b9d85a794dc76d2067d0167e3b86dbe16f65d87f73ad3d616102edd4f7feeccc

Analysis

max time kernel
171s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
Size

476KB
MD5

3e96efd37777cc01cabb3401485297aa
SHA1

f008e568c313b6f41406658a77313f89df07017e
SHA256

bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4
SHA512

6d864561c6b1e33229da4181ecb14c8358ef3fbcdb996131d87a0b98fb3c4d8453fed4331c8b1d939546b6a7cb246f294bf82ca21799728f114b95d176ace691
SSDEEP

6144:0qejsgRNGKhy9zzMOss2XWrccaaXCunmifiTbRF7WKHBQAk6Fjt0laAOzrJroCFQ:0m0ymOjZRaMhuF7LhQF6Mla7bu

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\odt\!!FAQ for Decryption!!.txt

Ransom Note

Good day. All your files are encrypted. For decryption contact us. Write here [email protected] We also inform that your databases, ftp server and file server were downloaded by us to our servers. * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss.

Emails

[email protected]

Signatures

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\AddConvert.tif => C:\users\admin\pictures\addconvert.tif.cuba	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
File renamed	C:\Users\Admin\Pictures\DisconnectConfirm.tif => C:\users\admin\pictures\disconnectconfirm.tif.cuba	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
File renamed	C:\Users\Admin\Pictures\EnterStart.tif => C:\users\admin\pictures\enterstart.tif.cuba	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
File opened for modification	C:\users\admin\pictures\newdebug.tiff	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
File renamed	C:\Users\Admin\Pictures\NewDebug.tiff => C:\users\admin\pictures\newdebug.tiff.cuba	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
File renamed	C:\Users\Admin\Pictures\PushRename.png => C:\users\admin\pictures\pushrename.png.cuba	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4356	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
4356	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
4356	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
4356	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
4356	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
4356	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
4356	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
4356	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
4356	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
4356	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
4356	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
4356	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
4356	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
4356	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 3412	4356	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe	84
PID 4356 wrote to memory of 3412	4356	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe	84
PID 4356 wrote to memory of 3412	4356	bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe	84

C:\Users\Admin\AppData\Local\Temp\bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe
"C:\Users\Admin\AppData\Local\Temp\bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\SysWOW64\cmd.exe
  /c del C:\Users\Admin\AppData\Local\Temp\bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4.exe >> NUL
  2⤵
  PID:3412

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads