Resubmissions

19-01-2023 10:17

230119-mbpsksff79 10

14-11-2022 04:26

221114-e2qhsseg47 10

20-01-2022 19:02

220120-xptc2abbh7 10

Analysis

  • max time kernel
    42s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2022 04:26

General

  • Target

    c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe

  • Size

    2.9MB

  • MD5

    ccde3fe374a219ed3a85a0bf548542c3

  • SHA1

    c1187fe0eaddee995773d6c66bcb558536e9b62c

  • SHA256

    c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40

  • SHA512

    94852c04d6f627b35a7486de166648eb43373850b862e1958e676c53fd5dc37103659fe28e2b51f2fffd815ded2745d8793d8158543ff14b1e1f0cafe2a3c63c

  • SSDEEP

    49152:4dwE1vCCeShiBHJFIPiEPE3bvk6Ca89388YhwjfJNt/RgaJ2wtb:WwE1253IPiYE3bnCa8Hzj5vwwtb

Score
10/10

Malware Config

Extracted

Path

C:\RECOVER-mfqssdj-FILES.txt

Ransom Note
>> What happened? Important files on your network was ENCRYPTED and now they have "mfqssdj" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Private financial information including: clients data, bills, budgets, annual reports, bank statements. - Manufacturing documents including: datagrams, schemas, drawings in solidworks format. - Source code. -And more... >> CAUTION DO NOT MODIFY ENCRYPTED FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >> What should I do next? Follow these simple steps to get everything back to normal: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://b4twqa2mvob3s6uvuyfra5xk3qgps2v5kkt7k2qnb7rpdu3j4fkntead.onion/?access-key=RrffeR4CVartLMYTErq9%2FPVD%2Fz4sez5toskePW0P8urvDeotAomkbpUCg6JYW4MMxbX73YDPXMk3wQW0oSYnXGy5aGuT9ZPXpJKPaE6kYN9nNcxMBi92FcIv80rEpVUY9S5ukN796JGSdG%2BeWBVgx6nvw2vlhogyu35Ht2Iz6r6Zcc4J4mdX6RuzKXu5eny7saSaH0LMN6GYnIUfTF5UMR%2BtUchaTLOHyU5i1FnYeueodio9ECm8BgQ5Hbb3%2BIWlgrlEf4htHAwvPwCn2ld8lheacG87vkFKekfFCGErE5lNgNr12JSohBq1tH%2B3O8gw%2FG86wBsC46qR82KshQKpzQ%3D%3D
URLs

http://b4twqa2mvob3s6uvuyfra5xk3qgps2v5kkt7k2qnb7rpdu3j4fkntead.onion/?access-key=RrffeR4CVartLMYTErq9%2FPVD%2Fz4sez5toskePW0P8urvDeotAomkbpUCg6JYW4MMxbX73YDPXMk3wQW0oSYnXGy5aGuT9ZPXpJKPaE6kYN9nNcxMBi92FcIv80rEpVUY9S5ukN796JGSdG%2BeWBVgx6nvw2vlhogyu35Ht2Iz6r6Zcc4J4mdX6RuzKXu5eny7saSaH0LMN6GYnIUfTF5UMR%2BtUchaTLOHyU5i1FnYeueodio9ECm8BgQ5Hbb3%2BIWlgrlEf4htHAwvPwCn2ld8lheacG87vkFKekfFCGErE5lNgNr12JSohBq1tH%2B3O8gw%2FG86wBsC46qR82KshQKpzQ%3D%3D

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
    C:\Users\Admin\AppData\Local\Temp\c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe --access-token 12345
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "wmic csproduct get UUID"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic csproduct get UUID
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:916
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "fsutil behavior set SymlinkEvaluation R2L:1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Windows\SysWOW64\fsutil.exe
        fsutil behavior set SymlinkEvaluation R2L:1
        3⤵
          PID:1412
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "fsutil behavior set SymlinkEvaluation R2R:1"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1416
        • C:\Windows\SysWOW64\fsutil.exe
          fsutil behavior set SymlinkEvaluation R2R:1
          3⤵
            PID:300
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "iisreset.exe /stop"
          2⤵
            PID:828
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1364
            • C:\Windows\SysWOW64\reg.exe
              reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
              3⤵
                PID:1372
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "vssadmin.exe Delete Shadows /all /quiet"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:864
              • C:\Windows\system32\vssadmin.exe
                vssadmin.exe Delete Shadows /all /quiet
                3⤵
                • Interacts with shadow copies
                PID:1908
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "arp -a"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1972
              • C:\Windows\SysWOW64\ARP.EXE
                arp -a
                3⤵
                  PID:1808
              • C:\Users\Admin\AppData\Local\Temp\c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
                "C:\Users\Admin\AppData\Local\Temp\c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe" --child --access-token 12345
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:396
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "wmic csproduct get UUID"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1932
                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                    wmic csproduct get UUID
                    4⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:764
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c "wmic.exe Shadowcopy Delete"
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:1736
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic.exe Shadowcopy Delete
                  3⤵
                    PID:1904
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "bcdedit /set {default}"
                  2⤵
                    PID:1100
                    • C:\Windows\system32\bcdedit.exe
                      bcdedit /set {default}
                      3⤵
                      • Modifies boot configuration data using bcdedit
                      PID:1760
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
                    2⤵
                      PID:696
                      • C:\Windows\system32\bcdedit.exe
                        bcdedit /set {default} recoveryenabled No
                        3⤵
                        • Modifies boot configuration data using bcdedit
                        PID:1692
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c "cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""
                      2⤵
                        PID:932
                        • C:\Windows\system32\cmd.exe
                          cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"
                          3⤵
                            PID:1016
                        • C:\Windows\system32\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c "vssadmin.exe Delete Shadows /all /quiet"
                          2⤵
                            PID:232
                            • C:\Windows\system32\vssadmin.exe
                              vssadmin.exe Delete Shadows /all /quiet
                              3⤵
                              • Interacts with shadow copies
                              PID:1216
                          • C:\Windows\system32\cmd.exe
                            "C:\Windows\system32\cmd.exe" /c "wmic.exe Shadowcopy Delete"
                            2⤵
                              PID:1904
                              • C:\Windows\System32\Wbem\WMIC.exe
                                wmic.exe Shadowcopy Delete
                                3⤵
                                  PID:1972
                              • C:\Windows\system32\cmd.exe
                                "C:\Windows\system32\cmd.exe" /c "cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""
                                2⤵
                                  PID:1692
                                  • C:\Windows\system32\cmd.exe
                                    cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"
                                    3⤵
                                      PID:472
                                • C:\Windows\system32\vssvc.exe
                                  C:\Windows\system32\vssvc.exe
                                  1⤵
                                    PID:576
                                  • C:\Windows\system32\vssvc.exe
                                    C:\Windows\system32\vssvc.exe
                                    1⤵
                                      PID:1508

                                    Network

                                    MITRE ATT&CK Enterprise v6

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • memory/1112-54-0x0000000074D61000-0x0000000074D63000-memory.dmp

                                      Filesize

                                      8KB