Overview

overview

10

Static

static

10

decryptor_...7c.exe

windows7-x64

10

decryptor_...7c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-05-2023 06:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    decryptor_575a467c.exe

  • Size

    1.7MB

  • MD5

    a72345f5a627a2c8222f71347a44b013

  • SHA1

    595bf5761ec6eee55fb291cb465736bbbb4bfcf8

  • SHA256

    9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800

  • SHA512

    5081c69929c6bd43277f416e942c7d8bb57a45c26089ade5a985ed9ae6a376128ed7dc9cba2618cf918941f7b919db73f1f48cf0c6d30b707927c4a77fbb3482

  • SSDEEP

    24576:SV2LT3INDJRQDj4uFgjR9XKaNIAOgoXeQ7vIKiKyn9cr2Uy9TnFXlDi9uIIg:fLT4NDG4uGlF6AubJyKr2UBuIIg

Score
10/10
agendaransomwarespywarestealer

Malware Config

Extracted

Family

agenda

Attributes
  • company_id

    feGDg5BHWw

  • note

    -- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreement, your data will be published. Data includes: - Employees personal data, CVs, DL , SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials-- Credentials Extension: feGDg5BHWw Domain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion login: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 password:

rsa_privkey.plain

Signatures

  • Agenda Ransomware

    A ransomware with multiple variants written in Golang and Rust first seen in August 2022.

    ransomwareagenda
  • Drops file in Drivers directory 21 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 12 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 64 IoCs
  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\decryptor_575a467c.exe
    "C:\Users\Admin\AppData\Local\Temp\decryptor_575a467c.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:2752
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Loads dropped DLL
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:216
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Loads dropped DLL
    • Modifies data under HKEY_USERS
    PID:4472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll
    Filesize

    230KB

    MD5

    2fc4d42f568c9fee6e069f7ea46d5cc0

    SHA1

    318429f05909b5d4097c2840d64029bc76d08d0f

    SHA256

    f0d4d5993e3e236c288ab8534583da7a624b340c0f6160f61ff4e2df4a82d390

    SHA512

    8e419505b40f55486aaa25ddca9e19c575986ffcd606168dca0ffda25e3affc5e5104185647f5cc277c5f647a6358f0fd35f53ca20bcc208728659eaf43daee9

    Download Submit
  • C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll
    Filesize

    230KB

    MD5

    2fc4d42f568c9fee6e069f7ea46d5cc0

    SHA1

    318429f05909b5d4097c2840d64029bc76d08d0f

    SHA256

    f0d4d5993e3e236c288ab8534583da7a624b340c0f6160f61ff4e2df4a82d390

    SHA512

    8e419505b40f55486aaa25ddca9e19c575986ffcd606168dca0ffda25e3affc5e5104185647f5cc277c5f647a6358f0fd35f53ca20bcc208728659eaf43daee9

    Download Submit
  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll
    Filesize

    672KB

    MD5

    f5d4c22ced66b4f563c6640068aec6b4

    SHA1

    33ce26f849b4f981448567c379e6c88031c919e4

    SHA256

    df7abcdf3da7c974c481c90535cb143d5ba005c2972639c1b0613634dc6f055f

    SHA512

    97ed0d91c18a4a056f7914dd7899710c9447adde3bbbcc395197dfa297b265e835687ef9d030e850b2b031759448cf9369642bdc67f08c306c0c4aa1d7d9682f

    Download Submit
  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll
    Filesize

    304KB

    MD5

    d89cb906c358b2649e15b444a5e0411a

    SHA1

    93869f7039ae43e04344516234ab9e6a7811307b

    SHA256

    3ce0887e31ede3772dd5ff44a11fd8bf1611442e88b28605ffe881affc533aa0

    SHA512

    e4bcbd596b8ae810af9bddfb4b2128af2718e12e886ef9218a6c81638e60dcd69f162997c9771f830fe5248ade961d50a2abbfa2633bd28d90310d30710e23f6

    Download Submit
  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll
    Filesize

    2.2MB

    MD5

    64fa89fe1bdc88ef8db4cc8c7c8319ec

    SHA1

    e1aff65c5b65a6a06303d5fe3bb9b8b6cdf5921b

    SHA256

    863b48351587489dc53337324d2d0602f6df57cc51b39d5713cf4bbec9046621

    SHA512

    11af835730f761ba86f518bd8d18425287fbb25f49faaa2d82defc84f7794d5684327e84f36b91ef57262828b0989d4a126e75fce30911eecc552c266223658c

    Download Submit
  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll
    Filesize

