Analysis

  • max time kernel
    151s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-11-2022 11:54

General

  • Target
    1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe
  • Size
    770KB
  • MD5
    5fb5607b0f61bb044ff17e28388df490
  • SHA1
    a5e0e097746b63d8ee36701dd040e16784df5da2
  • SHA256
    1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487
  • SHA512
    37fa97795ae202377263b62dce420acad9397c17aefe1ac8ea35be43bd386bdb1aa0a0ef4a0ad659359269a29180bb0036d2c7310e8b511a1136df4ac4afa25d
  • SSDEEP
    12288:+MzEoDzA1NLzZJncwAVDZI2r1xZyLA6y3TlWW+X+a3qml9nkDRTXj69mfx:t7wnLzZ0Dr1xP6y3t+Z3Vl9nATzGGx

Score
10/10

Malware Config

Extracted

Path
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt All Files nrlhicl.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files.
1. Type the address http://torproject.org in your Internet browser. It opens the Tor site.
2. Press 'Download Tor', then press 'DOWNLOAD Tor Browser Bundle', install and run it.
3. Now you have Tor Browser. In the Tor Browser open the http://q4vyrzddq25a4jhf.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable.
4. Copy and paste the following public key in the input form on server. Avoid missprints.
J3XCDB-Z74J3X-FKXMEZ-BNFYMX-OG7O4B-BD4EM2-QHDZXS-3QVGBA
SHRICA-GFNLE4-ZQ26OO-YYYXOE-XVZHN4-FLB55A-MEX6K7-WKPXOV
LCTTNP-F5SXCH-M4MTU2-RUFB73-F6LRUS-A72FQ6-QGAT4C-ABZU6F
5. Follow the instructions on the server.

URLs
http://q4vyrzddq25a4jhf.onion

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • NSIS installer 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe
    "C:\Users\Admin\AppData\Local\Temp\1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Users\Admin\AppData\Local\Temp\1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe
      "C:\Users\Admin\AppData\Local\Temp\1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:336
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1260 -s 3240
      2⤵
      • Program crash
      PID:1716
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {89A8B3CA-60D1-4748-955C-847DE425F4CC} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
      C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
        "C:\Users\Admin\AppData\Local\Temp\gejzibk.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:560

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 2

Downloads

  • C:\ProgramData\Mozilla\qrsyusl
    Filesize: 654B
    MD5: 6d4191b3e0121e9817efe5f8b5b9640e
    SHA1: e35d64d8d92c56fbe5d3de610e22d178cf8d2745
    SHA256: d809227388a8e1c4177eb72ab091c6b2364a2a763ee52bea6229fc305c52ebe3
    SHA512: 2c0b6fe9da1381483791c6ed64f59c25fd546602bdd9ae8e843798fd5eb727805e4e94ff8d792e3f2be37860c740b5a44774ef8e5be23d2968d1aa92f98bcba7

  • C:\Users\Admin\AppData\Local\Temp\bar\lesions.wc
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Local\Temp\gejzibk.exe
    Filesize: 770KB
    MD5: 5fb5607b0f61bb044ff17e28388df490
    SHA1: a5e0e097746b63d8ee36701dd040e16784df5da2
    SHA256: 1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487
    SHA512: 37fa97795ae202377263b62dce420acad9397c17aefe1ac8ea35be43bd386bdb1aa0a0ef4a0ad659359269a29180bb0036d2c7310e8b511a1136df4ac4afa25d

  • \Users\Admin\AppData\Local\Temp\gejzibk.exe
    Filesize: 770KB
    MD5: 5fb5607b0f61bb044ff17e28388df490
    SHA1: a5e0e097746b63d8ee36701dd040e16784df5da2
    SHA256: 1711ea526738aaf92b92ed158b96d8d4c626adc6e98b70da6308903e1efc7487
    SHA512: 37fa97795ae202377263b62dce420acad9397c17aefe1ac8ea35be43bd386bdb1aa0a0ef4a0ad659359269a29180bb0036d2c7310e8b511a1136df4ac4afa25d

  • \Users\Admin\AppData\Local\Temp\nseCFDF.tmp\lesions.dll
    Filesize: 58KB
    MD5: 7f932b6120900b3173396748c5c6eb56
    SHA1: 05ebef281fb7848636c06a18b29626baaf993214
    SHA256: efce73f68630ceab971c912c0a5887eb2b4c7b48f1e7faeb8cf52e03281a7055
    SHA512: b5b59e25a5bae9fdae64309d10a0604cb7fe93f97f30b63cd0778aa7db7aa8b5c6a969c8539bdf63fb212c7f4efb4ea76a80076c84c237450897a248f15704f1

  • \Users\Admin\AppData\Local\Temp\nso67E9.tmp\lesions.dll
    Filesize: 58KB
    MD5: 7f932b6120900b3173396748c5c6eb56
    SHA1: 05ebef281fb7848636c06a18b29626baaf993214
    SHA256: efce73f68630ceab971c912c0a5887eb2b4c7b48f1e7faeb8cf52e03281a7055
    SHA512: b5b59e25a5bae9fdae64309d10a0604cb7fe93f97f30b63cd0778aa7db7aa8b5c6a969c8539bdf63fb212c7f4efb4ea76a80076c84c237450897a248f15704f1

  • memory/336-61-0x00000000004A760F-mapping.dmp
  • memory/336-63-0x00000000006B0000-0x00000000008DE000-memory.dmp
    Filesize: 2.2MB
  • memory/336-65-0x00000000008E0000-0x0000000000B3F000-memory.dmp
    Filesize: 2.4MB
  • memory/336-66-0x0000000000400000-0x00000000004B0A00-memory.dmp
    Filesize: 706KB
  • memory/336-58-0x0000000000400000-0x00000000004B1000-memory.dmp
    Filesize: 708KB
  • memory/336-57-0x0000000000400000-0x00000000004B1000-memory.dmp
    Filesize: 708KB
  • memory/336-60-0x0000000000400000-0x00000000004B1000-memory.dmp
    Filesize: 708KB
  • memory/560-79-0x00000000004A760F-mapping.dmp
  • memory/560-84-0x0000000000860000-0x0000000000ABF000-memory.dmp
    Filesize: 2.4MB
  • memory/912-73-0x00000000004D0000-0x00000000004E8000-memory.dmp
    Filesize: 96KB
  • memory/912-68-0x0000000000000000-mapping.dmp
  • memory/1008-56-0x0000000001C50000-0x0000000001C68000-memory.dmp
    Filesize: 96KB
  • memory/1008-54-0x0000000075C51000-0x0000000075C53000-memory.dmp
    Filesize: 8KB
  • memory/1260-85-0x0000000002A50000-0x0000000002AB5000-memory.dmp
    Filesize: 404KB
  • memory/1260-87-0x0000000002A50000-0x0000000002AB5000-memory.dmp
    Filesize: 404KB
  • memory/1716-89-0x0000000000000000-mapping.dmp