Overview

overview

10

Static

static

10aab818e3...80.exe

windows7-x64

10

10aab818e3...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 12:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe

  • Size

    1.0MB

  • MD5

    5b65b00894b6bdf79de272360d268604

  • SHA1

    ba437d3e5f376f1d655632a52bf1e05af8a7e7a9

  • SHA256

    10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80

  • SHA512

    4ff69fd3473ffc39e938009e1983de50c90a55996a51fc4d3dae09767dd0fd3bec87aced33dd71b7b0d32314161ceb15899e4fb68264928a0d9a717b6a330d12

  • SSDEEP

    24576:xVm0yFkkRztCxlvTJe9XJaCubcnoxtjZZHh65:rmvFvRav1eVdeQ8FZN6

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Documents\Decrypt-All-Files-ntjtjrd.txt

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://onja764ig6vah2jo.onion.cab or http://onja764ig6vah2jo.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://onja764ig6vah2jo.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. PUMCNX2-FHLQHOB-5IGZTMB-IIJZHUY-3NXLYNJ-GKV3O3D-5SBCBA5-BMARJYG FR76ST7-PK7DYOG-SYKP62H-FZQMAWA-4LR2EZN-DXI4ZBE-3XKV4EN-HEBP2LJ YSNZ77P-7NW2PDO-TXNJIYK-QBEXQJI-SB4EBO3-EJDSFIJ-6GSESX7-BV2MK6O Follow the instructions on the server.
URLs

http://onja764ig6vah2jo.onion.cab

http://onja764ig6vah2jo.tor2web.org

http://onja764ig6vah2jo.onion/

Extracted

Path

C:\ProgramData\ggrrhsj.html

Ransom Note
Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://onja764ig6vah2jo.onion.cab or http://onja764ig6vah2jo.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://onja764ig6vah2jo.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File
URLs

http://onja764ig6vah2jo.onion.cab

http://onja764ig6vah2jo.tor2web.org

http://onja764ig6vah2jo.onion

Signatures

  • Executes dropped EXE 5 IoCs
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 6 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 20 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
      2⤵
        PID:2352
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
        2⤵
          PID:4500
        • C:\Windows\System32\mousocoreworker.exe
          C:\Windows\System32\mousocoreworker.exe -Embedding
          2⤵
            PID:2208
        • C:\Windows\Explorer.EXE
          C:\Windows\Explorer.EXE
          1⤵
          • Sets desktop wallpaper using registry
          • Suspicious use of AdjustPrivilegeToken
          PID:760
          • C:\Users\Admin\AppData\Local\Temp\10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe
            "C:\Users\Admin\AppData\Local\Temp\10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:5072
            • C:\Users\Admin\AppData\Local\Temp\10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe
              "C:\Users\Admin\AppData\Local\Temp\10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe"
              3⤵
                PID:3132
              • C:\Users\Admin\AppData\Local\Temp\10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe
                "C:\Users\Admin\AppData\Local\Temp\10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80.exe"
                3⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:4976
          • C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe
            C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe
            1⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:380
            • C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe
              C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe
              2⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1520
              • C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe
                "C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe" -u
                3⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:3620
                • C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe
                  "C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe" -u
                  4⤵
                  • Executes dropped EXE
                  PID:4868
                • C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe
                  "C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe" -u
                  4⤵
                  • Executes dropped EXE
                  • Checks computer location settings
                  • Drops file in System32 directory
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of SetWindowsHookEx
                  PID:3228

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Modify Registry

          2
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Defacement

          1
          T1491

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Microsoft OneDrive\xkefqne
            Filesize

            654B

            MD5

            9c740ebfc2c006410bd8169141d467a7

            SHA1

            f08cf9c2d7d1fabd95dc27891a4105941c362614

            SHA256

            08608980e0d5465fa7763d6e283dcebef59573657a04572ac5609a6d5c27db11

            SHA512

            8e3927ca89f77f9f061e33be75bed3f87540186889ed2f49e6362f99acd5882e231b85e71ea3a90c888e10b6ab5a4219bb07a95b5fb81b523f2f4c5057404c21

            Download Submit
          • C:\ProgramData\Microsoft OneDrive\xkefqne
            Filesize

            654B

            MD5

            9c740ebfc2c006410bd8169141d467a7

            SHA1

            f08cf9c2d7d1fabd95dc27891a4105941c362614

            SHA256

            08608980e0d5465fa7763d6e283dcebef59573657a04572ac5609a6d5c27db11

            SHA512

            8e3927ca89f77f9f061e33be75bed3f87540186889ed2f49e6362f99acd5882e231b85e71ea3a90c888e10b6ab5a4219bb07a95b5fb81b523f2f4c5057404c21

            Download Submit
          • C:\ProgramData\Microsoft OneDrive\xkefqne
            Filesize

            654B

            MD5

            5b520ec3ace2eccc71bcdf8d52fbcc50

            SHA1

            6cc1e712c64c07140d94f8bce226160554a86506

            SHA256

            6af56ccbed4aa253d3db8b40dacec9a9da88f9cdd09f74845a82d3a103c24da2

            SHA512

            dd40d6c87f87f00488a06411489f9307d554fa4a0b9029090b0654caa98b78566f5943874be9f9cfd160893a04ddf1b31554a86e7412bfab3781f9b5dd636546

            Download Submit
          • C:\ProgramData\Microsoft OneDrive\xkefqne
            Filesize

            654B

            MD5

            b8fb50c8a43d86013133da4864e45362

            SHA1

            a8a81d17073c6ed3f3f1fcc40d910c383b802446

            SHA256

            2764f27ae71027de973fe976709419279e60729b1d97bbba23a9a0a021b54ac4

            SHA512

            445b2fc440b267300eb9dc268fca010b4f55a65f06d9c9dd75f181095fdd5d44cbbe9c141029f24aa2f0f9793af8c06bb63a33762ab7e56f1e595e7b721a6b78

            Download Submit
          • C:\ProgramData\Microsoft OneDrive\xkefqne
            Filesize

            654B

            MD5

            d5a42877f8416071453f026752b57184

            SHA1

            c2b90d75f9859ac5911b906e2664c1f9e7875424

            SHA256

            ff22e70b75fe42bf3e43bdc95a5c5b45d3bb40b80e2101c547643a336a5e2309

            SHA512

            76e25450ebe0a323145f14d2631e16b0e1bd591a3c4785eb8d683c7c5fd9144904beddb73f36e6c8d58fe53c03db4cbcd7d6737ddaae483a0fee2775525ecd23

            Download Submit
          • C:\ProgramData\ggrrhsj.html
            Filesize

            226KB

            MD5

            4ec5647cbe788ec60c8dfbc57e8f6d28

            SHA1

            327b1dd812b69630836383d60708a4848b8ec70f

            SHA256

            8a4b127ad7e0adf36157e904a75cd28afcce07a91421034eb30fbfa9147ab9be

            SHA512

            f8ea125a06381e767e75b1a8e4c6e642daea790b2ff6d471abd0a86bf4ee827d6f64c81dfc9feeca027bd46ebd2b7c99ecd4cf27ac027e4cbab72de26c174bf9

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe
            Filesize

            1.0MB

            MD5

            5b65b00894b6bdf79de272360d268604

            SHA1

            ba437d3e5f376f1d655632a52bf1e05af8a7e7a9

            SHA256

            10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80

            SHA512

            4ff69fd3473ffc39e938009e1983de50c90a55996a51fc4d3dae09767dd0fd3bec87aced33dd71b7b0d32314161ceb15899e4fb68264928a0d9a717b6a330d12

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe
            Filesize

            1.0MB

            MD5

            5b65b00894b6bdf79de272360d268604

            SHA1

            ba437d3e5f376f1d655632a52bf1e05af8a7e7a9

            SHA256

            10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80

            SHA512

            4ff69fd3473ffc39e938009e1983de50c90a55996a51fc4d3dae09767dd0fd3bec87aced33dd71b7b0d32314161ceb15899e4fb68264928a0d9a717b6a330d12

