Analysis
- max time kernel: 136s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-03-2023 16:58
Behavioral task: behavioral1
- Sample: Q7B3RC.bin.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: Q7B3RC.bin.exe
- Resource: win10v2004-20230221-en
General
- Target: Q7B3RC.bin.exe
- Size: 229KB
- MD5: 2979ed84c4ca3deb2924bd1f26bf88bd
- SHA1: 8f01f9112904389e0b53a25506ef69f99cc0fa1b
- SHA256: bcf49e8f493c9eff83d9bc891e91dc91777f02b4f176e44b20f9a2d651f20fc3
- SHA512: bd0088d587357851da5e4a7bd9cb1034c404cd5db9a12b9b27efa68a8a28b250d4a2c7346eff0cd14955713cbc13698a6c646d0d573602ccc0f7bda3d0c2d37f
- SSDEEP: 6144:oNxyvPouZtK58suC/004GKXkq4RUs3fyW:oNxyXNtK58su3Z0RPj
Malware Config
Extracted from: C:\PerfLogs\!!!HOW_TO_DECRYPT!!!.txt
- https://tox.chat/download.html
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: Q7B3RC.bin.exe (all entries below)
- File opened for modification: C:\Users\Admin\Pictures\ResetMerge.tiff
- File renamed: C:\Users\Admin\Pictures\ResetMerge.tiff => C:\Users\Admin\Pictures\ResetMerge.tiff.code
- File renamed: C:\Users\Admin\Pictures\ResolveMerge.tif => C:\Users\Admin\Pictures\ResolveMerge.tif.code
- File renamed: C:\Users\Admin\Pictures\TraceStop.tif => C:\Users\Admin\Pictures\TraceStop.tif.code
- File renamed: C:\Users\Admin\Pictures\UninstallWait.png => C:\Users\Admin\Pictures\UninstallWait.png.code
- File renamed: C:\Users\Admin\Pictures\SplitDismount.tif => C:\Users\Admin\Pictures\SplitDismount.tif.code
- File renamed: C:\Users\Admin\Pictures\CompressJoin.png => C:\Users\Admin\Pictures\CompressJoin.png.code
- File renamed: C:\Users\Admin\Pictures\ExitRevoke.tif => C:\Users\Admin\Pictures\ExitRevoke.tif.code
- File opened for modification: C:\Users\Admin\Pictures\MeasureJoin.tiff
- File renamed: C:\Users\Admin\Pictures\MeasureJoin.tiff => C:\Users\Admin\Pictures\MeasureJoin.tiff.code
- File renamed: C:\Users\Admin\Pictures\ResizePublish.crw => C:\Users\Admin\Pictures\ResizePublish.crw.code
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Q7B3RC.bin.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: Q7B3RC.bin.exe
- Key created: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Q7B3RC.bin.exe\" e"
Drops desktop.ini file(s) 26 IoCs
Processes: Q7B3RC.bin.exe (every entry below is "File opened for modification")
- C:\Users\Public\Downloads\desktop.ini
- C:\Users\Admin\3D Objects\desktop.ini
- C:\Users\Admin\Downloads\desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
- C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
- C:\Users\Admin\Saved Games\desktop.ini
- C:\Users\Public\desktop.ini
- C:\Users\Public\Pictures\desktop.ini
- C:\Users\Public\Videos\desktop.ini
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Users\Admin\Music\desktop.ini
- C:\Users\Admin\Pictures\desktop.ini
- C:\Users\Public\AccountPictures\desktop.ini
- C:\Users\Public\Libraries\desktop.ini
- C:\Users\Public\Desktop\desktop.ini
- \??\E:\$RECYCLE.BIN\S-1-5-21-2805025096-2326403612-4231045514-1000\desktop.ini
- C:\Users\Admin\Documents\desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\Users\Admin\Pictures\Camera Roll\desktop.ini
- C:\Users\Admin\Searches\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Users\Admin\OneDrive\desktop.ini
- C:\Users\Public\Documents\desktop.ini
- C:\Users\Public\Music\desktop.ini
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Q7B3RC.bin.exe
- File opened (read-only): \??\E:
- File opened (read-only): \??\D:
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
- sc.exe (pid 3392)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
Processes:
- timeout.exe (pid 2988)
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid / process; repeated rows collapsed with a count):
- 4400 powershell.exe (2 entries)
- 2336 Q7B3RC.bin.exe (62 entries)
