Analysis

  • max time kernel
    31s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-07-2023 06:25

General

  • Target

    tcvjuo.exe

  • Size

    4.8MB

  • MD5

    99a4a7145a78577d18ab6547210e5fec

  • SHA1

    20374dec61f839f1392bab96fc8e71f0e18ff334

  • SHA256

    56074a1d055957fe372a60582fa9603b4d683a029c0abbc490dcb5c44bc56885

  • SHA512

    e4d7213e2fdd38b159324cb486245414ac140e95089cb04e472c8df9c84c22560876c383da2d726e04f034c390993a2c19d3b3974f2e92f26843f04ce99693b6

  • SSDEEP

    98304:S3l8ZSUOy+EvVHBafvJNOMN5bZ9BSZJB:ClE9WvD1NrKL

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR TCVJUO FILES.TXT

Ransom Note
THE ENTIRE NETWORK IS ENCRYPTED YOUR BUSINESS IS LOSING MONEY!

Dear Management!

We inform you that your network has undergone a penetration test, during which we encrypted your files and downloaded more than 100GB of your data:

  • Personal data
  • Marketing data
  • Confidential documents
  • Accounting
  • Copy of some mailboxes

Important! Do not try to decrypt the files yourself or using third-party utilities. The only program that can decrypt them is our decryptor, which you can request from the contacts below. Any other program will only damage files in such a way that it will be impossible to restore them.

Write to us directly, without resorting to intermediaries, they will deceive you. You can get all the necessary evidence, discuss with us possible solutions to this problem and request a decryptor by using the contacts below.

Free decryption as a guarantee. Send us up to 3 files for free decryption. The total file size should be no more than 1 MB! (not in the archive).

Please be advised that if we don't receive a response from you within 3 days, we reserve the right to publish files to the public.

Contact us: [email protected] or [email protected]

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
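The hashes under General and Downloads and the ransom-note path under Malware Config are the parts of this report a responder can act on directly. The following script is an added example, not code from the report or from the sandbox: it checks files against the two SHA256 values the report lists, flags the ransom-note file name, and looks for phrases copied from the note body. The assumption that the six-letter token in the note name varies per victim (so it is matched generically rather than as the literal TCVJUO) is mine; the files built in demo() are constructed and do not reproduce the sample.

```python
"""Offline triage helper for the tcvjuo.exe report above.

Added example, not code from the report or the sandbox. It checks files
against the SHA256 values listed in General and Downloads, the ransom-note
file name seen under Malware Config, and phrases from the note body. The
files built in demo() are constructed and do not reproduce the sample.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA256 values copied from the report.
IOC_SHA256 = {
    "56074a1d055957fe372a60582fa9603b4d683a029c0abbc490dcb5c44bc56885":
        "tcvjuo.exe (sample)",
    "77f65b1e9b00ff35c43eac0caf82ad918a857e8ec6b6807c18ba5e47ada5aa0c":
        "HOW TO RESTORE YOUR TCVJUO FILES.TXT (ransom note)",
}

# Report shows 'HOW TO RESTORE YOUR TCVJUO FILES.TXT'. Assumption: the middle
# token is the per-victim extension, so match it generically, not just TCVJUO.
NOTE_NAME_RE = re.compile(r"^HOW TO RESTORE YOUR [A-Z0-9]{3,12} FILES\.TXT$", re.I)

# Phrases taken from the ransom note text in the report.
NOTE_PHRASES = (
    "THE ENTIRE NETWORK IS ENCRYPTED",
    "your network has undergone a penetration test",
    "The only program that can decrypt them is our decryptor",
)


def sha256_of(path):
    """Stream the file so a 4.8MB sample is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def note_phrases_in(path, limit=64 * 1024):
    """Return the known note phrases found in the first `limit` bytes of a file."""
    with open(path, "rb") as f:
        text = f.read(limit).decode("utf-8", errors="ignore")
    return [p for p in NOTE_PHRASES if p in text]


def classify(path):
    """Findings for one file: ('hash', label), ('name', ...) or ('content', phrase)."""
    findings = []
    digest = sha256_of(path)
    if digest in IOC_SHA256:
        findings.append(("hash", IOC_SHA256[digest]))
    if NOTE_NAME_RE.match(Path(path).name):
        findings.append(("name", "ransom note file name pattern"))
    for phrase in note_phrases_in(path):
        findings.append(("content", phrase))
    return findings


def scan(root):
    """Map relative path -> findings for every file under root with a finding."""
    root = Path(root)
    hits = {}
    for p in root.rglob("*"):
        if p.is_file():
            f = classify(p)
            if f:
                hits[str(p.relative_to(root))] = f
    return hits


def demo():
    """Build a constructed tree (not the real sample) and scan it."""
    d = Path(tempfile.mkdtemp(prefix="tcvjuo_demo_"))
    # A note with a different per-victim token and one phrase from the report.
    note = d / "HOW TO RESTORE YOUR ABCDEF FILES.TXT"
    note.write_text("THE ENTIRE NETWORK IS ENCRYPTED YOUR BUSINESS IS LOSING MONEY!\n")
    # A benign file: no name match, no phrase, hash not in the IoC list.
    (d / "readme.txt").write_text("nothing to see here\n")
    return scan(d)


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(path, findings)
```

Point scan() at a mounted image or a share root; a hash match on the sample or the note is conclusive, while a name or phrase match is a lead to verify, since the note text can be edited between campaigns.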

Processes

  • C:\Users\Admin\AppData\Local\Temp\tcvjuo.exe
    "C:\Users\Admin\AppData\Local\Temp\tcvjuo.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    PID:2188
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {3FA87D16-8346-4D90-9073-DFE05A3DB4CA} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
      PID:1476
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {440429BC-7B1A-4B16-B91A-30FD35DB047A} S-1-5-21-3891603265-141683679-4067940827-1000:GZZTOLJP\Admin:Interactive:[1]
      1⤵
        PID:2648

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR TCVJUO FILES.TXT

    Filesize

    1KB

    MD5

    f605cb189b27e5dbc73021da482f7398

    SHA1

    cf525d2a6525841e2c30123a530fca43b0384895

    SHA256

    77f65b1e9b00ff35c43eac0caf82ad918a857e8ec6b6807c18ba5e47ada5aa0c

    SHA512

    2d386e2ee2acc9d8241daeaa26743c0554e3bdc76b819cd7d2a5fcef78579bfda0916cd2f737d076965542a0074923f319214ecd260c24314ea1282eb59e477c