    486KB

    MD5

    c9dab12378f3f914ed34c23494ce74c0

    SHA1

    69c14443b2ebb2f1e726243288aab1d12b97db37

    SHA256

    18c514f88f60310f3cf25cda77924a01e0a36d14a0e9762756648c2c648ce705

    SHA512

    150fc79994d2af3fa38d61d875220c1baa3c24364423ee670718bd149be1129c52b30296bba44394eac8cbc587c065f04aa527522ef5c605f7221439fb7c7ca9

    Download Submit
  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll
    Filesize

    210KB

    MD5

    761277d21e3a31948012fef82b42f022

    SHA1

    08f7b27e33dd2d3cdfd54c283cdd22994a53402b

    SHA256

    6e1fec70fc0013137957242159edf04eafdb3c14d8a6f1ee2204d451114a19be

    SHA512

    0401fa3425ac8b472f9f42166e70906cc531c94782f2b0338281f983a5ad6f6fd6817b26fe59e841be25aacbfca0df88f672db5a4e17fa9e99d281d912db2d8f

    Download Submit
  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll
    Filesize

    1.5MB

    MD5

    cd68777721d728fe1f0417afd2a7b8fa

    SHA1

    2b245556966182e297eca0a53e1af9f732182272

    SHA256

    62023fd2449f16654306b645c1617aeb84c913778ce128fa1c90840dd230361e

    SHA512

    93a500ee36496211d108d950d5b2877010d1544528fac16abc64a5798f535093a7a78f209b848527e6f559a6b4bd29317a4aa4afbac0be609afb946789a35e66

    Download Submit
  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll
    Filesize

    600KB

    MD5

    ccc94602a6a71b59771ef2c321fe7bcd

    SHA1

    72fa3ce5942e46a3ddff792a6a9c95bcd9575646

    SHA256

    ef9d1539107155cf0fabe420790cb58d36fe562a5e2255ce472266669fc4bf98

    SHA512

    a731734703e12260a6fa37b4c0ec37d8afd0d97538c3383b59a9c15b6e44e6876babc3dba34e2bfc691b7f349632b6daeaaa97f388af7d5e57aa1fe17b781e31

    Download Submit
  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll
    Filesize

    1.2MB

    MD5

    c7f5af65598cf219f1f7544f895edd4c

    SHA1

    82f2decf1eb8a3c3dd015194f02e07abe651959f

    SHA256

    d872c5c1b312f4b257cad8c1f77c7e3b1ed090611e7186438f0b0ca6db6638d0

    SHA512

    8fb9378b798ec099079a23ccb7c2ec29ca0d87e6864ecf020fa5e300bc0bd9425f13a466c677818ee38fe560ceb493aff33fa831c6af03fac1566deb07535829

    Download Submit
  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll
    Filesize

    952KB

    MD5

    25297efc3bf8d2cb34972e49f033fa0a

    SHA1

    291881891e917c780fc00b22021e5c391b060dfe

    SHA256

    1ed32eb18896bd5fb1f6281eb875ce21dfa9ea20ffaa7e6c3b94eeb23f13aedd

    SHA512

    2ebb012a8973913c4b849988884372550bc1e7c5dd3af01ac01feab49dca40227e653876fce6b13a2c364c04931d5c6bfe88ef23e7065d22279779605954d2dd

    Download Submit
  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll
    Filesize

    1.2MB

    MD5

    77055f17bb0ddb795ef3a63ca0039bac

    SHA1

    433d647221c9bb54c3c76be44eed0c6a67b0a0de

    SHA256

    20f7fa3c8ab200d87ffa9f58c2700ab393893291338090ec900b6111ca561040

    SHA512

    5aab26f303672c3d745c303ea54ed5891529a0cc5860a4fb8fbb33abc2559ac064c44ea1a943301bd399f2616dd1e15d358474b1089d1cb11eb046d88d9d8d04

    Download Submit
  • memory/2752-147-0x0000000000C30000-0x0000000000DEE000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2752-146-0x0000000000C30000-0x0000000000DEE000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2752-145-0x0000000000C30000-0x0000000000DEE000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2752-149-0x0000000000C30000-0x0000000000DEE000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2752-151-0x0000000000C30000-0x0000000000DEE000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2752-152-0x0000000000C30000-0x0000000000DEE000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2752-153-0x0000000000C30000-0x0000000000DEE000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2752-154-0x0000000000C30000-0x0000000000DEE000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2752-155-0x0000000000C30000-0x0000000000DEE000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2752-156-0x0000000000C30000-0x0000000000DEE000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2752-157-0x0000000000C30000-0x0000000000DEE000-memory.dmp
    Filesize

    1.7MB

    Download