Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2022 05:05

General

  • Target

    c0c726a23111c220d022fcd01a85f9788249e42baece03f83b6059170453b801.exe

  • Size

    301KB

  • MD5

    2dc0dad1939edfdf997525bac94cdc21

  • SHA1

    e3e398a3eed8ffc0266dbe37c396909eee150cf4

  • SHA256

    c0c726a23111c220d022fcd01a85f9788249e42baece03f83b6059170453b801

  • SHA512

    bfab68408e2812a00a114372fc51704ebaa232f63aeb3564769d10af5895957b0bb8a1aefe8ffe09d92fc38e96b807c02dedc9a08d2beda5822ad4ec3d7cefda

  • SSDEEP

    6144:DRBvjMHJAGRdMSv+8nMmSIis4WKAra+xZp3AaEHhwnR:lBvjMHJANkMm9v4WKUJEHhwnR

Score
10/10

Malware Config

Extracted

Path

\??\A:\!-Recovery_Instructions-!.html

Ransom Note
<!DOCTYPE html> <html lang="en"> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width,initial-scale=1'> <title></title> <style> html, body { background-color: #1a1a1a; } body { padding-top: 1rem !important; font-size: 1.3rem; color: white; } #text h2 { font-size: 2rem; font-weight: 600; line-height: 1.125; } .container { max-width: 1152px; flex-grow: 1; margin: 0 auto; position: relative; width: auto; } .box { background-color: #242424; display: block; padding: 1.25rem; border: 1px solid #303030; } a { color: #00b4d8; text-decoration: none; } a:hover { text-decoration: underline; } li { margin-bottom: 10px; } </style> </head> <body> <div class='container'> <div class='box'> <div id='text'> <h2>If you get this message, your network was hacked!</h2> <p>After we gained full access to your servers, we first downloaded a large amount of sensitive data and then encrypted all the data stored on them.</p> <p>That includes personal information on your clients, partners, your personnel, accounting documents, and other crucial files that are necessary for your company to work normally.</p> <p>We used modern complicated algorithms, so you or any recovery service will not be able to decrypt files without our help, wasting time on these attempts instead of negotiations can be fatal for your company.</p> <p>Make sure to act within <span style='color:#f4a261;'>72</span> hours or the negotiations will be considered failed!</p> <p>Inform your superior management about what's going on.</p> <p> Contact us for price and get decryption software.</p> <p> Contact us by email:<p> <h2>[email protected]</h2> </p>If you will get no answer within 24 hours contact us by our alternate emails:</p> <h2>[email protected]</h2> </p>To verify the possibility of the recovery of your files we can decrypted 1-3 file for free.</p> </p>Attach file to the letter (no more than 5Mb).</p> <h2>If you and us succeed the negotiations we will grant you:</h2> <ul> <li>complete confidentiality, we will keep in secret any information regarding to attack, your company will act as if nothing had happened.</li> <li>comprehensive information about vulnerabilities of your network and security report.</li> <li>software and instructions to decrypt all the data that was encrypted.</li> <li>all sensitive downloaded data will be permanently deleted from our cloud storage and we will provide an erasure log.</li> </ul> <h2>Our options if you act like nothing's happening, refuse to make a deal or fail the negotiations:</h2> <ul> <li>inform the media and independent journalists about what happened to your servers. To prove it we'll publish a chunk of private data that you should have ciphered if you care about potential breaches. Moreover, your company will inevitably take decent reputational loss which is hard to assess precisely.</li> <li>inform your clients, employees, partners by phone, e-mail, sms and social networks that you haven't prevent their data leakage. You will violate laws about private data protection.</li> <li>start DDOS attack on you website and infrastructures.</li> <li>personal data stored will be put on sale on the Darknet to find anyone interested to buy useful information regarding your company. It could be data mining agencies or your market competitors.</li> <li>publish all the discovered vulnerabilities found in your network, so anyone will do anything with it.</li> </ul> <h2>Why pay us?</h2> <p>We care about our reputation. You are welcome to google our cases up and be sure that we don't have a single case of failure to provide what we promissed.</p> <p>Turning this issue to a bug bounty will save your private information, reputation and will allow you to use the security report and avoid this kind of situations in future.</p> <h2>Your personal ID</p> Your ID: NjRer/c0wbpr5ufnHKaXzyCgBt8+8ZN6ZeesEUn3X46aCIdXMO9WYH61T7DQukH5e6tlXaEUuvUKYJoorcfQruBk8apbLIa/WOxNp/Z1bmeW1ajav0g9vrpL7Slb3X9SkKTb+Sx83waOYOgzAgT8aQ+nVPtvMcs5xfSwUbVvGQ/Uon19/xyZqS2kElJNosHaq710GDbPfJLTI+hTZ5D8xbtRvTP3mqtVGiWTdKxICWBl++giRuk6/QGXwGKybUhN+318+ZYFz/ex2sZ4z4ZsBf6x7YnM4m0h622FLse9Uwuqaw2afCdksQDGdOD6Hh5wXg9x6MXIc4WJyTeGaqarNR6EBA3VT45IVO5JoqcYxtsnDwKIccite0g//5plNUUgYZwcbjJpGt7E8LLTjIue6RH5RoHfBJvrEUItYhD0jAWwJvNZsA5VRKTxR500+k347tH7KYgQoAeGiMOR3wqOrFKevcFFkFeIhGY//UiCdIVFLTdBRJrTRpxfj42tPDDcI7FJYwH4bK+ynrpPauO3B1Oo8joBnWVltaoLRH+x+x64uDElJROuvYC85E1KnKKVDS/O/fBrL5bkKDpKoXyt1ShG6w6G0JfBETXKkzNJ7vGftTs6YLOu4PI4dNdckIp57YsioqpUWlBdGStkH7nD/ZGiUFYAn3iu7z8Chr4goaZbavtaEH5M0c1EIN+sjD1ZIEJjNBIHi/9WnXeVkwvbSg80IBEMGGtbXASwlY5LGefQZPfkIq+XC3NUrpHSYfOJFyQY77XsEmIaXuco/vPzr19iOQ/6K/Og7d1/uRz+o3cuV/0c6oKDMPqMz5OTUFxNwWHQflAbO9g+cfY3PHgi4jrxOFF15GKgIZmKJ6O+pav7ejXhB1JNsDYknxTIbXjYkf+vc1eKFsqDBLIzsXVyocH4Hpa+a6vusDlnJ3MHJL+0HN7tWi9m2AyGLtCNZuKX8ZbQkvFYBnLWCE5U7VnYojxylK38MswAm76bQ+m/o9c6kQPAKflPUJYnzrRvJmcpAA0VgzbkTg0VRo1spQ1d9zQ1TNC/Vjuu0Wk2y5pqTtEB3mkBFE+EsgOKfdAJoh+m90zEkWrQw12ikAj79qyrUIFIRiKAOQxsGoG8PDqwFYq0tDmOSdNMHPJhQtrcXn6q8IdGnmabLlC84Me7bClLa8F37MEDTTqteFoIoHbf3WZG/132ok9a5oc1pREaKXJHcjzpIMODEYOtT2WFiyBi4C1kkIjESLsdXOe8I0VrKjp+M6zb1OyqpGRZhHIGFcfHuwj4KIzs8B7aTy8KrL/n2KFc2sOMfZgF5GJwMeVtWtdiu66ZAAsOs/Y3bbSkPwGHhOFVwKQxM0U6a4gdcUjKCyHEUUObl61mfNk6hvq68HYqjQa5OFNEezJ1mG1pDIqE7v2IVbPlXI5QhvLuZHZ7hR6U4KC/kFtRm3m96y3g7C8KSaSEenVD1eFT9UuRMeCxn5UrRR1MqXsmz0nnT5NPS+ubWj4T2H2ODxs7aGgiyQe7vQ4DWiCNCdRlleRqgkVV/s5gz0SymEKYzM8SOAKfa6loGhvEgO0al34w6Z8N7t8LmsSrCsVLXBFsjZps0gdyImdJ+SJK5trTvv8c7rITqqjha87uY1u66YCpMBZ44McL2SCs7NDyUA2/x+GtnaVnki34+7AzUsqn3iLeabpMaEU7rn80xCCag50nzq4hIJ8=
Emails

<h2>[email protected]</h2>

<h2>[email protected]</h2>

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Overwrites deleted data with Cipher tool 1 TTPs

    Cipher is a Windows tool which be used to securely wipe deallocated HDD space, preventing recovery of deleted data.

