Analysis

  • max time kernel
    102s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-03-2023 12:29

General

  • Target

    134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe

  • Size

    12.0MB

  • MD5

    a067491773524cf499e7a0bc77ceec96

  • SHA1

    e8034dfd3468dcd3d5a6d09f3fde7f63dcc9ec13

  • SHA256

    134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457

  • SHA512

    c759d0ace38c842f98d4a9d4a8cc342c89d40ab4238ff52625db13a4e50714aedf701798f6ea22e755e3599c4e002b4ba49ed3f9b06c56e4d95ac7ce6800fa4c

  • SSDEEP

    98304:QnLu1TIRtUOV5ZQ+5jZArLu1OWWqXpy05QP:QnTRtBYk405QP

Malware Config

Extracted

Path

C:\ProgramData\Readme_Instructions.html

Ransom Note
<!DOCTYPE HTML> <html><head><title>infected with ransomware virus</title> <meta http-equiv="X-UA-Compatible" content="IE=edge"> </head> <body style="margin: 0.4em; font-size: 14pt;"><p>!!!&nbsp; &nbsp; Your files are encrypted&nbsp; !!!<br><br>*All your files are protected with encryption*<br>*There is no public decryption software.*<br>*All files/documents/software with ".CRYPT" extension is encrypted*<br><br><br>###### Program and private key, What is the price? The price depends on how fast you can pay us.!######<br>1 day : 50 Bitcoin<br>2 day : 60 Bitcoin<br>3 day : 90 Bitcoin<br>4 day : 130 Bitcoin<br> 5 day&nbsp; &nbsp; : permanent data loss !!!!<br><br> ***How to contact our team through tox chat***<br><br>*Download tox chat from<br>*<a href="https://tox.chat/download.html">https://tox.chat/download.html</a><br>*send us friend request to tox chat id <br><br>7D8796EB86CBF29F53F8A8447EABAF310ED898D9DEFF97AE09C1864C2A6B3B14ED8F82AE9B9D<br><br>*Our team is waiting*<br><br>!!!!For immediate decryption!!!<br><br>write to our email:<br><br><a href="mailto:[email protected]">[email protected]</a><br><br> *After payment received, we will send private key to your IT department.!!!*<br><br> *Free decryption As a guarantee, you can send us up to 3 free decrypted files before payment.*<br><br>!!! We have downloaded all your files to our servers and will release data if you do not comply.!!!<br>!!! Do not attempt to decrypt your data using third-party software, this will result in permanent data loss.!!!</p></body></html>
Emails

[email protected]

URLs

http-equiv="X-UA-Compatible"

Signatures

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
    "C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe"
    1⤵
    • Drops startup file
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4652
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A0B0B306-6CF5-4165-87A7-82F15E2F8736}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1412
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A0B0B306-6CF5-4165-87A7-82F15E2F8736}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3472
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4116

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\ProgramData\Readme_Instructions.html

    Filesize

    1KB

    MD5

    9ae54b4efc9f30245782c6001f69b120

    SHA1

    3de64c5e9732699b76510728e43f408c131a995e

    SHA256

    cef2395cc2ae718f07b84bdbae435752c0e7049aa6de8488ab045c07f5fd0b37

    SHA512

    fbbb0e2bf0d11756dba1d9bf0183a2f0ec94ee729d97740ed3ba47b3f99922188fc04fdbc255f51a3544fa3bfc7ed588d3aabb45de0ed59ed96ce6d15daeed75