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe
            Filesize

            1.0MB

            MD5

            5b65b00894b6bdf79de272360d268604

            SHA1

            ba437d3e5f376f1d655632a52bf1e05af8a7e7a9

            SHA256

            10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80

            SHA512

            4ff69fd3473ffc39e938009e1983de50c90a55996a51fc4d3dae09767dd0fd3bec87aced33dd71b7b0d32314161ceb15899e4fb68264928a0d9a717b6a330d12

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe
            Filesize

            1.0MB

            MD5

            5b65b00894b6bdf79de272360d268604

            SHA1

            ba437d3e5f376f1d655632a52bf1e05af8a7e7a9

            SHA256

            10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80

            SHA512

            4ff69fd3473ffc39e938009e1983de50c90a55996a51fc4d3dae09767dd0fd3bec87aced33dd71b7b0d32314161ceb15899e4fb68264928a0d9a717b6a330d12

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe
            Filesize

            1.0MB

            MD5

            5b65b00894b6bdf79de272360d268604

            SHA1

            ba437d3e5f376f1d655632a52bf1e05af8a7e7a9

            SHA256

            10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80

            SHA512

            4ff69fd3473ffc39e938009e1983de50c90a55996a51fc4d3dae09767dd0fd3bec87aced33dd71b7b0d32314161ceb15899e4fb68264928a0d9a717b6a330d12

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\xlobkpb.exe
            Filesize

            1.0MB

            MD5

            5b65b00894b6bdf79de272360d268604

            SHA1

            ba437d3e5f376f1d655632a52bf1e05af8a7e7a9

            SHA256

            10aab818e3c30218d462f1782678581633823325dbdfb9ff41c054af351a1f80

            SHA512

            4ff69fd3473ffc39e938009e1983de50c90a55996a51fc4d3dae09767dd0fd3bec87aced33dd71b7b0d32314161ceb15899e4fb68264928a0d9a717b6a330d12

            Download Submit
          • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\xlobkpb.exe.log
            Filesize

            497B

            MD5

            2719e834ff73fd4cbb1aacc4af15bc19

            SHA1

            c845f2eaa7416e6701c3539473581519005e550c

            SHA256

            b34025593554f8ef43b2a9467bab0af928606e6335e7ce0c3090d3952fbba119

            SHA512

            8eb1fb59ee040f3381cb0ffd50c8bdc3b6f4c25ebae91bd7ee71f853f15269338db1551a7f2c28bf80a068c9aee3402d11b041728a9b264cc160c67377f1abcb

            Download Submit
          • memory/380-146-0x0000000074290000-0x0000000074841000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/780-148-0x0000000026CC0000-0x0000000026D34000-memory.dmp
            Filesize

            464KB

            Download
          • memory/1520-141-0x0000000000000000-mapping.dmp
            Download
          • memory/1520-147-0x0000000000EB0000-0x00000000010F0000-memory.dmp
            Filesize

            2.2MB

            Download
          • memory/2208-169-0x0000000000000000-mapping.dmp
            Download
          • memory/2352-151-0x0000000000000000-mapping.dmp
            Download
          • memory/3228-167-0x00000000012F0000-0x0000000001530000-memory.dmp
            Filesize

            2.2MB

            Download
          • memory/3228-161-0x0000000000000000-mapping.dmp
            Download
          • memory/3620-157-0x0000000000000000-mapping.dmp
            Download
          • memory/3620-166-0x0000000074320000-0x00000000748D1000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/4500-153-0x0000000000000000-mapping.dmp
            Download
          • memory/4976-138-0x0000000000F80000-0x00000000011C0000-memory.dmp
            Filesize

            2.2MB

            Download
          • memory/4976-133-0x0000000000000000-mapping.dmp
            Download
          • memory/4976-134-0x0000000000400000-0x00000000004A4000-memory.dmp
            Filesize

            656KB

            Download
          • memory/4976-135-0x0000000000400000-0x00000000004A4000-memory.dmp
            Filesize

            656KB

            Download
          • memory/4976-137-0x0000000000D70000-0x0000000000F7F000-memory.dmp
            Filesize

            2.1MB

            Download
          • memory/5072-136-0x0000000074EC0000-0x0000000075471000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/5072-132-0x0000000074EC0000-0x0000000075471000-memory.dmp
            Filesize

            5.7MB

            Download