b9d85a794dc76d2067d0167e3b86dbe16f65d87f73ad3d616102edd4f7feeccc

Analysis

max time kernel
38s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
Size

476KB
MD5

3e96efd37777cc01cabb3401485297aa
SHA1

f008e568c313b6f41406658a77313f89df07017e
SHA256

bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4
SHA512

6d864561c6b1e33229da4181ecb14c8358ef3fbcdb996131d87a0b98fb3c4d8453fed4331c8b1d939546b6a7cb246f294bf82ca21799728f114b95d176ace691
SSDEEP

6144:0qejsgRNGKhy9zzMOss2XWrccaaXCunmifiTbRF7WKHBQAk6Fjt0laAOzrJroCFQ:0m0ymOjZRaMhuF7LhQF6Mla7bu

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\users\admin\contacts\!!FAQ for Decryption!!.txt

Ransom Note

Good day. All your files are encrypted. For decryption contact us. Write here [email protected] We also inform that your databases, ftp server and file server were downloaded by us to our servers. * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss.

Emails

[email protected]

Signatures

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\DenyAssert.crw => C:\users\admin\pictures\denyassert.crw.cuba	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
File renamed	C:\Users\Admin\Pictures\ExpandImport.crw => C:\users\admin\pictures\expandimport.crw.cuba	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
File renamed	C:\Users\Admin\Pictures\ExportUnblock.png => C:\users\admin\pictures\exportunblock.png.cuba	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
File renamed	C:\Users\Admin\Pictures\MergeReset.crw => C:\users\admin\pictures\mergereset.crw.cuba	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
File renamed	C:\Users\Admin\Pictures\ProtectEnable.png => C:\users\admin\pictures\protectenable.png.cuba	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
File renamed	C:\Users\Admin\Pictures\SetMove.png => C:\users\admin\pictures\setmove.png.cuba	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
File renamed	C:\Users\Admin\Pictures\SkipBackup.tif => C:\users\admin\pictures\skipbackup.tif.cuba	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
File renamed	C:\Users\Admin\Pictures\CopyCheckpoint.raw => C:\users\admin\pictures\copycheckpoint.raw.cuba	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe

Deletes itself 1 IoCs

pid	Process
956	cmd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1504	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
1504	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
1504	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
1504	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
1504	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
1504	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
1504	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 956	1504	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe	27
PID 1504 wrote to memory of 956	1504	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe	27
PID 1504 wrote to memory of 956	1504	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe	27
PID 1504 wrote to memory of 956	1504	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe	27

C:\Users\Admin\AppData\Local\Temp\bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
"C:\Users\Admin\AppData\Local\Temp\bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\SysWOW64\cmd.exe
  /c del C:\Users\Admin\AppData\Local\Temp\bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe >> NUL
  2⤵
  - Deletes itself
  PID:956

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads