Analysis
max time kernel: 507s
max time network: 509s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/06/2023, 22:25
Behavioral task
behavioral1
Sample
local.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
local.exe
Resource
win10v2004-20230220-en
General
Target: local.exe
Size: 125KB
MD5: 98c7f6b6ddf6a01adb25457e9a3c52b8
SHA1: 8fe68e8675b53c801ed110e635e9a9e3d66c9d4d
SHA256: de4c8cc850c5b70212aded154ec4f2ec0836b340397b0b912a0f1434d141a5c6
SHA512: 1393e9fcdf844f3c350b961e5bf2669c1739a09009746774cdbbabf6eee28f32d0782524fc57e0b7080eb57183ab38bc8bd83273dff02c67b9b4ba029fb7af67
SSDEEP: 3072:BA1LW6KAqdcKNzXjQopiuL5dmTPFtkFeZ5NlGj:BSRKAccKNzNpxL5dWPLJhg
Malware Config
Extracted
C:\Program Files (x86)\Microsoft\Edge\How to decrypt files.txt
targetcompany
http://hye34tlszbt562z34d4k36eia2vq5tnhhd3mimrt5n5cdovbqnan3myd.onion/contact
Signatures

TargetCompany
Ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
pid | Process
2628 | bcdedit.exe
4384 | bcdedit.exe

Renames multiple (6857) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Modifies extensions of user files (13 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\CompressStop.tiff | local.exe
File opened for modification | C:\Users\Admin\Pictures\ConvertToCheckpoint.tiff | local.exe
File renamed | C:\Users\Admin\Pictures\ProtectSuspend.png => C:\Users\Admin\Pictures\ProtectSuspend.png.host | local.exe
File renamed | C:\Users\Admin\Pictures\EnterConvert.raw => C:\Users\Admin\Pictures\EnterConvert.raw.host | local.exe
File opened for modification | C:\Users\Admin\Pictures\UnblockResume.tiff | local.exe
File renamed | C:\Users\Admin\Pictures\UnblockResume.tiff => C:\Users\Admin\Pictures\UnblockResume.tiff.host | local.exe
File renamed | C:\Users\Admin\Pictures\WatchRepair.png => C:\Users\Admin\Pictures\WatchRepair.png.host | local.exe
File renamed | C:\Users\Admin\Pictures\ConvertToCheckpoint.tiff => C:\Users\Admin\Pictures\ConvertToCheckpoint.tiff.host | local.exe
File renamed | C:\Users\Admin\Pictures\CompressStop.tiff => C:\Users\Admin\Pictures\CompressStop.tiff.host | local.exe
File renamed | C:\Users\Admin\Pictures\GroupConnect.raw => C:\Users\Admin\Pictures\GroupConnect.raw.host | local.exe
File renamed | C:\Users\Admin\Pictures\SubmitAdd.crw => C:\Users\Admin\Pictures\SubmitAdd.crw.host | local.exe
File renamed | C:\Users\Admin\Pictures\UseWatch.crw => C:\Users\Admin\Pictures\UseWatch.crw.host | local.exe
File renamed | C:\Users\Admin\Pictures\MoveUnlock.tif => C:\Users\Admin\Pictures\MoveUnlock.tif.host | local.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | local.exe

