Resubmissions
19-01-2023 10:17
230119-mbpsksff79 1014-11-2022 04:26
221114-e2qhsseg47 1020-01-2022 19:02
220120-xptc2abbh7 10Analysis
-
max time kernel
42s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
14-11-2022 04:26
General
-
Target
c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
-
Size
2.9MB
-
MD5
ccde3fe374a219ed3a85a0bf548542c3
-
SHA1
c1187fe0eaddee995773d6c66bcb558536e9b62c
-
SHA256
c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40
-
SHA512
94852c04d6f627b35a7486de166648eb43373850b862e1958e676c53fd5dc37103659fe28e2b51f2fffd815ded2745d8793d8158543ff14b1e1f0cafe2a3c63c
-
SSDEEP
49152:4dwE1vCCeShiBHJFIPiEPE3bvk6Ca89388YhwjfJNt/RgaJ2wtb:WwE1253IPiYE3bnCa8Hzj5vwwtb
Score
10/10
Malware Config
Extracted
Path
C:\RECOVER-mfqssdj-FILES.txt
Ransom Note
>> What happened?
Important files on your network was ENCRYPTED and now they have "mfqssdj" extension.
In order to recover your files you need to follow instructions below.
>> Sensitive Data
Sensitive data on your system was DOWNLOADED.
If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly.
Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Private financial information including: clients data, bills, budgets, annual reports, bank statements.
- Manufacturing documents including: datagrams, schemas, drawings in solidworks format.
- Source code.
-And more...
>> CAUTION
DO NOT MODIFY ENCRYPTED FILES YOURSELF.
DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.
YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS.
>> What should I do next?
Follow these simple steps to get everything back to normal:
1) Download and install Tor Browser from: https://torproject.org/
2) Navigate to: http://b4twqa2mvob3s6uvuyfra5xk3qgps2v5kkt7k2qnb7rpdu3j4fkntead.onion/?access-key=RrffeR4CVartLMYTErq9%2FPVD%2Fz4sez5toskePW0P8urvDeotAomkbpUCg6JYW4MMxbX73YDPXMk3wQW0oSYnXGy5aGuT9ZPXpJKPaE6kYN9nNcxMBi92FcIv80rEpVUY9S5ukN796JGSdG%2BeWBVgx6nvw2vlhogyu35Ht2Iz6r6Zcc4J4mdX6RuzKXu5eny7saSaH0LMN6GYnIUfTF5UMR%2BtUchaTLOHyU5i1FnYeueodio9ECm8BgQ5Hbb3%2BIWlgrlEf4htHAwvPwCn2ld8lheacG87vkFKekfFCGErE5lNgNr12JSohBq1tH%2B3O8gw%2FG86wBsC46qR82KshQKpzQ%3D%3D
URLs
http://b4twqa2mvob3s6uvuyfra5xk3qgps2v5kkt7k2qnb7rpdu3j4fkntead.onion/?access-key=RrffeR4CVartLMYTErq9%2FPVD%2Fz4sez5toskePW0P8urvDeotAomkbpUCg6JYW4MMxbX73YDPXMk3wQW0oSYnXGy5aGuT9ZPXpJKPaE6kYN9nNcxMBi92FcIv80rEpVUY9S5ukN796JGSdG%2BeWBVgx6nvw2vlhogyu35Ht2Iz6r6Zcc4J4mdX6RuzKXu5eny7saSaH0LMN6GYnIUfTF5UMR%2BtUchaTLOHyU5i1FnYeueodio9ECm8BgQ5Hbb3%2BIWlgrlEf4htHAwvPwCn2ld8lheacG87vkFKekfFCGErE5lNgNr12JSohBq1tH%2B3O8gw%2FG86wBsC46qR82KshQKpzQ%3D%3D
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Control Panel 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exeC:\Users\Admin\AppData\Local\Temp\c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe --access-token 123451⤵
- Modifies extensions of user files
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "wmic csproduct get UUID"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get UUID3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "fsutil behavior set SymlinkEvaluation R2L:1"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\fsutil.exefsutil behavior set SymlinkEvaluation R2L:13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "fsutil behavior set SymlinkEvaluation R2R:1"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\fsutil.exefsutil behavior set SymlinkEvaluation R2R:13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "iisreset.exe /stop"2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f3⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "vssadmin.exe Delete Shadows /all /quiet"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "arp -a"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ARP.EXEarp -a3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe"C:\Users\Admin\AppData\Local\Temp\c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe" --child --access-token 123452⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "wmic csproduct get UUID"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get UUID4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "wmic.exe Shadowcopy Delete"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe Shadowcopy Delete3⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "bcdedit /set {default}"2⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default}3⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"2⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""2⤵
-
C:\Windows\system32\cmd.execmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"3⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "vssadmin.exe Delete Shadows /all /quiet"2⤵
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "wmic.exe Shadowcopy Delete"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe Shadowcopy Delete3⤵
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""2⤵
-
C:\Windows\system32\cmd.execmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"3⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
8KB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-