Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
17-07-2023 14:41
Behavioral task
behavioral1
Sample
17dc5b45928356cf58c20dbf74027cf09101150a5e0cef31a533b26c91321600.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
17dc5b45928356cf58c20dbf74027cf09101150a5e0cef31a533b26c91321600.exe
Resource
win10v2004-20230703-en
General
-
Target
17dc5b45928356cf58c20dbf74027cf09101150a5e0cef31a533b26c91321600.exe
-
Size
3.0MB
-
MD5
76180c8d79b27c393263f194291b522d
-
SHA1
bc76665ffd1b3b826e95f2414e6b0faf54948567
-
SHA256
17dc5b45928356cf58c20dbf74027cf09101150a5e0cef31a533b26c91321600
-
SHA512
636ffafaa4afa62c13ebd5fd419086ad1d942f1f89d0f9a8efd4d75332c6fa1bcea2e2f77096565f5fe22b86a2164f11cc0183aee9c789fd500a1e213702a71c
-
SSDEEP
49152:BegAQ+Yg8sxmXXxQjiQspGXtwB0pnk57TosNjLSq6Pq3Ecv9dsiPTg3pg1k:BegAQ+YBQeQVmB0pni7TosNKq6adsiQ
Malware Config
Extracted
agenda
-
company_id
hm-OG60Qdd
-
note
-- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreement, your data will be published. Data includes: - Employees personal data, CVs, DL , SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials-- Credentials Extension: hm-OG60Qdd Domain: wp7lhpt4dbh7f7lseqvp3332nlmwlpa7wz5up2vltrxnacwwwlolwuyd.onion login: xKNntdSVcDnrNYDgWjDwrITbDlNlAwfb password:
Signatures
-
Agenda Ransomware
A ransomware with multiple variants written in Golang and Rust first seen in August 2022.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
17dc5b45928356cf58c20dbf74027cf09101150a5e0cef31a533b26c91321600.exedescription pid process Token: SeDebugPrivilege 2748 17dc5b45928356cf58c20dbf74027cf09101150a5e0cef31a533b26c91321600.exe