Analysis

  • max time kernel
    92s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/10/2022, 17:28

General

  • Target

    b14a9c2da96afff8fff645922e6bf4f1ee60e7eefd4b59985d83785f83572203.exe

  • Size

    100KB

  • MD5

    1538ed64c62590c5ea5c18fb5e6d9e5b

  • SHA1

    c1135b587775f714cca7eb928bab9440dccb14d5

  • SHA256

    b14a9c2da96afff8fff645922e6bf4f1ee60e7eefd4b59985d83785f83572203

  • SHA512

    6dd8e320ee23ee9fdea830ca5cc606895b12b2fb781de4c39fd9a91b56bb750e5fb800be11b9138f5edd5dd5f9877989c10abbb94b1cd9d58262263f5365d38f

  • SSDEEP

    1536:fiDhCZHs7rVRZa+bK74ZzHIiG8GH0KRr9MUL29ASKp/IBqm4jrD2nkfWLLRX2:fqCZ8rVeaIiG1U2r97a96OWfDAkoX2

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme_avira9.txt

Ransom Note
What happened?
Hello, Admin. Your files have been encrypted with the AES-256 Military Algorithm. You may be searching up how to decrypt your files, it is not possible. You should continue reading this note to see how you could recover your files.

What can I do?
Only we have the key to decrypt your files, nobody can help you here. If you want your important files back you will need $100 in Bitcoin. When you have this amount, you should e-mail us at: [email protected] Make sure to include your ID, your ID is: vHpB816ylGSdJEXrgVb3943OA

What if I don't pay?
If you choose not to pay us, after 7 days your files will be rendered useless. We'll also erase your key from our servers forever, no second chances. Even if you can restore your files, we have kept copies on our servers. Meaning all important files you have lost will be leaked onto various forums. If you pay of course, we will erase all your files from our servers.

Good luck.

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b14a9c2da96afff8fff645922e6bf4f1ee60e7eefd4b59985d83785f83572203.exe
    "C:\Users\Admin\AppData\Local\Temp\b14a9c2da96afff8fff645922e6bf4f1ee60e7eefd4b59985d83785f83572203.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C taskkill /f /im DefenderDaemon.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im DefenderDaemon.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3624
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C taskkill /f /im TrueImageMonitor.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im TrueImageMonitor.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1484
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme_avira9.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:3708
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del C:\Users\Admin\AppData\Local\Temp\b14a9c2da96afff8fff645922e6bf4f1ee60e7eefd4b59985d83785f83572203.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4312
      • C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
        PID:3024

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\Desktop\readme_avira9.txt

    Filesize

    1KB

    MD5

    5df91422e5a8b8e992e59546c9143a35

    SHA1

    a07d73f46a6abae32da563eca342f74c905a2055

    SHA256

    7eee2776f6571dcc063045dfd2f13c8efff39f831080c2ee72237f6acd7a5bbf

    SHA512

    f9663b4c601ce494df8944322c80042c103a622d4fd4e9b16ce00995a9fa5aa28ff5350847bc92483de96a52c6049849c02f4866dde4ae5f815e489495161ebc

  • memory/4248-132-0x00000000007A0000-0x00000000007BE000-memory.dmp

    Filesize

    120KB

  • memory/4248-133-0x00007FFAE3640000-0x00007FFAE4101000-memory.dmp

    Filesize

    10.8MB

  • memory/4248-134-0x00007FFAE3640000-0x00007FFAE4101000-memory.dmp

    Filesize

    10.8MB

  • memory/4248-142-0x00007FFAE3640000-0x00007FFAE4101000-memory.dmp

    Filesize

    10.8MB