45fcdd90b1268f6d5dd2a99a78c3df1a95b7809cbe13b68d9f164edd2264005e

General

Target

Trojan-Ransom.Win32.Bart.exe
Size

121KB
MD5

6de7324c37519831cf586e3b2c786e53
SHA1

abb423454abd2caa431634667903640037b6ee9b
SHA256

45fcdd90b1268f6d5dd2a99a78c3df1a95b7809cbe13b68d9f164edd2264005e
SHA512

6172a9b52749e89017c4ad2f685a4399e5d092e0517ef98dff6d071b61e5db7343ca5298d00c57b1fed2d5a7afc9b63d2be8cd89b83af0c09b3e6c950c227227
SSDEEP

3072:3s+7qZCqeKW9cafSypBCaJDftXdCD66X:377qZCqeKW9cotpBfVVoDX

Score

10^/10

evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\User Account Pictures\recover.txt

Ransom Note

!!! IMPORTANT INFORMATION !!! All your files are encrypted. Decrypting of your files is only possible with the private key, which is on our secret server. To receive your private key follow one of the links: 1. http://s3clm4lufbmfhmeb.tor2web.org/?id=Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g%3d%3d 2. http://s3clm4lufbmfhmeb.onion.to/?id=Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g%3d%3d 3. http://s3clm4lufbmfhmeb.onion.cab/?id=Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g%3d%3d 4. http://s3clm4lufbmfhmeb.onion.link/?id=Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g%3d%3d If all addresses are not available, follow these steps: 1. Download and install Tor Browser: https://torproject.org/download/download-easy.html 2. After successfull installation, run the browser and wait for initialization. 3. Type in the address bar: s3clm4lufbmfhmeb.onion/?id=Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g%3d%3d 4. Follow the instructions on the site. !!! Your personal identification ID: Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g== !!!

URLs

http://s3clm4lufbmfhmeb.tor2web.org/?id=Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g%3d%3d

http://s3clm4lufbmfhmeb.onion.to/?id=Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g%3d%3d

http://s3clm4lufbmfhmeb.onion.cab/?id=Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g%3d%3d

http://s3clm4lufbmfhmeb.onion.link/?id=Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g%3d%3d

http://s3clm4lufbmfhmeb.onion/?id=Av4FlE4c0fbQZGneSyP4oT8G1PJiCB8SDgCfAvD5uZs81g%3d%3d

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	Trojan-Ransom.Win32.Bart.exe

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\GroupBlock.tif.bart	Trojan-Ransom.Win32.Bart.exe
File opened for modification	C:\Users\Admin\Pictures\ProtectPublish.tiff	Trojan-Ransom.Win32.Bart.exe
File opened for modification	C:\Users\Admin\Pictures\ProtectPublish.tiff.bart	Trojan-Ransom.Win32.Bart.exe
File opened for modification	C:\Users\Admin\Pictures\BackupRestore.tif.bart	Trojan-Ransom.Win32.Bart.exe
File opened for modification	C:\Users\Admin\Pictures\ConnectShow.tiff	Trojan-Ransom.Win32.Bart.exe
File opened for modification	C:\Users\Admin\Pictures\ConnectShow.tiff.bart	Trojan-Ransom.Win32.Bart.exe
File opened for modification	C:\Users\Admin\Pictures\FindMount.tiff	Trojan-Ransom.Win32.Bart.exe
File opened for modification	C:\Users\Admin\Pictures\FindMount.tiff.bart	Trojan-Ransom.Win32.Bart.exe
File opened for modification	C:\Users\Admin\Pictures\OutRegister.tif.bart	Trojan-Ransom.Win32.Bart.exe
File opened for modification	C:\Users\Admin\Pictures\PublishExit.png.bart	Trojan-Ransom.Win32.Bart.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Control Panel\International\Geo\Nation	Trojan-Ransom.Win32.Bart.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\recover.bmp"	Trojan-Ransom.Win32.Bart.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1988	notepad.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2044	Trojan-Ransom.Win32.Bart.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1988	2044	Trojan-Ransom.Win32.Bart.exe	34
PID 2044 wrote to memory of 1988	2044	Trojan-Ransom.Win32.Bart.exe	34
PID 2044 wrote to memory of 1988	2044	Trojan-Ransom.Win32.Bart.exe	34
PID 2044 wrote to memory of 1988	2044	Trojan-Ransom.Win32.Bart.exe	34

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Bart.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Bart.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies extensions of user files
- Checks computer location settings
- Sets desktop wallpaper using registry
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe "C:\Users\Admin\Desktop\recover.txt"o
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\recover.txt

Filesize
2KB

MD5
7753c51c4bddef0507774acb1fbde693

SHA1
8735a767b5b252ca3a4a25b9eb25a5e45079dcc3

SHA256
49f6a4ea6fae5cad1360a5a6c8d28cf6839ed1b8f21ae576861cdbe2932ee39e

SHA512
5b59f80011399e2a0ccbe63f7068a213b4e166f4b5e7cdcd6db25f36f1ca1398bb42a00a79fb9a01fb217fa2158d966ae74fd4d6bed84ac37004ed429f3da8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfq343.log

Filesize
4KB

MD5
c128d18f7a75132b6d8b704333d1a6c3

SHA1
7f14d32bbcf4ba73bb5ee75ec7088f090b4abb24

SHA256
4f5ac63698a42be9bbea5c0fa65b376620bf9cc13bbabfb9de68ec743503e4c4

SHA512
0a0b868d446eb324db5defdfcf6f37c9ce3a849a39e0f6c5436665359934564ea17a622197a4ba45cb32cdc3689db1668f54f0c32bf1b3e0a6cbd68ea59a342f

Download Submit
C:\Users\Admin\Desktop\recover.txt

Filesize
2KB

MD5
7753c51c4bddef0507774acb1fbde693

SHA1
8735a767b5b252ca3a4a25b9eb25a5e45079dcc3

SHA256
49f6a4ea6fae5cad1360a5a6c8d28cf6839ed1b8f21ae576861cdbe2932ee39e

SHA512
5b59f80011399e2a0ccbe63f7068a213b4e166f4b5e7cdcd6db25f36f1ca1398bb42a00a79fb9a01fb217fa2158d966ae74fd4d6bed84ac37004ed429f3da8cf

Download Submit
memory/2044-55-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2044-58-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2044-60-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2044-64-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2044-69-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2044-84-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2044-454-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2044-671-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2044-672-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads