a928964f062125cc32863a361a0554939f391a2e54a614c9c20c441f638a2f20

Analysis

max time kernel
581s
max time network
582s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2023, 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a928964f062125cc32863a361a0554939f391a2e54a614c9c20c441f638a2f20.exe
Size

376KB
MD5

7775825b7abdaed99d1bc135393ed739
SHA1

bd0b6fd129c333d6b90f8cf1026825e86b8224e3
SHA256

a928964f062125cc32863a361a0554939f391a2e54a614c9c20c441f638a2f20
SHA512

0761a7ecd784537f11cb78c0a0225c2f1e8c2cfbd86850e46092dd4927fc05fdee9c9f1ca87500bfd6b20cebe7485fbb63cac4b58d4984e8377dbc75e5303e65
SSDEEP

6144:/xbJ+lDAAqBVbMO1ICxkiIr9LUjqH7E46FW4NcMc2U08/cIwhJMTi0:/SdAAoLls9UjMQJs

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW TO RECOVER YOUR FILES.txt

Ransom Note

contact: [email protected] contact: [email protected] II) English Version : Regrettably, your files have been encrypted with RSA-2048 and AES-128. You may decrypt and recover your files by sending $300 in Bitcoin to this address: STILLNEEDADDY Include your Bitcoin transaction I.D. in your e-mail. We will reply within 2 (two) hours with your digital key and instructions for quickly recovering your files! PLEASE NOTE: Should you decline this solution, your files will be permanently deleted, and published online with your personal information.

Emails

[email protected]

Extracted

Path

C:\Users\Admin\Documents\Message.txt

Ransom Note

contact: [email protected] I) French Version : Vos fichiers importants vidéos, musiques, images,documents …etc sont cryptés avec chiffrement. RSA-2048 et AES-128.Décrypter vos fichiers est uniquement possible à l'aide d'une clé privée et un . programme de décryptage Qui se trouvent sur mon serveur secret Pour décrypter vos fichiers, veuillez suivre les instructions suivantes : 1) Achetez des bitcoins de 300 €, euros ( 0.05 btc ) 2) Envoyez les bitcoins à cette adresse : votre adresse de bitcoin 3) lorsque je reçois les bitcoins , je décrypte vos fichiers contact: [email protected] II) English Version : Your important files videos, music, images, documents ... etc are encrypted with encryption. RSA-2048 and AES-128.Decrypting your files is only possible using a private key and a. decryption program that are on my secret server To decrypt your files, please follow the instructions below : 1) Buy bitcoins from 300 €, euros (0.05 btc) 2) Send bitcoins to this address : your bitcoin address 3) when I receive bitcoins, I decrypt your files

Emails

[email protected]

Signatures

Renames multiple (58) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{AA9E5A5B-45D7-426C-AAD8-DFBAD328B584}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5008	timeout.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1380	a928964f062125cc32863a361a0554939f391a2e54a614c9c20c441f638a2f20.exe
Token: SeManageVolumePrivilege	4848	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 3504	1380	a928964f062125cc32863a361a0554939f391a2e54a614c9c20c441f638a2f20.exe	90
PID 1380 wrote to memory of 3504	1380	a928964f062125cc32863a361a0554939f391a2e54a614c9c20c441f638a2f20.exe	90
PID 1380 wrote to memory of 3504	1380	a928964f062125cc32863a361a0554939f391a2e54a614c9c20c441f638a2f20.exe	90
PID 3504 wrote to memory of 5008	3504	cmd.exe	92
PID 3504 wrote to memory of 5008	3504	cmd.exe	92
PID 3504 wrote to memory of 5008	3504	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\a928964f062125cc32863a361a0554939f391a2e54a614c9c20c441f638a2f20.exe
"C:\Users\Admin\AppData\Local\Temp\a928964f062125cc32863a361a0554939f391a2e54a614c9c20c441f638a2f20.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout 2 && Del /Q /F C:\Users\Admin\AppData\Local\Temp\a928964f062125cc32863a361a0554939f391a2e54a614c9c20c441f638a2f20.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:5008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:1936

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wsu7ABC.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Users\Admin\Desktop\HOW TO RECOVER YOUR FILES.txt

Filesize
688B

MD5
81ab24b674b6abc98a336d3b371eeeb0

SHA1
28f4e90fdd835840b57959e1f4e0839a3d44454e

SHA256
e1b970e25f0114f61a3b3fa754f9d1c5eadb11c96b34b60a5be12adbdd31bc78

SHA512
9ed3bb2190bad8a88fbcf06d58606478f82d9265317c37d258c0aa92d701415a8eb47b352b24143fe33823ba1a2bcbd8a5a467c033ca950d789fa4bb3a898987

