Analysis

  • max time kernel
    123s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-05-2023 17:48

General

  • Target

    VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe

  • Size

    137KB

  • MD5

    21d01fa87dfcaf971ff7b63a1a6fda94

  • SHA1

    f3caa9831fc715af4f47cd98803549902dffe30a

  • SHA256

    ab0aa003d7238940cbdf7393677f968c4a252516de7f0699cd4654abd2e7ae83

  • SHA512

    f89997f8c31d77029f1087257a5b24337f9989bebfbe4169067acae72a5dd50ce118d273fae00690ef2e2bf345901d723034992f53dd3e5b9df5cbe9be2e67fa

  • SSDEEP

    1536:ASOoRSNl/XT9yYSvVKJJgpBy7bICS4AUsiz8djOK:WPaKJJctOqjOK

Malware Config

Extracted

Path

C:\Recovery\8e2y81-readme.txt

Ransom Note
---=== Welcome. Again. ===--- [-] Whats Happen? [-] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 8e2y81. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [-] What guarantees? [-] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] Using a TOR browser! 1) Download and install TOR browser from this site: https://torproject.org/ 2) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C8122D50B6F33773 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: kmFf01Rk1G7chE2N2u+kxsEbMx48QQ8Wf57bSgDF/06SbWi4PAaP8hgcBnW0AoAy loJGVX2qhbfBjJa6g/3Wt63vqZwTRSTIcRge+Pmtu6/S79Vzmwsh4sa+ShXP5Vse 1SoFHiaOj761lFTUOUge94JBRFB5a+dMiw0cOc5GSOTnSGm3+m3vHYYWI4sjnRf6 dyvz09OXjnTGjGPMcUYj9y+2ofNtpBI9+ujN8jyJe3jmWSJyrlHRYgQi2Mk8t7FW 2iEFqaXsqzx4FCkF+pDRzXDW4gT5BDPGM7lPoTBkzW3eiM+LOZGS1V+SZO7xF2ps BGXnIRU129jKOH0jLIFKH3wdvt0YTho5vZ17vGG68XZ0RZcAdnuACZVwDpnqCVId dWPHqe5fK+pP8pR2dhXSPXebV43UoHwjCUbfN4W+zqt3QXWEzVcklw2cbrk0XhDw xUiUsBhWN6kKupAnUPzTuCU1s9BNADTD8juY3v+F5Z4SJjfK7U1ERknSZHcGRnru RO/sjpVblW2TR4gHW/09VOxPYoY7nCTXkqBbLxcXa5ebl7GZ1k97Q9VWlYSdu3LK +ibkhfHPRnmdeA1IESzulSI55Yh5xnRQp56GNLTIn1m4B0a6h/LgBCx7xbVElo54 Qd7URFWcnR7DSme4k1/WCr1TK2GRiWM6tTEgVizQS+oym7WYTyAoC91sMbDDGzc7 58CXWJp4wpipEq9cWIkzajusc3QcfWW4Ppb57YDuMbkIMlmExbdD5qmpo+rrxYGV epLaeXt1iuk0Cxpya4+kt0jCq8So6kQwrSELCPE7bcGiVnZeayd303y26rPkjGZC E4z1lG7NjhlpAmLme+1RSwgrq35PcX91k+P/QUMDeVjHMtrsqai/3vGXm0bnR3/A FUgsUFRP2795EXdh3y3Ct7C+iVzwrTqKf5eQivUQAQDhLsl0HkUcsyS3ShG2Pqr6 hyHUjlQRJf6MgWugS83BnhL+SAO+9koTUQSl5krcrAw3CT9VRaB4Nb95z0mWJD+F PlcaST5MLvsLvkQ9/f56SiqHwGPJEr6PNbE8iWa4WAaMbz+2wPZn55vt+9UMqFQp kiMgJaI9HlmYVjthHv4Drfdiv+eHfxpL3eroGloWGNsVKX7IKxpv8aZG52Jgia6O I3CvmLKQA1IYIWTmyYGG3GmwBwu/8Axk5N2CZLiT3zj/LHLYAnOra2es2O/xDK27 f19mZdx6gKv48upg2t6SnLdSwPKS6j2XmQvxUkRISmpL5SPkkflFIz4GyU0GmSFs sQbt2FBISvIXDYGDMUevviGwvOs= ----------------------------------------------------------------------------------------- !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/C8122D50B6F33773

Signatures

  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_21d01fa87dfcaf971ff7b63a1a6fda94.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2488
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:3156
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:552

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recovery\8e2y81-readme.txt

      Filesize

      6KB

      MD5

      2c8cff78b31a71ce1688b3345cb31c37

      SHA1

      61fb194030b3b95cfb968736d0a193c3c83c40d7

      SHA256

      d104919ccabb105907a06d0c91e7385c3d9bd047cdec13964db2651ebf8f0d85

      SHA512

      046c0b7ed1c67ef743b744b57109f61f0f5954ffb9b5d963fd1bcf9e41804940c0c949ff7337db4198b0e06a12f90632434ef8310b8d551a5623c722361848f8