Analysis
-
max time kernel
90s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
05-02-2023 23:00
Static task
static1
Behavioral task
behavioral1
Sample
svcshost.exe
Resource
win7-20220812-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
svcshost.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
1 signatures
150 seconds
General
-
Target
svcshost.exe
-
Size
493KB
-
MD5
c15bd704405c47f1cf081cba3ec67d17
-
SHA1
5c74894ad0228821cef1794cfeb6a989e7ec551a
-
SHA256
0e1afd3c9ee17408c055e272c2087fdb1e759c8a4b9373fcf2a4bf81d041b58e
-
SHA512
aa00445344d0c8b81ef983f931063ca20cd3510e588e26fcab342b6cb2af894a119c8ba10f9b103bbc16c9d04089b6817a0545ebe6975ce51a5eb03479c3cb7a
-
SSDEEP
12288:vNoGU5LsJBWYgeWYg955/155/kjDP9XBDZQN/WioxCcjyoUoecWR:lstsJFjDFXFZQNWioxlyoUr3
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Documents\__READ_ME_TO_RECOVER_YOUR_FILES.txt
Ransom Note
Hello, your files were encrypted and are currently unusable.
The only way to recover your files is decrypting them with a key that only we have.
In order for us to send you the key and the application to decrypt your files, you will have to make a transfer of Bitcoins
to an electronic wallet. We leave you here the data to make the bitcoins transfer.
Bitcoin wallet: 398sW5eMDvyr93CJHKRD3eYE9vK5ELVrHP
Transfer the amount of bitcoins equivalent to 200 USD.
Your computer ID is: 957af1f1-6875-4c40-9804-a0dcc430f453
Once you make the transfer of bitcoins, send us the transfer ID and your computer ID to our email: nhands_q647t@pudxe.com
When we verify the transfer we will send you your key and the decryption application.
Emails
nhands_q647t@pudxe.com
Wallets
398sW5eMDvyr93CJHKRD3eYE9vK5ELVrHP
Signatures
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
svcshost.exedescription pid process target process PID 3796 wrote to memory of 2528 3796 svcshost.exe cmd.exe PID 3796 wrote to memory of 2528 3796 svcshost.exe cmd.exe
Processes
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2528-132-0x0000000000000000-mapping.dmp