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | local.exe
File opened (read-only) | \??\P: | local.exe
File opened (read-only) | \??\T: | local.exe
File opened (read-only) | \??\V: | local.exe
File opened (read-only) | \??\Y: | local.exe
File opened (read-only) | \??\A: | local.exe
File opened (read-only) | \??\E: | local.exe
File opened (read-only) | \??\H: | local.exe
File opened (read-only) | \??\L: | local.exe
File opened (read-only) | \??\N: | local.exe
File opened (read-only) | \??\R: | local.exe
File opened (read-only) | \??\U: | local.exe
File opened (read-only) | \??\W: | local.exe
File opened (read-only) | \??\B: | local.exe
File opened (read-only) | \??\J: | local.exe
File opened (read-only) | \??\K: | local.exe
File opened (read-only) | \??\M: | local.exe
File opened (read-only) | \??\S: | local.exe
File opened (read-only) | \??\X: | local.exe
File opened (read-only) | \??\Z: | local.exe
File opened (read-only) | \??\F: | local.exe
File opened (read-only) | \??\O: | local.exe
File opened (read-only) | \??\Q: | local.exe
File opened (read-only) | \??\I: | local.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\vlc.mo | local.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_forward_18.svg | local.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml | local.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\dot_2x.png | local.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_ja_4.4.0.v20140623020002.jar | local.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar | local.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML | local.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ja-jp\How to decrypt files.txt | local.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\find-text-2x.png | local.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\PlayStore_icon.svg | local.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg | local.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml | local.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007 | local.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\How to decrypt files.txt | local.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230220184428.pma | local.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\ui-strings.js | local.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\THMBNAIL.PNG | local.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png | local.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml | local.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaBrightDemiBold.ttf | local.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\plugin.js | local.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\PLANNERS.ONE | local.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png | local.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\autofill_labeling_features.txt | local.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\ui-strings.js | local.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\css\main.css | local.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ul-oob.xrm-ms | local.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\ui-strings.js | local.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\ui-strings.js | local.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\How to decrypt files.txt | local.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt_0.11.101.v20140818-1343.jar | local.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.update.configurator_3.3.300.v20140518-1928.jar | local.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.GRAPH.16.1033.hxn | local.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png | local.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_selectlist_checkmark_18.svg | local.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\ui-strings.js | local.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-phn.xrm-ms | local.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms | local.exe
File created | C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\How to decrypt files.txt | local.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\meta\art\03_lastfm.luac | local.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations.png | local.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ul-oob.xrm-ms | local.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\ext\zipfs.jar | local.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\PREVIEW.GIF | local.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ppd.xrm-ms | local.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\ui-strings.js | local.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\rt.jar | local.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml | local.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\Word 2010 look.dotx | local.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ps\How to decrypt files.txt | local.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-il\ui-strings.js | local.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\ui-strings.js | local.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\How to decrypt files.txt | local.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml | local.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\How to decrypt files.txt | local.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms | local.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OneNote\prnms006.inf | local.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\root\ui-strings.js | local.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\How to decrypt files.txt | local.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | local.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ppd.xrm-ms | local.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms | local.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\How to decrypt files.txt | local.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\svgCheckboxUnselected.svg | local.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2228 | vssadmin.exe

Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
3772 | PING.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1220 | local.exe
1220 | local.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeTakeOwnershipPrivilege | 1220 | local.exe
Token: SeDebugPrivilege | 1220 | local.exe
Token: SeBackupPrivilege | 5088 | vssvc.exe
Token: SeRestorePrivilege | 5088 | vssvc.exe
Token: SeAuditPrivilege | 5088 | vssvc.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 1220 wrote to memory of 2228 | 1220 | local.exe | 78
PID 1220 wrote to memory of 2228 | 1220 | local.exe | 78
PID 1220 wrote to memory of 4268 | 1220 | local.exe | 80
PID 1220 wrote to memory of 4268 | 1220 | local.exe | 80
PID 1220 wrote to memory of 2232 | 1220 | local.exe | 82
PID 1220 wrote to memory of 2232 | 1220 | local.exe | 82
PID 2232 wrote to memory of 2628 | 2232 | cmd.exe | 85
PID 2232 wrote to memory of 2628 | 2232 | cmd.exe | 85
PID 4268 wrote to memory of 4384 | 4268 | cmd.exe | 86
PID 4268 wrote to memory of 4384 | 4268 | cmd.exe | 86
PID 1220 wrote to memory of 3580 | 1220 | local.exe | 100
PID 1220 wrote to memory of 3580 | 1220 | local.exe | 100
PID 3580 wrote to memory of 3772 | 3580 | cmd.exe | 102
PID 3580 wrote to memory of 3772 | 3580 | cmd.exe | 102
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\local.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\local.exe"
    - Modifies extensions of user files
    - Checks computer location settings
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1220

    [depth 2] C:\Windows\system32\vssadmin.exe
        Command line: "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
        - Interacts with shadow copies
        PID: 2228

    [depth 2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
        - Suspicious use of WriteProcessMemory
        PID: 4268

        [depth 3] C:\Windows\system32\bcdedit.exe
            Command line: bcdedit /set {current} bootstatuspolicy ignoreallfailures
            - Modifies boot configuration data using bcdedit
            PID: 4384

    [depth 2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
        - Suspicious use of WriteProcessMemory
        PID: 2232

        [depth 3] C:\Windows\system32\bcdedit.exe
            Command line: bcdedit /set {current} recoveryenabled no
            - Modifies boot configuration data using bcdedit
            PID: 2628

    [depth 2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\sysnative\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\local.exe" >> NUL
        - Suspicious use of WriteProcessMemory
        PID: 3580

        [depth 3] C:\Windows\system32\PING.EXE
            Command line: ping 127.0.0.1
            - Runs ping.exe
            PID: 3772

[depth 1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
    PID: 5088
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
MD5: df7bed1bcdf69b26d913ae8418af1d4c
SHA1: 7b99f543e11c62c9e12fa762aee549161971e4e5
SHA256: c0342dea1ccaab2c3925787e4c5a9b6f23f75db7abfb6fc4b5155ff348615486
SHA512: 6c89511992d556dbe3d6ffc71d79c08e62277fa1cc40d771ecef3c6cfaac47bf025bae577437300b59d5c23630961bc2f9b52e75c1fd4ec7fab67ab3f1a785fa