Analysis
- max time kernel: 126s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29/08/2023, 13:51
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 6.exe
  Resource: win7-20230712-en
- Behavioral task: behavioral2
  Sample: 6.exe
  Resource: win10v2004-20230703-en
General
- Target: 6.exe
- Size: 1.3MB
- MD5: e489be3297effb32e5b015ffd20a3f3d
- SHA1: ee26bd8b2903582bc7bc34962bf28c7ad0f2d7bd
- SHA256: 66871cebfa92f04476679fb3b00a125f7eb43ea35cfb8b187b4aa2bbd0230c10
- SHA512: 22f397bf1ac6b9d9fcecb47166ba45c4a1d4b982e0cf47184afcf179f6ece3e14bae75cb17796f1606abcfc2703185b396ad00ac86401b22a416bc0578eb4072
- SSDEEP: 12288:cBVVtkNBJOlMmXP0447OdMyogfJ7gwPueClVVRWM5YDh8xpoPkouMA+nkGGCp+1E:1TcCG0447AMVgfdnTClVm4QkcGRbS
Malware Config
Extracted
- Path: C:\Users\How To Restore Your Files.txt
- URLs:
  - http://knightv5pdwrrfyxghivy3qccxxghk2yfyfigur562gcnmpmgd4pgfid.onion/7e349743-4658-4d67-950d-24e2e0a99049/
  - https://www.binance.com/en/how-to-buy/bitcoin
Signatures
- Renames multiple (140) files with added filename extension
  This suggests ransomware activity: encrypting all files on the system.
- Drops desktop.ini file(s) (16 IoCs)
  File opened for modification by explorer.exe:
  - C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  - C:\Users\Admin\3D Objects\desktop.ini
  - C:\Users\Admin\Videos\desktop.ini
  - C:\Users\Admin\Favorites\Links\desktop.ini
  - C:\Users\Admin\Links\desktop.ini
  - C:\Users\Admin\Searches\desktop.ini
  - C:\Users\Admin\Pictures\Camera Roll\desktop.ini
  - C:\Users\Admin\Favorites\desktop.ini
  - C:\Users\Admin\Music\desktop.ini
  - C:\Users\Admin\OneDrive\desktop.ini
  - C:\Users\Admin\Pictures\desktop.ini
  - C:\Users\Admin\Contacts\desktop.ini
  - C:\Users\Admin\Desktop\desktop.ini
  - C:\Users\Admin\Downloads\desktop.ini
  - C:\Users\Admin\Documents\desktop.ini
  - C:\Users\Admin\Saved Games\desktop.ini
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  - File opened (read-only): \??\F: by explorer.exe
- Suspicious use of SetThreadContext (1 IoC)
  - PID 4240 (6.exe) set thread context of 3404 (procid_target 83)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 4240, 6.exe (2 entries)
  - PID 3404, cmd.exe (1 entry)
  - PID 4168, explorer.exe (61 entries)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  - PID 4240, 6.exe
  - PID 3404, cmd.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  - PID 1308, vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - PID 1808, WMIC.exe (the following 21 tokens, each recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of WriteProcessMemory (13 IoCs)
  - PID 4240 (6.exe) wrote to memory of 3404, procid_target 83 (4 entries)
  - PID 3404 (cmd.exe) wrote to memory of 4168, procid_target 93 (5 entries)
  - PID 4168 (explorer.exe) wrote to memory of 2212, procid_target 96 (2 entries)
  - PID 2212 (cmd.exe) wrote to memory of 1808, procid_target 98 (2 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\6.exe (PID 4240)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3404)
    Command line: "C:\Windows\SysWOW64\cmd.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\explorer.exe (PID 4168)
      Command line: C:\Windows\explorer.exe
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SYSTEM32\cmd.exe (PID 2212)
        Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9116A74A-A87C-49A6-B8F6-67FA48E47526}'" delete
        - Suspicious use of WriteProcessMemory
        - C:\Windows\System32\wbem\WMIC.exe (PID 1808)
          Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9116A74A-A87C-49A6-B8F6-67FA48E47526}'" delete
          - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 1308)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 759KB
  MD5: bd75f2bcbd579a61e0b1e9912d996cd8
  SHA1: 2cc046d23cd9f1643c0b9c54ba489882ee49e7ae
  SHA256: 12f410efd17b2cac44f727f13cb757956935e0a68fd9fa2b14607c5d86536b95
  SHA512: 57acbc97e7afc019cc02548bc3b8f38789ad1524c71b54a41a6b02b50bf0d012ebb32b461b2205021052652d4527ad997993fb0f5ec3fc1f7ca2e86e9173dc0d
- Filesize: 1KB
  MD5: 4738ca4b9d3badfa52da4b165fb25150
  SHA1: 0621f857994ec66c81fa0b236ea6ccceb954dc8b
  SHA256: c49d02b0752069b98433185a27cbaaf2a7eef94f7f6e43a737a55004fc390cdf
  SHA512: 10d07327c6f8ecb04251e4be0441e3c373a18011491b2254d5e057c81052297e181fd3a428ab4173c4f079b2987f28fbf0714ec2815a855399221cbd08b44ba8