Analysis

  • max time kernel
    136s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-03-2023 16:58

General

  • Target

    Q7B3RC.bin.exe

  • Size

    229KB

  • MD5

    2979ed84c4ca3deb2924bd1f26bf88bd

  • SHA1

    8f01f9112904389e0b53a25506ef69f99cc0fa1b

  • SHA256

    bcf49e8f493c9eff83d9bc891e91dc91777f02b4f176e44b20f9a2d651f20fc3

  • SHA512

    bd0088d587357851da5e4a7bd9cb1034c404cd5db9a12b9b27efa68a8a28b250d4a2c7346eff0cd14955713cbc13698a6c646d0d573602ccc0f7bda3d0c2d37f

  • SSDEEP

    6144:oNxyvPouZtK58suC/004GKXkq4RUs3fyW:oNxyXNtK58su3Z0RPj

Malware Config

Extracted

Path

C:\PerfLogs\!!!HOW_TO_DECRYPT!!!.txt

Ransom Note
Your network has been infected ! We have you corporate data. Thousands of all your client cases with all personal information, evidences, e-mails, addresses, SSNs, financial information, accounting, Outlook PST archives of your attorneys and staff. Really we have almost mirror of your servers in our network. ============================================================================================================================ The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files! We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. ============================================================================================================================= If no payment will be arranged or you will ignore negotiations: - we will start randomly notify some of you active 2021 clients about incident sending them link on their private data. - we well resell data on dark-web marketplaces, cause there is a thousands of personal confidential records - we will post data on few top data-leaks resources, well-known among journalists ============================================================================================================================== You can contact us by downloading and installing TOX chat (https://tox.chat/download.html) Support TOX ID: F0EC47657B9144F5161C7E343BA85401C43826CA0907309FF67513538B0ACD585A07D4A979DC
URLs

https://tox.chat/download.html

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 26 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Q7B3RC.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Q7B3RC.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2336
    • C:\Windows\SysWOW64\net.exe
      net stop VSS & sc config VSS start= disabled
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop VSS & sc config VSS start= disabled
        3⤵
          PID:2988
    • C:\Windows\SysWOW64\sc.exe
      sc config VSS start= Demand & net start VSS
      2⤵
      • Launches sc.exe
      PID:3392
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY delete /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3984
    • C:\Windows\SysWOW64\icacls.exe
      icacls.exe "{A-Z}:" /grant {Username}:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:3708
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4400
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\Q7B3RC.bin.exe" >> NUL
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:2988
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2828

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

      • Persistence
        • Registry Run Keys / Startup Folder (1 signature) T1060
      • Defense Evasion
        • File Deletion (1 signature) T1107
        • File Permissions Modification (1 signature) T1222
        • Modify Registry (2 signatures) T1112
      • Discovery
        • Query Registry (2 signatures) T1012
        • System Information Discovery (3 signatures) T1082
        • Peripheral Device Discovery (1 signature) T1120
      • Impact
        • Inhibit System Recovery (1 signature) T1490

    Downloads

    • C:\PerfLogs\!!!HOW_TO_DECRYPT!!!.txt
      Filesize

      3KB

      MD5

      5874a3ef6050bccbe1808ce15b7aff0a

      SHA1

      7ce0ada09d8dcf2b46ec004b2fe2a8523ec70468

      SHA256

      a838bc92d4d1ff8cc1f8aa1c2de2a6a15b43486292b248d7669459a97ab3e711

      SHA512

      b55305b95a9d5d1e76335a5db35a05710b1d54d24abb93edcdc768e6caad00a2b49c675d6e405bab42971944fa03b2015dbf5858416b2ce5547b1e302c2bde29

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eizp3npm.3ph.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/2336-135-0x00000000008D0000-0x000000000095F000-memory.dmp
      Filesize

      572KB

    • memory/2336-134-0x00000000008D0000-0x000000000095F000-memory.dmp
      Filesize

      572KB

    • memory/2336-133-0x00000000008D0000-0x000000000095F000-memory.dmp
      Filesize

      572KB

    • memory/2336-136-0x00000000008D0000-0x000000000095F000-memory.dmp
      Filesize

      572KB

    • memory/2336-137-0x00000000008D0000-0x000000000095F000-memory.dmp
      Filesize

      572KB

    • memory/2336-1062-0x00000000008D0000-0x000000000095F000-memory.dmp
      Filesize

      572KB

    • memory/2336-545-0x00000000008D0000-0x000000000095F000-memory.dmp
      Filesize

      572KB

    • memory/4400-143-0x0000000005950000-0x00000000059B6000-memory.dmp
      Filesize

      408KB

    • memory/4400-142-0x00000000058B0000-0x00000000058D2000-memory.dmp
      Filesize

      136KB

    • memory/4400-144-0x0000000006100000-0x0000000006166000-memory.dmp
      Filesize

      408KB

    • memory/4400-141-0x0000000005490000-0x00000000054A0000-memory.dmp
      Filesize

      64KB

    • memory/4400-154-0x0000000006860000-0x000000000687E000-memory.dmp
      Filesize

      120KB

    • memory/4400-155-0x0000000007820000-0x00000000078B6000-memory.dmp
      Filesize

      600KB

    • memory/4400-156-0x0000000006D60000-0x0000000006D7A000-memory.dmp
      Filesize

      104KB

    • memory/4400-157-0x0000000006DB0000-0x0000000006DD2000-memory.dmp
      Filesize

      136KB

    • memory/4400-158-0x0000000005490000-0x00000000054A0000-memory.dmp
      Filesize

      64KB

    • memory/4400-159-0x0000000007E70000-0x0000000008414000-memory.dmp
      Filesize

      5.6MB

    • memory/4400-140-0x0000000005490000-0x00000000054A0000-memory.dmp
      Filesize

      64KB

    • memory/4400-139-0x0000000005AD0000-0x00000000060F8000-memory.dmp
      Filesize

      6.2MB

    • memory/4400-138-0x00000000052B0000-0x00000000052E6000-memory.dmp
      Filesize

      216KB