Analysis

  • max time kernel
    124s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/10/2022, 18:31

General

  • Target

    WindowsRuntimeSecurity.exe

  • Size

    18KB

  • MD5

    7799cb222f53fdea43585f7d40104ed6

  • SHA1

    28d6fc08e1571db3c6358c4b3b6687517afb04ec

  • SHA256

    38ccc368bf474e923dae79501b03b4c5cc62bf57890a99bd4b0a8b3867630e42

  • SHA512

    101cdcbb66655065ca35985efd82862a626a3bf3d080f41713b5ca41f6861169a1f02a8e6d6b23dee65fb740d63af5e46f936b3bfd84537b8580d4b30060bc4f

  • SSDEEP

    384:RixYSYy3Wd/xVAngX0GEmKPK7fUl49cHFMemGCI/mP4:mFYy3QxVRpqGe498MemrP4

Malware Config

Extracted

Path

C:\$Recycle.Bin\ALL_OF_YOUR_FILES_ARE_ENCRYPTED_README.txt

Ransom Note
[ASCII-art banner]

ALL OF YOUR FILES HAVE BEEN ENCRYPTED BY PurpleCascade!

YOUR FILES HAVE BEEN ENCRYPTED WITH MILITARY-GRADE ENCRYPTION ALGORITHM AND IS PERMANENTLY ENCRYPTED UNLESS YOU PAY FOR OUR SERVICES!

Q.1> What happened?
---> All of your sensitive files have been encrypted by PurpleCascade ransomware. You cannot decrypt your files without our special decryption tool.

Q.2> How can I get back my files?
---> You can get back your files only if you pay for our decryption tool. The price for our decryption tool is $1,200 and can be purchased only using Monero. Attempting to decrypt your files without our service will only permanently damage your files even more, making it impossible to recover even with our decryption tool. Also, PLEASE SPECIFY YOUR VERSION OF PURPLECASCADE BELOW!!!

Q.3> How can I pay?
---> As mentioned above, you need to pay us $1,500 in Monero. You can get customer support via qTox, our ID is 0F87E1BAF92E5535EB9D097374150FC7E97F54C97EFB6A5A202F632B6EFD3C28F15588421ACB. Download qTox from: https://tox.chat/download.html (SELECT ONLY qTox!). We will send you the XMR address you should pay us to, and also guide you on transaction, and give you free technical support.

Q.4> Can I trust this process?
---> Of course you can! Our decryption tools have been tested and work 100%, and we will surely give you decryption tool when you will pay us. We DO NOT scam people as then no one will pay us in return.

PurpleCascade version: CVXC
URLs

https://tox.chat/download.html
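The note above is the main host artifact this report hands a responder: a fixed filename written to C:\$Recycle.Bin and to the Desktop, a qTox contact ID, two different quoted prices and a version tag. What follows is an added example, not part of the report and not the malware's own code, of a triage helper that parses such a note, collects every quoted amount rather than assuming one, validates the Tox ID's built-in checksum so a mangled or fabricated ID is not recorded as an IOC, and separates the stable 32-byte public key from the operator-changeable nospam. SAMPLE_NOTE is a constructed excerpt built from the fields quoted in the report; the checksum rule (XOR of the 36 key+nospam bytes, even offsets into one byte and odd offsets into the other) is Tox's published ID format, and the helper names are my own.

```python
"""Triage helper for the PurpleCascade ransom note in this report.

Added example, not part of the sandbox report or the malware.  Given the
text of a dropped note it checks that the note is this family, pulls out
the fields a responder records and validates the qTox contact ID.
"""
import re
from pathlib import Path

# Filename the report shows in C:\$Recycle.Bin and on the Desktop.
NOTE_NAME = "ALL_OF_YOUR_FILES_ARE_ENCRYPTED_README.txt"

# A Tox ID is 38 bytes as hex: 32-byte public key, 4-byte nospam, 2-byte checksum.
TOX_ID_RE = re.compile(r"\b([0-9A-Fa-f]{76})\b")
AMOUNT_RE = re.compile(r"\$([0-9][0-9,]*)")
VERSION_RE = re.compile(r"PurpleCascade version:\s*(\S+)")

# Constructed excerpt built from the note quoted in the report (not the full text).
SAMPLE_NOTE = """\
All of your sensitive files have been encrypted by PurpleCascade ransomware.
The price for our decryption tool is $1,200 and can be purchased only using Monero.
As mentioned above, you need to pay us $1,500 in Monero. You can get customer
support via qTox, our ID is 0F87E1BAF92E5535EB9D097374150FC7E97F54C97EFB6A5A202F632B6EFD3C28F15588421ACB.
Download qTox from: https://tox.chat/download.html (SELECT ONLY qTox!).
PurpleCascade version: CVXC
"""


def tox_id_checksum_ok(tox_id: str) -> bool:
    """Tox ID checksum: XOR the 36 key+nospam bytes, even offsets into
    checksum[0] and odd offsets into checksum[1], then compare with the
    last two bytes.  A random 76-hex string fails this 65535 times in 65536."""
    try:
        raw = bytes.fromhex(tox_id)
    except ValueError:
        return False
    if len(raw) != 38:
        return False
    check = [0, 0]
    for i, b in enumerate(raw[:36]):
        check[i % 2] ^= b
    return bytes(check) == raw[36:]


def parse_note(text: str) -> dict:
    """Pull the responder-relevant fields out of a note's text."""
    tox = TOX_ID_RE.search(text)
    tox_id = tox.group(1).upper() if tox else None
    version = VERSION_RE.search(text)
    return {
        "family": "PurpleCascade" if "PurpleCascade" in text else None,
        "tox_id": tox_id,
        "tox_id_valid": tox_id_checksum_ok(tox_id) if tox_id else False,
        # The public key identifies the Tox account; the operator can change the
        # nospam, which alters the ID's hex but not the key, so track the key.
        "tox_public_key": tox_id[:64] if tox_id else None,
        # The report's note quotes two different prices, so collect all of them.
        "amounts_usd": [int(a.replace(",", "")) for a in AMOUNT_RE.findall(text)],
        "version": version.group(1) if version else None,
    }


def is_purplecascade_note(filename: str, text: str) -> bool:
    """Require the fixed filename, the family string and a checksum-valid Tox ID."""
    fields = parse_note(text)
    return (filename == NOTE_NAME
            and fields["family"] == "PurpleCascade"
            and fields["tox_id_valid"])


def scan_for_notes(root) -> list:
    """Walk a tree (a mounted image or a live drive) and return parsed notes."""
    hits = []
    for path in Path(root).rglob(NOTE_NAME):
        text = path.read_text(encoding="utf-8", errors="replace")
        if is_purplecascade_note(path.name, text):
            hits.append({"path": str(path), **parse_note(text)})
    return hits


if __name__ == "__main__":
    for key, value in parse_note(SAMPLE_NOTE).items():
        print(f"{key:>16}: {value}")
```

Run stand-alone it parses SAMPLE_NOTE; the ID quoted in the report passes the checksum, and flipping its last byte fails it. scan_for_notes() walks a mounted image or a live drive for the filename. Matching on the filename together with a checksum-valid Tox ID, rather than on the filename alone, keeps a renamed text file or a hand-edited copy of the note from triggering.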

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 7 IoCs
  • Program crash 1 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WindowsRuntimeSecurity.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsRuntimeSecurity.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4776
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 2976
      2⤵
      • Program crash
      PID:2856
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:324
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4776 -ip 4776
    1⤵
    PID:4876
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ALL_OF_YOUR_FILES_ARE_ENCRYPTED_README.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:4720
  • C:\Windows\System32\Notepad.exe
    "C:\Windows\System32\Notepad.exe" C:\Users\Admin\Downloads\DisconnectConvert.vbs
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1772
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\CompressUnblock.htm
    1⤵
    PID:552
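The process tree gives a detection pattern that is easy to state and easy to get wrong: the binary runs from the user's %TEMP%, both WerFault.exe launches refer back to it by "-p 4776" even though only the first is its child, and the ransom note is displayed in Notepad, while the second Notepad launch (DisconnectConvert.vbs) and the Edge launch are unrelated activity that the "likely ransom note" signature still fires on. The following is an added example, not tooling from the sandbox, of correlating these events into one chain over process-creation telemetry of the shape (pid, ppid, image, cmdline). EVENTS is a constructed list mirroring the tree above; the parent PIDs are assumed, since the report does not show them, and the function names are my own.

```python
"""Correlate the process tree from this report into one detection chain.

Added example, not sandbox tooling.  Works over process-creation events of
the shape (pid, ppid, image, cmdline) as Sysmon event 1 or EDR telemetry
would supply them.  EVENTS is constructed to mirror the tree above; parent
PIDs are assumed because the report does not show them.
"""
import re

# Constructed from the report's process tree.  ppid 800 stands in for the
# shell/service that launched the top-level processes (assumption).
EVENTS = [
    {"pid": 4776, "ppid": 800,
     "image": r"C:\Users\Admin\AppData\Local\Temp\WindowsRuntimeSecurity.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\WindowsRuntimeSecurity.exe"'},
    {"pid": 2856, "ppid": 4776,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 2976"},
    {"pid": 324, "ppid": 800,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,"
                r"SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"},
    {"pid": 4876, "ppid": 800,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4776 -ip 4776"},
    {"pid": 4720, "ppid": 800,
     "image": r"C:\Windows\system32\NOTEPAD.EXE",
     "cmdline": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ALL_OF_YOUR_FILES_ARE_ENCRYPTED_README.txt'},
    {"pid": 1772, "ppid": 800,
     "image": r"C:\Windows\System32\Notepad.exe",
     "cmdline": r'"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Downloads\DisconnectConvert.vbs'},
    {"pid": 552, "ppid": 800,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\CompressUnblock.htm'},
]

TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
WERFAULT_PID_RE = re.compile(r"\s-p\s+(\d+)\b")
NOTE_FILE_RE = re.compile(r'([^\\\s"]*ENCRYPTED[^\\\s"]*\.txt)', re.I)


def image_name(event) -> str:
    return event["image"].rsplit("\\", 1)[-1].lower()


def analyze(events) -> list:
    """Return (kind, pid, detail) findings.  WerFault launches are tied to the
    crashed binary through the PID in their -p argument, not through parent
    links, because the second WerFault launch is not a child of the crashed
    process."""
    by_pid = {e["pid"]: e for e in events}
    temp_pids = {e["pid"] for e in events if TEMP_EXE_RE.search(e["image"])}
    findings = []
    for e in events:
        name = image_name(e)
        if e["pid"] in temp_pids:
            findings.append(("exec_from_temp", e["pid"], e["image"]))
        elif name == "werfault.exe":
            m = WERFAULT_PID_RE.search(e["cmdline"])
            crashed = int(m.group(1)) if m else None
            if crashed in temp_pids:
                findings.append(("crash_of_temp_binary", e["pid"], by_pid[crashed]["image"]))
        elif name == "notepad.exe":
            # Match the note's filename, not every Notepad launch: the sandbox
            # also opened a .vbs from Downloads in Notepad during this run.
            m = NOTE_FILE_RE.search(e["cmdline"])
            if m:
                findings.append(("ransom_note_opened", e["pid"], m.group(1)))
    return findings


def is_ransomware_chain(findings) -> bool:
    """Flag only when a %TEMP% binary ran and a ransom note was then displayed."""
    kinds = {f[0] for f in findings}
    return {"exec_from_temp", "ransom_note_opened"} <= kinds


if __name__ == "__main__":
    for kind, pid, detail in analyze(EVENTS):
        print(f"{kind:<22} pid={pid:<5} {detail}")
    print("ransomware chain:", is_ransomware_chain(analyze(EVENTS)))
```

On the constructed events this yields four findings (the %TEMP% execution, two crash reports naming PID 4776, and the note opened from the Desktop) and no finding for rundll32, the .vbs in Notepad or Edge. Requiring both the %TEMP% execution and the note before flagging is what keeps a lone Notepad launch from paging anyone; on real telemetry the same correlation keyed on the -p PID also survives the WerFault launch arriving from a different parent.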

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\Desktop\ALL_OF_YOUR_FILES_ARE_ENCRYPTED_README.txt

    Filesize
    2KB

    MD5
    a2c9416d9b5d7c3c0fa1ff3938ad585c

    SHA1
    13ad0e70e0138ab82f5bdda79e47a7dddd52c8f7

    SHA256
    1cdc0612ea6a3b56eea4e197c58f67364791ce43dc61844a64629fbb7c84b3df

    SHA512
    e871a753bf8eac1e87a3c8e1efc495a7b864d66a41dbf1f4884d5460f5ea18520f5926eac2163dc6f1e1db36e25fb59e0108897a9a00ef2be29da1e0dbd7d137

  • memory/4776-132-0x00000000009F0000-0x00000000009FA000-memory.dmp

    Filesize
    40KB