Analysis
-
max time kernel
43s -
max time network
51s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
06/06/2023, 14:34
Errors
Reason
Machine shutdown
General
-
Target
0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4.exe
-
Size
255KB
-
MD5
1933fed76a030529b141d032c0620117
-
SHA1
c55c60a23f5110e0b45fc02a09c4a64d3094809a
-
SHA256
0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4
-
SHA512
b153383ebd9919ff293896381d89a895c58985eef60f67803a4276026631184f4d85c19e9ea06351efb7230226b18ed9a17b533fb602e10ded518a7bd090dcfe
-
SSDEEP
3072:iBWxT8JtvyAuX3CGun8r8206BretpJwIiymE9xTRVhGT4z106OKclYQO565tgPYs:iBxrKA4CGu8V0tl9zVhM49OxlYQ8fD3
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Documents\Readme.1352FF327.txt
Ransom Note
~~~ DarkRace ransomware ~~~
>>>> Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom
Links for Tor Browser:
http://wkrlpub5k52rjigwxfm6m7ogid55kamgc5azxlq7zjgaopv33tgx2sqd.onion
>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money.
If you pay, we will provide you the programs for decryption and we will delete your data.
If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future.
Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment.
>>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID
Download and install TOR Browser https://www.torproject.org/
Write to a chat and wait for the answer, we will always answer you.
You can install qtox to contanct us online https://tox.chat/download.html
Tox ID Contact: ************************
Mail (OnionMail) Support: [email protected]
>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
Emails
URLs
http://wkrlpub5k52rjigwxfm6m7ogid55kamgc5azxlq7zjgaopv33tgx2sqd.onion
https://tox.chat/download.html
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (146) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies extensions of user files 11 IoCs
Ransomware generally changes the extension on encrypted files.
-
Deletes itself 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 64 IoCs
-
Modifies registry class 5 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs ping.exe 1 TTPs 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4.exe"C:\Users\Admin\AppData\Local\Temp\0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4.exe"1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c "wmic shadowcopy delete /nointeractive"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd /c "vssadmin Delete Shadows /All /Quiet"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\ProgramData\1.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sql*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im oracle*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mysq*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im veeam*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im firefox*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im excel*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im msaccess*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im onenote*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im outlook*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im powerpnt*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im winword*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wuauclt*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sql*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im oracle*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mysq*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im veeam*3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im firefox*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im excel*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im msaccess*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im onenote*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im outlook*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im powerpnt*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im winword*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wuauclt*3⤵
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sql*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im oracle*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mysq*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im veeam*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im firefox*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im excel*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im msaccess*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im onenote*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im outlook*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im powerpnt*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im winword*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wuauclt*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sql*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im oracle*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mysq*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im veeam*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im firefox*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im excel*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im msaccess*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im onenote*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im outlook*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im powerpnt*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im winword*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wuauclt*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sql*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im oracle*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mysq*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im veeam*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im firefox*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im excel*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im msaccess*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im onenote*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im outlook*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im powerpnt*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im winword*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wuauclt*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sql*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im oracle*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mysq*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im veeam*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im firefox*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im excel*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im msaccess*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im onenote*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im outlook*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im powerpnt*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im winword*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im wuauclt*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sql*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im oracle*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im mysq*3⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome*3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im veeam*3⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "taskkill /f /im cmd.exe & taskkill /f /im conhost.exe"2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im cmd.exe3⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "ping 127.0.0.1 & del C:\ProgramData\1.bat & del C:\Users\Admin\AppData\Local\Temp\0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4.exe & shutdown -r -f -t 0"2⤵
- Deletes itself
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
-
-
C:\Windows\SysWOW64\shutdown.exeshutdown -r -f -t 03⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UnlockPing.ps1xml1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
385B
MD54a4d03743fd3a7ee1d03d89d0e3b8011
SHA1127d72408c87d866c72331fb0f16d13fef6a92ec
SHA2562b15e09b98bc2835a4430c4560d3f5b25011141c9efa4331f66e9a707e2a23c0
SHA512d26e5865bef6a7c7a5991c34ef8c0ae7e4c78c40b5f0c68f3490e89de50401e13e53321ee98def52ee7da390bcd3eb895f3ec1485a50cd63c94f0b640e1cfa60
-
Filesize
1KB
MD54b88b5a8f74421f9c61671ec61b8eb02
SHA13b0534af339c362b889ba49888e61cbbb260427f
SHA2564f8a200177e621e534dba2f5a09247a35ac47711c1f9e40f0a65649afb0ae5ac
SHA5121fe8c1fb63a3668718ce89f822abece8a770d14e9f4ef70d702eaee0309dd34f42056eca77df242ed781259bb198b30604376a1a7fb1958e3bcb07b295a6341e
-
Filesize
4KB
-
Filesize
4KB