  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Kills process with taskkill 16 IoCs
  • Modifies registry class 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0c726a23111c220d022fcd01a85f9788249e42baece03f83b6059170453b801.exe
    "C:\Users\Admin\AppData\Local\Temp\c0c726a23111c220d022fcd01a85f9788249e42baece03f83b6059170453b801.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3708
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im sqlbrowser.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4456
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im sqlwriter.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2296
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im sqlservr.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4268
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im msmdsrv.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4336
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im MsDtsSrvr.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5020
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im sqlceip.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2556
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im fdlauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1860
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im Ssms.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1600
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im SQLAGENT.EXE
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4140
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im fdhost.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1184
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im fdlauncher.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2224
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im sqlservr.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1828
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im ReportingServicesService.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3808
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im msftesql.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4948
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im pg_ctl.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2148
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im postgres.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3964
    • C:\Windows\SysWOW64\net.exe
      net stop MSSQLServerADHelper100
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4292
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        3⤵
          PID:4828
      • C:\Windows\SysWOW64\net.exe
        net stop MSSQL$ISARS
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3180
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop MSSQL$ISARS
          3⤵
            PID:4688
        • C:\Windows\SysWOW64\net.exe
          net stop MSSQL$MSFW
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4296
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop MSSQL$MSFW
            3⤵
              PID:3940
          • C:\Windows\SysWOW64\net.exe
            net stop SQLAgent$ISARS
            2⤵
              PID:4124
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop SQLAgent$ISARS
                3⤵
                  PID:4308
              • C:\Windows\SysWOW64\net.exe
                net stop SQLAgent$MSFW
                2⤵
                  PID:1680
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop SQLAgent$MSFW
                    3⤵
                      PID:3388
                  • C:\Windows\SysWOW64\net.exe
                    net stop SQLBrowser
                    2⤵
                      PID:4708
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 stop SQLBrowser
                        3⤵
                          PID:2352
                      • C:\Windows\SysWOW64\net.exe
                        net stop ReportServer$ISARS
                        2⤵
                          PID:1732
                          • C:\Windows\SysWOW64\net1.exe
                            C:\Windows\system32\net1 stop ReportServer$ISARS
                            3⤵
                              PID:776
                          • C:\Windows\SysWOW64\net.exe
                            net stop SQLWriter
                            2⤵
                              PID:4080
                              • C:\Windows\SysWOW64\net1.exe
                                C:\Windows\system32\net1 stop SQLWriter
                                3⤵
                                  PID:2960
                              • C:\Windows\SysWOW64\Wbem\wmic.exe
                                wmic.exe SHADOWCOPY /nointeractive
                                2⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4952
                              • C:\Windows\SysWOW64\cipher.exe
                                cipher /w:A:
                                2⤵
                                • Enumerates connected drives
                                PID:1956
                              • C:\Windows\SysWOW64\cipher.exe
                                cipher /w:B:
                                2⤵
                                • Enumerates connected drives
                                PID:2676
                              • C:\Windows\SysWOW64\cipher.exe
                                cipher /w:H:
                                2⤵
                                • Enumerates connected drives
                                PID:1464
                              • C:\Windows\SysWOW64\cipher.exe
                                cipher /w:G:
                                2⤵
                                • Enumerates connected drives
                                PID:4580
                              • C:\Windows\SysWOW64\cipher.exe
                                cipher /w:E:
                                2⤵
                                • Enumerates connected drives
                                PID:4864
                              • C:\Windows\SysWOW64\cipher.exe
                                cipher /w:F:
                                2⤵
                                • Enumerates connected drives
                                PID:1600
                              • C:\Windows\SysWOW64\cipher.exe
                                cipher /w:C:
                                2⤵
                                  PID:1132
                                • C:\Windows\SysWOW64\cipher.exe
                                  cipher /w:I:
                                  2⤵
                                  • Enumerates connected drives
                                  PID:3448
                                • C:\Windows\SysWOW64\cipher.exe
                                  cipher /w:J:
                                  2⤵
                                  • Enumerates connected drives
                                  PID:4936
                                • C:\Windows\SysWOW64\cipher.exe
                                  cipher /w:K:
                                  2⤵
                                  • Enumerates connected drives
                                  PID:2612
                                • C:\Windows\SysWOW64\cipher.exe
                                  cipher /w:L:
                                  2⤵
                                  • Enumerates connected drives
                                  PID:4948
                                • C:\Windows\SysWOW64\cipher.exe
                                  cipher /w:N:
                                  2⤵
                                  • Enumerates connected drives
                                  PID:4604
                                • C:\Windows\SysWOW64\cipher.exe
                                  cipher /w:O:
                                  2⤵
                                  • Enumerates connected drives
                                  PID:2148
                                • C:\Windows\SysWOW64\cipher.exe
                                  cipher /w:Q:
                                  2⤵
                                  • Enumerates connected drives
                                  PID:740
                                • C:\Windows\SysWOW64\cipher.exe
                                  cipher /w:P:
                                  2⤵
                                  • Enumerates connected drives
                                  PID:1284
                                • C:\Windows\SysWOW64\cipher.exe
                                  cipher /w:M:
                                  2⤵
                                  • Enumerates connected drives
                                  PID:480
                                • C:\Windows\SysWOW64\cipher.exe
                                  cipher /w:R:
                                  2⤵
                                  • Enumerates connected drives
                                  PID:2520
                                • C:\Windows\SysWOW64\cipher.exe
                                  cipher /w:S:
                                  2⤵
                                  • Enumerates connected drives
                                  PID:2336
                                • C:\Windows\SysWOW64\cipher.exe
                                  cipher /w:T:
                                  2⤵
                                  • Enumerates connected drives
                                  PID:1972
                                • C:\Windows\SysWOW64\cipher.exe
                                  cipher /w:U:
                                  2⤵
                                  • Enumerates connected drives
                                  PID:3536
                                • C:\Windows\SysWOW64\cipher.exe
                                  cipher /w:W:
                                  2⤵
                                  • Enumerates connected drives
                                  PID:552
                                • C:\Windows\SysWOW64\cipher.exe
                                  cipher /w:Z:
                                  2⤵
                                  • Enumerates connected drives
                                  PID:1420
                                • C:\Windows\SysWOW64\cipher.exe
                                  cipher /w:X:
                                  2⤵
                                  • Enumerates connected drives
                                  PID:4172
                                • C:\Windows\SysWOW64\cipher.exe
                                  cipher /w:Y:
                                  2⤵
                                  • Enumerates connected drives
                                  PID:3188
                                • C:\Windows\SysWOW64\cipher.exe
                                  cipher /w:V:
                                  2⤵
                                  • Enumerates connected drives
                                  PID:4124
                              • C:\Windows\system32\WerFault.exe
                                C:\Windows\system32\WerFault.exe -pss -s 408 -p 1272 -ip 1272
                                1⤵
                                  PID:3632
                                • C:\Windows\system32\WerFault.exe
                                  C:\Windows\system32\WerFault.exe -u -p 1272 -s 3044
                                  1⤵
                                  • Program crash
                                  PID:1100
                                • C:\Windows\explorer.exe
                                  explorer.exe
                                  1⤵
                                  • Modifies Installed Components in the registry
                                  • Modifies registry class
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of FindShellTrayWindow
                                  • Suspicious use of SendNotifyMessage
                                  PID:2184
                                  • C:\Windows\system32\WerFault.exe
                                    C:\Windows\system32\WerFault.exe -u -p 2184 -s 2272
                                    2⤵
                                    • Program crash
                                    PID:3572
                                • C:\Windows\system32\WerFault.exe
                                  C:\Windows\system32\WerFault.exe -pss -s 184 -p 2184 -ip 2184
                                  1⤵
                                    PID:312

                                  Network

                                  MITRE ATT&CK Enterprise v6

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.bulwark4

                                    Filesize

                                    624KB

                                    MD5

                                    adef2d9c21b8af0447288add8507f6fb

                                    SHA1

                                    fae3acdc4eafa17746a07f976dbee629008c7089

                                    SHA256

                                    dc4cca40cb6abb03ddbc802477fe894c6386024b6e60abff150759d8d8803f6b

                                    SHA512

                                    8286e27662ec32517eed741a95165a0a8f5b6dfca4216b1a88f647b9d3d93b0fb1169c69dc6cebebe1ed8117f5b45203ae9cbaf020abe9b3c8666f671e17591e