Download Submit
C:\Users\Admin\Documents\Message.txt

Filesize
1KB

MD5
6ffb53efb5ab30a272b30dbd82aa245e

SHA1
92bbcb30455d3caafaa31f2a03e35b46e0335262

SHA256
b4d1ecc58915013646140f1b3bc8e59b703db41c9f388d4788612e0838d7b72e

SHA512
25212a538f50926a337144b17c75ab46bc27651446840cfb36a953c9b45c7af50422aa15314d2ef76cf37897315a9c6fc559d402c546c8b462daba30a902f46a

Download Submit
C:\Users\Admin\Downloads\Message.txt

Filesize
511B

MD5
0e006dbcb0120559c18c2242245aa9bd

SHA1
354c89f08fad212e6eacc9d0cbf04039fdc0ca88

SHA256
4ca37ca1415a1d381dbf41d81b72caf3e90fe376d3670346ae4ce67e4cee2a03

SHA512
abdd5394623b7a633d96b367a2bb6409039658264ecd69270ce27d79b50f183fc27ed74dcf9aacc63715fa19e5486b167cf59a8a7ef0d227735b36b94ed1cddd

Download Submit
C:\Users\Admin\Videos\Message.txt

Filesize
1KB

MD5
59b39df4698e6f2c729cdb14fc71db05

SHA1
b7ba87b5796e8695b63881353134ce70e94cd4bf

SHA256
0d39bb6eb52ed902362194e338431f3384ef2a5acd1b98a98ee137dc46cd60c2

SHA512
1360f5499f4cea3e7a3775dc0cb2e148c33b63c0adec344313bbca4abd1982053a36051016207b3e577ad04eb4802772f1f81c2abf1990cc4c13b488d87351af

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
92bf0d381e1e050a9ecc157783e1f0f3

SHA1
5ab0d0e7c1f3097b99e1d3e88338dea925971d48

SHA256
4d4bce75218b96a907c80e7bcac6cbeba4ecdf20917a63d6b665f7a805822758

SHA512
46674476f1c3c4e7ac98421fb14b87212e39d62ac65df71e3c3543cd88eb5d59266c8a9e5a03faf91264102e91f43baf9f6f72430e4ff84623433ee5b2fa435f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
ac56ff27123c0cd43d139d6f50e57008

SHA1
f29c365959282a1d7a836f054416ba0f02a3c48b

SHA256
287a4b6fda97ebaf6c3e088029ea920eee648c012f494fdabb035651b8d8e1b6

SHA512
62e674d1d332efe5469427c889d125fce57c5fa855ac3db1afb31b55c907e0f555a0aa696eafe115a146c7a056c9907e43ccf4601ac5dacc77df8c4bca7b95df

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
6a038a247e336857299449ce5b681334

SHA1
10ffc6c58af1b4027374992ccd3d7e168c7184da

SHA256
33a097a5219ff372288aa5c04b5a8c3e2c02d0d16ae427bfd6fbc729f79ada32

SHA512
ec48335c51d5cd6fc29a595334eea1541b7942eb8701d89d661de5844cf3a7a1560802490d69aa089779e8e2c426d1bcc00c204cb128eb122d69ddf1e3e43101

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
4c190e07afd457a2dbac1be83d1e46df

SHA1
17f2dbaa047105507ef47fd589e4a56f07f39a50

SHA256
72a8a64851c256d0740972d4dca6933e8383dbf36c620ed6168eadc66ae2aaf5

SHA512
cf8c9b23ac57fbbe3f811ea445c60b6e06d143001e2ee4743a780a7b7deb6f15aaf4357afd33b6ee0b31a287cca03911c47951bd2d1869c34da917f4c773ef02

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
3fe365e86e0e9b8615caf8eee449db2b

SHA1
b9db769df4850d24939896d709b43a073af77d19

SHA256
62237d018e05d5db34e679fe2c95ebd85ad1400ac0782cfd512444a1ac55a7bd

SHA512
4195fe81ad0370cc8101697b3f39a7e12a3b0d54394de9bffacb573a41efaa80c245ba9e5bbf76afd2e494e66c1a4a78bc6921be94d995452228de4afcaf7e77

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
e56e96d82a003470c0d4bfa2c74da021

