\WARNING.TXT	9272022_diav1.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.bingweather_4.25.20211.0_x64__8wekyb3d8bbwe\assets\apptiles\weathericons\30x30\187.png	9272022_diav1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\WARNING.TXT	9272022_diav1.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\meta-inf\eclipse_.sf	9272022_diav1.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_zh_4.4.0.v20140623020002.jar	9272022_diav1.exe
File opened for modification	\??\c:\program files\microsoft office\root\office16\msipc\sr-cyrl-ba\msipc.dll.mui	9272022_diav1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\WARNING.TXT	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_x64__8wekyb3d8bbwe\assets\secondarytiles\directions\car\rtl\contrast-white\widetile.scale-200.png	9272022_diav1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\WARNING.TXT	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\deletedalluserpackages\microsoft.xboxapp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\assets\gamesxboxhubapplist.scale-125_contrast-white.png	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.microsoft3dviewer_6.1908.2042.0_x64__8wekyb3d8bbwe\assets\square44x44logo.targetsize-256.png	9272022_diav1.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\contrast-standard\WARNING.TXT	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.webmediaextensions_1.0.20875.0_x64__8wekyb3d8bbwe\assets\medtile.scale-200.png	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\hxa-advanced-dark.scale-125.png	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\secondarytiles\traffichub\contrast-white\widetile.scale-100.png	9272022_diav1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\WARNING.TXT	9272022_diav1.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\ink\bg-bg\tipresx.dll.mui	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.office.onenote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\builtinresearcher.xml	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.windowscalculator_10.1906.55.0_x64__8wekyb3d8bbwe\assets\calculatorapplist.targetsize-256_altform-fullcolor.png	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\8041_24x24x32.png	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.windowsmaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\assets\apptiles\contrast-white\mapsbadgelogo.scale-100.png	9272022_diav1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ja-jp\WARNING.TXT	9272022_diav1.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-us\View3d\WARNING.TXT	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.windowscamera_2018.826.98.0_x64__8wekyb3d8bbwe\assets\windowsicons\windowscameraapplist.targetsize-40_altform-unplated.png	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.yourphone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\s-1-5-21-929662420-1054238289-2961194603-1000-mergedresources-0.pri	9272022_diav1.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\core\dev\nls\en-ae\ui-strings.js	9272022_diav1.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\exportpdfupsell-app\js\plugin.js	9272022_diav1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sk-sk\WARNING.TXT	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\deletedalluserpackages\microsoft.desktopappinstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\assets\apppackagestorelogo.scale-125.png	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\linkedinboxsmalltile.scale-100.png	9272022_diav1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\WARNING.TXT	9272022_diav1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\WARNING.TXT	9272022_diav1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\WARNING.TXT	9272022_diav1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ar-ae\WARNING.TXT	9272022_diav1.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\jre\lib\security\blacklisted.certs	9272022_diav1.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\WARNING.TXT	9272022_diav1.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\powerpointr_oem_perp-pl.xrm-ms	9272022_diav1.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\ob-preview\images\themeless\example_icons.png	9272022_diav1.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxMetadata\WARNING.TXT	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.xboxgameoverlay_1.46.11001.0_x64__8wekyb3d8bbwe\appxsignature.p7x	9272022_diav1.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrobat reader dc\reader\webresources\resource0\static\images\themes\dark\s_duplicate_18.svg	9272022_diav1.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\application\92.0.902.67\resiliencylinks\msedge.dll.sig.data	9272022_diav1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\WARNING.TXT	9272022_diav1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\WARNING.TXT	9272022_diav1.exe
File opened for modification	\??\c:\program files\microsoft office\root\fre\startmenu_win7_rtl.wmv	9272022_diav1.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\o365proplusr_subscription2-ppd.xrm-ms	9272022_diav1.exe
File opened for modification	\??\c:\program files\windowsapps\microsoft.bingweather_4.25.20211.0_x64__8wekyb3d8bbwe\assets\apptiles\weathericons\30x30\170.png	9272022_diav1.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\WARNING.TXT	9272022_diav1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4832 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9272022_diav1.exe

pid process

3284 9272022_diav1.exe
3284 9272022_diav1.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2244 vssvc.exe
Token: SeRestorePrivilege 2244 vssvc.exe
Token: SeAuditPrivilege 2244 vssvc.exe

pid	process
4832	vssadmin.exe

pid	process
3284	9272022_diav1.exe
3284	9272022_diav1.exe

description	pid	process
Token: SeBackupPrivilege	2244	vssvc.exe
Token: SeRestorePrivilege	2244	vssvc.exe
Token: SeAuditPrivilege	2244	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

9272022_diav1.execmd.exe

description	pid	process	target process
PID 3284 wrote to memory of 1488	3284	9272022_diav1.exe	cmd.exe
PID 3284 wrote to memory of 1488	3284	9272022_diav1.exe	cmd.exe
PID 3284 wrote to memory of 4284	3284	9272022_diav1.exe	cmd.exe
PID 3284 wrote to memory of 4284	3284	9272022_diav1.exe	cmd.exe
PID 1488 wrote to memory of 4832	1488	cmd.exe	vssadmin.exe
PID 1488 wrote to memory of 4832	1488	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\9272022_diav1.exe
"C:\Users\Admin\AppData\Local\Temp\9272022_diav1.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c vssadmin Delete Shadows /All /Quiet >> NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:4832

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\9272022_diav1.exe >> NUL
2⤵
PID:4284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1488-135-0x0000000000000000-mapping.dmp

Download
memory/3284-132-0x0000000002BA0000-0x0000000002BA8000-memory.dmp

Filesize
32KB

Download
memory/3284-133-0x0000000002BB0000-0x0000000002BB8000-memory.dmp

Filesize
32KB

Download
memory/3284-134-0x0000000002BA0000-0x0000000002BA8000-memory.dmp

Filesize
32KB

Download
memory/3284-137-0x0000000002BA0000-0x0000000002BA8000-memory.dmp

Filesize
32KB

Download
memory/4284-136-0x0000000000000000-mapping.dmp

Download
memory/4832-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads