Analysis

  • max time kernel
    117s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-02-2023 14:10

General

  • Target

    0595876dcfb02cbe4d85d3f9cb374b24473e5b338df781e18bd059ea48d60119.dll

  • Size

    827KB

  • MD5

    9af1db273268198c2c9e2eac3dbe9ae3

  • SHA1

    a0fcf49afe94e173f8b341811800c317a487f489

  • SHA256

    0595876dcfb02cbe4d85d3f9cb374b24473e5b338df781e18bd059ea48d60119

  • SHA512

    658eb72ed8d27376cd9d323e551bf69d9b1186b23312d269a2627844deb61313aac3acc36a94e7d3da2e71c787f884aba04752adfe833cc38d6e6647ed791a25

  • SSDEEP

    24576:8Udit0a6YWgnd8p0GGSyhFdAjb8oeXrLs:jfYWgnd/SyhFdggokrLs

Score
10/10

Malware Config

Extracted

Path

C:\instructions_read_me.txt

Ransom Note
ATTENTION! Your network has been breached and all data was encrypted. Please contact us at: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: 4926700e-a70a-40e7-a4b4-5c20c8ecbd7a *!* To access .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) *!* To restore all your PCs and get your network working again, follow these instructions: - Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency. Please follow these simple rules to avoid data corruption: - Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. Waiting you in a chat.
URLs

https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/

Signatures

  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops file in Program Files directory 64 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0595876dcfb02cbe4d85d3f9cb374b24473e5b338df781e18bd059ea48d60119.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4404
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0595876dcfb02cbe4d85d3f9cb374b24473e5b338df781e18bd059ea48d60119.dll,#1
      2⤵
      • Modifies extensions of user files
      • Drops file in Program Files directory
      • Modifies registry class
      PID:1564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1564-132-0x0000000000000000-mapping.dmp