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes (token / pid / process):
- wmic.exe (pid 3984), each of the following recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- vssvc.exe (pid 2828): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- powershell.exe (pid 4400): SeDebugPrivilege
Suspicious use of WriteProcessMemory 24 IoCs
Processes (source pid/process -> target pid/process; each relation is recorded three times in the report):
- 2336 Q7B3RC.bin.exe -> 2540 net.exe
- 2540 net.exe -> 2988 net1.exe
- 2336 Q7B3RC.bin.exe -> 3392 sc.exe
- 2336 Q7B3RC.bin.exe -> 3984 wmic.exe
- 2336 Q7B3RC.bin.exe -> 3708 icacls.exe
- 2336 Q7B3RC.bin.exe -> 4400 powershell.exe
- 2336 Q7B3RC.bin.exe -> 1056 cmd.exe
- 1056 cmd.exe -> 2988 timeout.exe
System policy modification 1 TTPs 1 IoCs
Processes: Q7B3RC.bin.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\Q7B3RC.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Q7B3RC.bin.exe"
  - Modifies extensions of user files
  - Checks computer location settings
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\SysWOW64\net.exe
    Command line: net stop VSS & sc config VSS start= disabled
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop VSS & sc config VSS start= disabled
  - C:\Windows\SysWOW64\sc.exe
    Command line: sc config VSS start= Demand & net start VSS
    - Launches sc.exe
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY delete /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\icacls.exe
    Command line: icacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q
    - Modifies file permissions
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\Q7B3RC.bin.exe" >> NUL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 1
      - Delays execution with timeout.exe
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\PerfLogs\!!!HOW_TO_DECRYPT!!!.txt
  Filesize: 3KB
  MD5: 5874a3ef6050bccbe1808ce15b7aff0a
  SHA1: 7ce0ada09d8dcf2b46ec004b2fe2a8523ec70468
  SHA256: a838bc92d4d1ff8cc1f8aa1c2de2a6a15b43486292b248d7669459a97ab3e711
  SHA512: b55305b95a9d5d1e76335a5db35a05710b1d54d24abb93edcdc768e6caad00a2b49c675d6e405bab42971944fa03b2015dbf5858416b2ce5547b1e302c2bde29
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eizp3npm.3ph.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
Memory dumps (file / filesize):
- memory/2336-135-0x00000000008D0000-0x000000000095F000-memory.dmp (572KB)
- memory/2336-134-0x00000000008D0000-0x000000000095F000-memory.dmp (572KB)
- memory/2336-133-0x00000000008D0000-0x000000000095F000-memory.dmp (572KB)
- memory/2336-136-0x00000000008D0000-0x000000000095F000-memory.dmp (572KB)
- memory/2336-137-0x00000000008D0000-0x000000000095F000-memory.dmp (572KB)
- memory/2336-1062-0x00000000008D0000-0x000000000095F000-memory.dmp (572KB)
- memory/2336-545-0x00000000008D0000-0x000000000095F000-memory.dmp (572KB)
- memory/4400-143-0x0000000005950000-0x00000000059B6000-memory.dmp (408KB)
- memory/4400-142-0x00000000058B0000-0x00000000058D2000-memory.dmp (136KB)
- memory/4400-144-0x0000000006100000-0x0000000006166000-memory.dmp (408KB)
- memory/4400-141-0x0000000005490000-0x00000000054A0000-memory.dmp (64KB)
- memory/4400-154-0x0000000006860000-0x000000000687E000-memory.dmp (120KB)
- memory/4400-155-0x0000000007820000-0x00000000078B6000-memory.dmp (600KB)
- memory/4400-156-0x0000000006D60000-0x0000000006D7A000-memory.dmp (104KB)
- memory/4400-157-0x0000000006DB0000-0x0000000006DD2000-memory.dmp (136KB)
- memory/4400-158-0x0000000005490000-0x00000000054A0000-memory.dmp (64KB)
- memory/4400-159-0x0000000007E70000-0x0000000008414000-memory.dmp (5.6MB)
- memory/4400-140-0x0000000005490000-0x00000000054A0000-memory.dmp (64KB)
- memory/4400-139-0x0000000005AD0000-0x00000000060F8000-memory.dmp (6.2MB)
- memory/4400-138-0x00000000052B0000-0x00000000052E6000-memory.dmp (216KB)