0e1afd3c9ee17408c055e272c2087fdb1e759c8a4b9373fcf2a4bf81d041b58e

Resubmissions

12-04-2023 12:13

230412-pdq5jacb34 10

05-02-2023 23:00

230205-2zfl5sef2z 10

Analysis

max time kernel
95s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12-04-2023 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svcshost.exe
Size

493KB
MD5

c15bd704405c47f1cf081cba3ec67d17
SHA1

5c74894ad0228821cef1794cfeb6a989e7ec551a
SHA256

0e1afd3c9ee17408c055e272c2087fdb1e759c8a4b9373fcf2a4bf81d041b58e
SHA512

aa00445344d0c8b81ef983f931063ca20cd3510e588e26fcab342b6cb2af894a119c8ba10f9b103bbc16c9d04089b6817a0545ebe6975ce51a5eb03479c3cb7a
SSDEEP

12288:vNoGU5LsJBWYgeWYg955/155/kjDP9XBDZQN/WioxCcjyoUoecWR:lstsJFjDFXFZQNWioxlyoUr3

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Documents\__READ_ME_TO_RECOVER_YOUR_FILES.txt

Ransom Note

Hello, your files were encrypted and are currently unusable. The only way to recover your files is decrypting them with a key that only we have. In order for us to send you the key and the application to decrypt your files, you will have to make a transfer of Bitcoins to an electronic wallet. We leave you here the data to make the bitcoins transfer. Bitcoin wallet: 398sW5eMDvyr93CJHKRD3eYE9vK5ELVrHP Transfer the amount of bitcoins equivalent to 200 USD. Your computer ID is: 2007c659-eb65-4631-bf41-16f7650120a3 Once you make the transfer of bitcoins, send us the transfer ID and your computer ID to our email: nhands_q647t@pudxe.com When we verify the transfer we will send you your key and the decryption application.

Emails

nhands_q647t@pudxe.com

Wallets

398sW5eMDvyr93CJHKRD3eYE9vK5ELVrHP

Signatures

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svcshost.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\ApproveImport.png.encrp	svcshost.exe
File created	C:\Users\Admin\Pictures\RegisterMove.png.encrp	svcshost.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

4832 NOTEPAD.EXE
3712 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

2584 vlc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

2584 vlc.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

vlc.exeNOTEPAD.EXE

pid process

2584 vlc.exe
2584 vlc.exe
2584 vlc.exe
2584 vlc.exe
3712 NOTEPAD.EXE
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

vlc.exe

pid process

2584 vlc.exe
2584 vlc.exe
2584 vlc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

2584 vlc.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

svcshost.exe

description pid process target process

PID 1468 wrote to memory of 3224 1468 svcshost.exe cmd.exe
PID 1468 wrote to memory of 3224 1468 svcshost.exe cmd.exe

pid	process
4832	NOTEPAD.EXE
3712	NOTEPAD.EXE

pid	process
2584	vlc.exe

pid	process
2584	vlc.exe

pid	process
2584	vlc.exe
2584	vlc.exe
2584	vlc.exe
2584	vlc.exe
3712	NOTEPAD.EXE

pid	process
2584	vlc.exe
2584	vlc.exe
2584	vlc.exe

pid	process
2584	vlc.exe

description	pid	process	target process
PID 1468 wrote to memory of 3224	1468	svcshost.exe	cmd.exe
PID 1468 wrote to memory of 3224	1468	svcshost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\svcshost.exe
"C:\Users\Admin\AppData\Local\Temp\svcshost.exe"
1⤵
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C Del /f /q "C:\Users\Admin\AppData\Local\Temp\svcshost.exe"
2⤵
PID:3224

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WatchJoin.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4832

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\CompressApprove.AAC"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\EditUnpublish.cmd" "
1⤵
PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\EditUnpublish.cmd" "
1⤵
PID:3964

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\EditUnpublish.cmd
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:3712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\__READ_ME_TO_RECOVER_YOUR_FILES.txt
Filesize
739B

MD5
f1fbb5c5b6557a1a03d5c29bd15d018e

SHA1
27c4003c5b9f53c98ae0cd5f81283689543ee7d5

SHA256
7b9d26f4dc417eff37bd590c17b9a1c2baaa43b86ae24c0dea39c207cc0ca21d

SHA512
1c89d9bd26b6bb4780aeed3ecdfc6881c453d43daadfcaab8f2542888f44bd8675457a7cb790168e5fd6a0914ca382712f51c1492ac9a660a148b53c67aba3f9

Download Submit
memory/2584-207-0x00007FFE305C0000-0x00007FFE305F4000-memory.dmp

Filesize
208KB

Download
memory/2584-206-0x00007FF639D30000-0x00007FF639E28000-memory.dmp

Filesize
992KB

Download
memory/2584-208-0x00007FFE30300000-0x00007FFE305B4000-memory.dmp

Filesize
2.7MB

Download
memory/2584-209-0x00007FFE2EF40000-0x00007FFE2FFEB000-memory.dmp

Filesize
16.7MB

Download