SHA1
f88f3ae7153d2ea35afaa7ac4591a8c24110cfa1

SHA256
090d0cb32bab947231fd735e306da509197b82db61cd80814009f31ea45059be

SHA512
50603d72e4fcac96c8393326d58ab350c6fa630ca0a7ded3b4a6e81915708716414c72b1134452bc7bc521826e23b0dc23f09a4f59388a92453d78a4bd806eb3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
c1f5123ec0147ba1501ccae369174c96

SHA1
2a9bfe7fdb1a9c8dcbc88e4678931466e439e513

SHA256
f38148cbd45d93de33d39cff528e0c18772810c5df0f32909379638503a10bee

SHA512
59662ff10e8a5359815e23bcbdb2b565f89845dbd6744ce736e2914ac7c79a23863abe57932aba129daad69fff6db2d34d7803a2ee3fe60bbbbf2460630872b9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
7a3f169783ee2898beb1d8a583c04497

SHA1
dd53843a923220d5704671910a4c1225b3f32773

SHA256
01a006b5745c17a1f3f07bb41c5ed043b3aadaaee26225cb2d22da78b04f8265

SHA512
50ac318e0f63c590465fead30d35b6d440830285deb2b7ca146ab67b4f02ca29f1bdd497270590ea6fef4f5a6e12625dd895d67a79ee70f4ab7675b8f72bcdf8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
07e73305b4ea61f35c667b0a54aaae2e

SHA1
0093f4c2e9fadd6aae61f863c14a4959da03a860

SHA256
c80cdadce2d97e0c06e1753b423791d0a4c756a4ed6c3f94a97fe31931e561b0

SHA512
fe365e71144adbcac5d7d1549dc4c36cbae9b563530cf0baa55bd17b68a633f6355d7ee4d2eefdaf9324dc4eb1deece121bcce8e41666ecd8e73ac042aec63fb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
b33868cb4278f0f4e560ab899b66309f

SHA1
28aa4caa5bb92344764977c9445b326ce8b15e81

SHA256
d25b7c164b41bb2a162a4ac6e6bb45360f58ff8381e8774c5ed828f4cf045000

SHA512
d775f2a5caa7308c5b028086bf687498d672a70f5f60ec8bde35f84029fb6f042224c4e937694c117a1ef21a86c8c9eae24613f1a9999fb6eafb34fc195b76b1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
26ba6a83f3cc7e4478c3571400ac8ab7

SHA1
67740869a5189c2780012e8b01657dcf1dcdd13c

SHA256
8431958b8431171aab20cdcfa07c34879c51e961e38f20a69936167fff423c7c

SHA512
59a62ab02c43156082e0991aef4ac56f12a9f226977aefc0205cae08935a67057dce9825b5a95c5356018f486a052d162be3b3327721e7fe51a510aab710b8af

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
e446e57bf7918ae5343bf4fdefbd727b

SHA1
89f410d490e045b128417300d1f2e6bbd7e32cbd

SHA256
4eb9acf8e8a8ff835e04a4894e4b81a3b4863070bbba751f2b80c4f42ab6f4ec

SHA512
fc8d7f763b70faf07885fd5432137bc909f2dfcd42ab41be2618bd77cb82be9fcef136691d441003afdb0e1640d07101b50eff10fc38cc0ba60a021e6a3dcdf3

Download Submit
memory/1380-139-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/1380-134-0x0000000000870000-0x00000000008D2000-memory.dmp

Filesize
392KB

Download
memory/1380-346-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/1380-344-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/1380-136-0x00000000052F0000-0x0000000005382000-memory.dmp

Filesize
584KB

Download
memory/1380-137-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/1380-135-0x0000000005800000-0x0000000005DA4000-memory.dmp

Filesize
5.6MB

Download
memory/1380-138-0x00000000052E0000-0x00000000052EA000-memory.dmp

Filesize
40KB

Download
memory/1380-140-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/1380-133-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/4848-769-0x0000024911440000-0x0000024911450000-memory.dmp

Filesize
64KB

Download
memory/4848-785-0x0000024911540000-0x0000024911550000-memory.dmp

Filesize
64KB

Download
memory/4848-801-0x0000024919880000-0x0000024919881000-memory.dmp

Filesize
4KB

Download
memory/4848-803-0x00000249198B0000-0x00000249198B1000-memory.dmp

Filesize
4KB

Download
memory/4848-804-0x00000249198B0000-0x00000249198B1000-memory.dmp

Filesize
4KB

Download
memory/4848-805-0x00000249199C0000-0x00000249199C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads