Overview

overview

10

Static

static

10

local.exe

windows7-x64

10

local.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    392s
  • max time network
    395s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    06-06-2023 22:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    local.exe

  • Size

    125KB

  • MD5

    98c7f6b6ddf6a01adb25457e9a3c52b8

  • SHA1

    8fe68e8675b53c801ed110e635e9a9e3d66c9d4d

  • SHA256

    de4c8cc850c5b70212aded154ec4f2ec0836b340397b0b912a0f1434d141a5c6

  • SHA512

    1393e9fcdf844f3c350b961e5bf2669c1739a09009746774cdbbabf6eee28f32d0782524fc57e0b7080eb57183ab38bc8bd83273dff02c67b9b4ba029fb7af67

  • SSDEEP

    3072:BA1LW6KAqdcKNzXjQopiuL5dmTPFtkFeZ5NlGj:BSRKAccKNzNpxL5dWPLJhg

Score
10/10
targetcompanyevasionransomware

Malware Config

Extracted

Path

C:\Users\Admin\Music\How to decrypt files.txt

Family

targetcompany

Ransom Note
Your personal identifier: HSTMD3LS0T All files on network have been encrypted due to insufficient security. The only way to quickly and reliably regain access to your files is to contact us. The price depends on how fast you write to us. In other cases, you risk losing your time and access to data. Usually time is much more valuable than money. FAQ Q: How to contact us A: * Download Tor Browser - https://www.torproject.org/ * Open link in Tor Browser http://hye34tlszbt562z34d4k36eia2vq5tnhhd3mimrt5n5cdovbqnan3myd.onion/contact * Follow the instructions on the website. Q: What guarantees? A: Before paying, we can decrypt several of your test files. Files should not contain valuable information. Q: Can I decrypt my data for free or through intermediaries? A: Use third party programs and intermediaries at your own risk. Third party software may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.�
URLs

http://hye34tlszbt562z34d4k36eia2vq5tnhhd3mimrt5n5cdovbqnan3myd.onion/contact

Signatures

  • TargetCompany

    Ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.

    ransomwaretargetcompany
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (6824) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\local.exe
    "C:\Users\Admin\AppData\Local\Temp\local.exe"
    1⤵
    • Modifies extensions of user files
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Windows\system32\vssadmin.exe
      "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:2036
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2024
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:384
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:1496
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\local.exe" >> NUL
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1492
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1764

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\Music\How to decrypt files.txt
    Filesize

    1KB

    MD5

    df7bed1bcdf69b26d913ae8418af1d4c

    SHA1

    7b99f543e11c62c9e12fa762aee549161971e4e5

    SHA256

    c0342dea1ccaab2c3925787e4c5a9b6f23f75db7abfb6fc4b5155ff348615486

    SHA512

    6c89511992d556dbe3d6ffc71d79c08e62277fa1cc40d771ecef3c6cfaac47bf025bae577437300b59d5c23630961bc2f9b52e75c1fd4ec7fab67ab3f1a785fa

    Download Submit