Analysis

  • max time kernel
    109s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-10-2022 16:54

General

  • Target

    8e974a3be94b7748f7971f278160a74d738d5cab2c3088b1492cfbbd05e83e22.exe

  • Size

    159KB

  • MD5

    ecc918fd6e040ba4675c3179f05da459

  • SHA1

    b372124021c93ffc52e43a7af0883e880d4eb730

  • SHA256

    8e974a3be94b7748f7971f278160a74d738d5cab2c3088b1492cfbbd05e83e22

  • SHA512

    840b668cbad5897b5f52fe4ef86069b6668f49299a5b2bba24290d7df7b7db36f8ef4ee89644134d61930da647a235b38af2ebe79e772c547a8ba5b05ba08cad

  • SSDEEP

    3072:X3ypcDozZR/WcCF7dPiyJUh5KvdtEZtPz4g0I/t9L05Uht9uew+BVfRUi6BJ+L:X3ypcmR/UoyJU8EPPE0tVPtnNgg

Score
10/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\RECOVERY FILES.txt

Ransom Note
YOUR FILES ARE ENCRYPTED !!!
TO DECRYPT, FOLLOW THE INSTRUCTIONS:
To recover data you need decrypt tool.
To get the decrypt tool you should:
1.In the letter include your personal ID! Send me this ID in your first email to me!
2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files!
3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool!
4.We can decrypt few files in quality the evidence that we have the decoder.
Do not rename, do not use third-party software or the data will be permanently damaged
CONTACT US: [email protected]
If first email will not reply in 24 hours then contact with reserve address: [email protected]
YOUR PERSONAL ID: E7281A596504
In case of non-payment of the ransom, your data may be published in the public domain.
Our page in telegram with data leaks: https://t.me/mallox_leaks
URLs

https://t.me/mallox_leaks

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Stops running service(s) 3 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e974a3be94b7748f7971f278160a74d738d5cab2c3088b1492cfbbd05e83e22.exe
    "C:\Users\Admin\AppData\Local\Temp\8e974a3be94b7748f7971f278160a74d738d5cab2c3088b1492cfbbd05e83e22.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\system32\vssadmin.exe
      "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:4688
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
      2⤵
      PID:5012
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C sc delete MsDtsServer100&&sc delete MSSQL$SOPHOS&&sc delete MSSQLFDLauncher&&sc delete MSSQLSERVER&&sc delete MSSQLServerADHelper100&&sc delete MSSQLServerOLAPService&&sc delete ReportServer&&sc delete SQLAgent$SOPHOS&&sc delete "SQLANYs_sem5"&&sc delete SQLBrowser&&sc delete SQLSERVERAGENT&&sc delete SQLWriter&&sc delete B1LicenseService&&sc delete b1s50000&&sc delete b1s50001&&sc delete b1s50002&&sc delete B1ServerTools&&sc delete B1ServerTools64&&sc delete B1Workflow&&sc delete COMSysApp&&sc delete Gatekeeper64&&sc delete isapnp&&sc delete "SAP Business One RSP Agent Service"&&sc delete SBOClientAgent&&sc delete "SBODI_Server"&&sc delete SBOMail&&sc delete SBOWFDataAccess&&taskkill /f /im db*&&taskkill /f /im apache*&&taskkill /f /im mysql*&&taskkill /f /im Notifier*&&taskkill /f /im IBM*&&taskkill /f /im copy*&&taskkill /f /im store*&&taskkill /f /im sql*&&taskkill /f /im vee*&&taskkill /f /im wrsa*&&taskkill /f /im postg*&&taskkill /f /im sage*&&taskkill /f /im msdt*&&taskkill /f /im ora*&&taskkill /f /im microsoft*&&taskkill /f /im backup*&&taskkill /f /im http*&&taskkill /f /im office*&&taskkill /f /im cube*&&taskkill /f /im team*&&taskkill /f /im b1*&&taskkill /f /im sbo*&&taskkill /f /im reporting*&&taskkill /f /im sav*&&taskkill /f /im fd*&&taskkill /f /im microsoft*&&net stop MSSQLFDLauncher&&net stop MSSQLServerOLAPService&&net stop ReportServer
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1484
      • C:\Windows\SysWOW64\sc.exe
        sc delete MsDtsServer100
        3⤵
        • Launches sc.exe
        PID:4244
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      2⤵
      PID:3696
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3396
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3532
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY FILES.txt
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1512

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\Desktop\RECOVERY FILES.txt

    Filesize

    958B

    MD5

    1eb927f52f1c36c07093a62dc77f3f3b

    SHA1

    dd8930eaa2020fdc7d043790d8f9cbeb0503e8b1

    SHA256

    404991846efc7386b9a7590e0fc362da9404f4c1f5ee60a2730f60c7b748f307

    SHA512

    71c7e07befb9f3e2e7067d6f6bb7ba254e454d1ca0c3582785686c4c9e464aa86763426a60bf53f692c83f43b62e2791fa8d7ae1c4ca9e90226cde092b5ab334