Analysis

  • max time kernel
    140s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-09-2023 10:10

General

  • Target

    12.exe

  • Size

    1.8MB

  • MD5

    bb06f1d2e0ae4d3a3201dd2ac387ea76

  • SHA1

    c13581ccbdb7030573778cc89db82591d876e168

  • SHA256

    167678eb9daa2376bd805069fac69c42b0ad0c6f70b9d644161970c1770c117f

  • SHA512

    673d332011b8052fe4027550efa42d9b18a26c72cf8a9d406e961b6f4a467e4daf73d5c41e9c5b2f8a29eee89aa99b26b25b87af2551edaa2778d5f76431ec36

  • SSDEEP

    24576:jucUS55cDR3NgJ4zJ1H+QI84rncvGt3nE6vlTlcxBkTde/cfksg:jucUS55cHgJIzez8+n9Bn3NT2BkYoksg

Score
10/10

Malware Config

Extracted

Path

C:\Users\How To Restore Your Files.txt

Ransom Note
All your documents, company files, images, etc (and there are a lot of company data) have been encrypted and the extension has been changed to .knight_l . The recovery is only possible with our help. US $14973 in Bitcoin is the price for restoring all of your data. This is the average monthly wage for 1 employee in your company. So don't even think about negotiating. That would only be a waste of time and you will be ignored. Send the Bitcoin to this wallet:1G7hD2pCLXSMGGzc9E6Chpz2RUBRoR9zMi (This is your only payment address, please don't pay BTC to other than this or you won't be able to get it decrypted!) After completing the Bitcoin transaction, send an email at: http://knightv5pdwrrfyxghivy3qccxxghk2yfyfigur562gcnmpmgd4pgfid.onion/d2ed4433-3efd-4a7b-9a3f-d51809f1195c/ (Download and install TOR Browser (https://www.torproject.org/).[If you don't know how to use it, do a Google search!]).You will get an answer as soon as possible. I expect a message from you with the transfer of BTC Confirmation (TXID). So we can move forward to decrypt all your data. TXID is very important because it will help us identify your payment and connect it to your encrypted data.Do not use that I am here to waste mine or your time. How to buy the BTC? https://www.binance.com/en/how-to-buy/bitcoin https://www.coinbase.com/how-to-buy/bitcoin Note: Your data are uploaded to our servers before being encrypted, Everything related to your business (customer data, POS Data, documents related to your orders and delivery, and others). If you do not contact us and do not confirm the payment within 4 days, we will move forward and will announce the sales of the extracted data. ID:d33204e0833ad3cdd4e1ace8710de1c46a5363826257785f724773ac6c85e045
URLs

http://knightv5pdwrrfyxghivy3qccxxghk2yfyfigur562gcnmpmgd4pgfid.onion/d2ed4433-3efd-4a7b-9a3f-d51809f1195c/

https://www.binance.com/en/how-to-buy/bitcoin

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Renames multiple (164) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 16 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3268
      • C:\Users\Admin\AppData\Local\Temp\12.exe
        "C:\Users\Admin\AppData\Local\Temp\12.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1812
      • C:\Users\Admin\AppData\Roaming\BingMaps\Dashboard.exe
        "C:\Users\Admin\AppData\Roaming\BingMaps\Dashboard.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3312
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\SysWOW64\cmd.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:836
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe
            4⤵
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3112
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7CA95056-35C5-4BE6-9F7F-65D762F8DF00}'" delete
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4752
              • C:\Windows\System32\wbem\WMIC.exe
                C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7CA95056-35C5-4BE6-9F7F-65D762F8DF00}'" delete
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4364
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4344

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1f150bb8

      Filesize

      761KB

      MD5

      fbda02c9d09712af3da24dc80c4e1891

      SHA1

      4998d89457c242475ddf9b9c9256fe104be24204

      SHA256

      78dd4a61d09a08be372f03363253fb2b33c8e4606480fbcfe4fa9efe1c61bb0d

      SHA512

      b1c735fe15e95a7a6ef30ec3650e65636437fb611f603c3656cdd55eb5f0a83536bf17efc327480d49deef20928097c83a8beea88aa37d7d58029842a861b217

    • C:\Users\Admin\AppData\Roaming\BingMaps\Dashboard.exe

      Filesize

      141KB

      MD5

      704925ecfdb24ef81190b82de0e5453c

      SHA1

      1128b3063180419893615ca73ad4f9dd51ebeac6

      SHA256

      8cc871ee8760a4658189528b4a5d8afe9824f6a13faaf1fe7eb56f2a3ad2d04e

      SHA512

      ca187015812ddfcaa6515f3a5b780183b4a772801aa14b3f785d6dee9b9aa7db6402a7b346623fd24cf4a28f9856683022b10c3d812f8f2888e25bb218cbf216

    • C:\Users\Admin\AppData\Roaming\BingMaps\UXCore.dll

      Filesize

      811KB

      MD5

      be49f8c61f0a9680881ef0db826318eb

      SHA1

      73c8249c9105c925e20a7c4676404e8d276bc14c

      SHA256

      25db3f66e8b149fc08625a205f6524231afe8698e11ea6e7c4fae436ce45cae6

      SHA512

      3fa6c822c97cefea08311947515dc3524f84296dfc6828ad083c318e19592de3b284413025e5f30b94665b2f6ce64aa4738b3f61374174f337c9c5802454b414

    • C:\Users\Admin\AppData\Roaming\BingMaps\calico.dbf

      Filesize

      627KB

      MD5

      147a9bfe8762c95677823538a879f446

      SHA1

      7080ea125482c882ef12656ef6216e851efef295

      SHA256

      5cc84c7bf88a0dc3a8f63937e4725b95a742b47a4a57a3d954b5ab54735719a0

      SHA512

      fc99c267d138dbb10bc75f6e465a42b82511b3f296ed00af13794c00bbdc1f0881fe3809d3c8bb4b5788417499739b7d097c5698ae2c13bff422e03a19e3b20e

    • C:\Users\How To Restore Your Files.txt

      Filesize

      1KB

      MD5

      f39a7091a3371c9adb3c2d122159660f

      SHA1

      f761ff3de134cab58a32149e910336b3b5f9febd

      SHA256

      4b7d7df3cc46e68a3fb7b1624d71d6edf7062669b059533894fb4405f9fdc28b

      SHA512

      c1c1edaf491697ec086ed2c28fce258c9dc131097a4c39f55aed2282eda22855eb193ecaddfc86ff930a19e0bbc550df398d718eb814840c49088ae51c97c62a

    • memory/836-16-0x00007FFF4AC70000-0x00007FFF4AE65000-memory.dmp

      Filesize

      2.0MB

    • memory/836-14-0x0000000073F20000-0x0000000075174000-memory.dmp

      Filesize

      18.3MB

    • memory/836-17-0x0000000073F20000-0x0000000075174000-memory.dmp

      Filesize

      18.3MB

    • memory/836-18-0x0000000073F20000-0x0000000075174000-memory.dmp

      Filesize

      18.3MB

    • memory/836-22-0x0000000073F20000-0x0000000075174000-memory.dmp

      Filesize

      18.3MB

    • memory/1812-1-0x00007FFF3A510000-0x00007FFF3A83D000-memory.dmp

      Filesize

      3.2MB

    • memory/3312-12-0x0000000073F20000-0x0000000075174000-memory.dmp

      Filesize

      18.3MB