Analysis
max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230831-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-09-2023 06:21

Static task: static1
Behavioral task: behavioral1
Sample: cv4TCGxUjvS.exe
Resource: win7-20230831-en
Behavioral task: behavioral2
Sample: cv4TCGxUjvS.exe
Resource: win10v2004-20230831-en
General
Target: cv4TCGxUjvS.exe
Size: 1.3MB
MD5: f6b8f6b814763ee0befe3c55637f0c42
SHA1: 3cf78ca5b35161a618efadf904abbaa161d7b02c
SHA256: 5ed4dfb7da504438688d779092a717cb2426ee88bc4f0ee588b3e989b7567dff
SHA512: 37fb6483bf598d3c52ea9dc1787fe7885b7439ec1a9bb6bb93486afd9d8d1650aeba2c819cc02cb3be3733722c63c00a3ecf605bcbac05fbaf6b7dec5047ff91
SSDEEP: 12288:1BVVtkNBJOlMmXP0447OdMyogfJ7gwPueClVVRWM5YDh8xpoP5ouMA+nkGGCp+YE:WTcCG0447AMVgfdnTClVm4Q5cGRSS
Malware Config
Extracted from (ransom note dropped by the sample): C:\Users\Admin\How To Restore Your Files.txt
URLs in the note:
http://knightv5pdwrrfyxghivy3qccxxghk2yfyfigur562gcnmpmgd4pgfid.onion/cfb52f38-0c93-4438-baf2-79db0554abf8/
https://www.binance.com/en/how-to-buy/bitcoin
Signatures

Renames multiple (175) files with added filename extension
Consistent with ransomware encrypting files across the system and appending an extension to each encrypted file.
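The mass-rename signature above is the behaviour a file-activity monitor can key on: many files renamed by one process to their old name plus a common suffix within a short window, with a note file appearing alongside. The detector below is an added example, not part of the sandbox report. Its rename events are constructed: the report says 175 files were renamed but does not name the extension, so ".locked" is a placeholder rather than this sample's extension; PID 4312 is explorer.exe from the process tree, while PIDs 7000 and 7100 are invented benign controls.

```python
"""Detect a burst of renames that append one extension to many files.

Added example, not part of the sandbox report. The rename events are
constructed: the report says 175 files were renamed with an added
extension but does not name it, so ".locked" below is a placeholder and
not this sample's extension. PID 4312 is explorer.exe from the process
tree; PIDs 7000 and 7100 are invented benign controls.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RenameEvent:
    ts: float   # seconds since the start of the trace
    pid: int
    old: str
    new: str


RANSOM_NOTE = re.compile(r"(restore|recover|decrypt|unlock).*(file|data)", re.I)


def appended_suffix(old: str, new: str) -> Optional[str]:
    """The extension appended to old to form new, or None if new is not old plus '.ext'."""
    if not new.startswith(old) or len(new) <= len(old):
        return None
    tail = new[len(old):]
    if tail[0] != "." or "\\" in tail or len(tail) == 1:
        return None
    return tail.lower()


def find_rename_bursts(events, min_files=20, window=60.0):
    """Group append-renames by (pid, suffix); alert when min_files fall inside one window.

    The alert's count is the group's total, so the 175 renames on this page would be
    reported as a whole even though the threshold trips after the first 20.
    """
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        suffix = appended_suffix(e.old, e.new)
        if suffix:
            groups[(e.pid, suffix)].append(e.ts)
    alerts = []
    for (pid, suffix), times in groups.items():
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= min_files:
                alerts.append({"pid": pid, "suffix": suffix, "count": len(times),
                               "window_start": times[lo]})
                break
    return alerts


def looks_like_ransom_note(path: str) -> bool:
    """True for note-like names such as the 'How To Restore Your Files.txt' this sample drops."""
    name = path.rsplit("\\", 1)[-1]
    return name.lower().endswith((".txt", ".html", ".hta")) and bool(RANSOM_NOTE.search(name))


FOLDERS = ["Documents", "Pictures", "Desktop", "Downloads", "Music"]


def constructed_events():
    """175 appends by PID 4312 over about 35 s, plus a user rename and a 3-file backup tool."""
    events = []
    for i in range(175):
        old = f"C:\\Users\\Admin\\{FOLDERS[i % len(FOLDERS)]}\\file{i:03d}.docx"
        events.append(RenameEvent(5.0 + i * 0.2, 4312, old, old + ".locked"))
    events.append(RenameEvent(12.0, 7000, r"C:\Users\Admin\Documents\report.docx",
                              r"C:\Users\Admin\Documents\report-final.docx"))
    for i in range(3):
        old = f"C:\\Backups\\db{i}.sqlite"
        events.append(RenameEvent(30.0 + i, 7100, old, old + ".bak"))
    return events


if __name__ == "__main__":
    for alert in find_rename_bursts(constructed_events()):
        print(alert)
```

The threshold and window are tuning knobs: a backup agent appending ".bak" to a handful of files stays under them, while a single process appending one suffix to 175 files in well under a minute trips the rule on its twentieth rename, which is the point at which a response hook should kill the process rather than wait for the run to finish.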
Drops desktop.ini file(s) (16 IoCs)
File opened for modification by explorer.exe:
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\3D Objects\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Admin\OneDrive\desktop.ini
C:\Users\Admin\Pictures\Camera Roll\desktop.ini
C:\Users\Admin\Music\desktop.ini
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only): \??\F: by explorer.exe
Suspicious use of SetThreadContext (1 IoC)
PID 4008 (cv4TCGxUjvS.exe) set the thread context of PID 4900 (cmd.exe, procid_target 86).
Taken together with the WriteProcessMemory and MapViewOfSection entries for the same pair of processes, this is the pattern of code being injected into the freshly spawned cmd.exe; the file activity attributed below to explorer.exe (a child of that cmd.exe) should be read in that light.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 4008 cv4TCGxUjvS.exe: 2 entries
PID 4900 cmd.exe: 1 entry
PID 4312 explorer.exe: 61 entries
Suspicious behavior: MapViewOfSection (2 IoCs)
PID 4008 cv4TCGxUjvS.exe; PID 4900 cmd.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
vssvc.exe (PID 2596): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
WMIC.exe (PID 4784), the following set adjusted twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Suspicious use of WriteProcessMemory (13 IoCs)
PID 4008 (cv4TCGxUjvS.exe) wrote to memory of PID 4900 (procid_target 86): 4 times
PID 4900 (cmd.exe) wrote to memory of PID 4312 (procid_target 92): 5 times
PID 4312 (explorer.exe) wrote to memory of PID 2888 (procid_target 95): 2 times
PID 2888 (cmd.exe) wrote to memory of PID 4784 (procid_target 97): 2 times
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups/snapshots. In this run the process tree shows explorer.exe (PID 4312) launching cmd.exe to run WMIC.exe with "shadowcopy where ID='{...}' delete" against a specific shadow copy, and vssvc.exe starting with SeBackupPrivilege and SeRestorePrivilege to service that request. Deleting shadow copies removes the local restore point, so recovery of the renamed files depends on backups held outside the host.
Processes
(tree depth shown in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\cv4TCGxUjvS.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cv4TCGxUjvS.exe"
    PID: 4008
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\SysWOW64\cmd.exe"
        PID: 4900
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\explorer.exe
            Command line: C:\Windows\explorer.exe
            PID: 4312
            - Drops desktop.ini file(s)
            - Enumerates connected drives
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SYSTEM32\cmd.exe
                Command line: cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3ECF19A5-656D-4CA6-8E1B-E037C950ED2A}'" delete
                PID: 2888
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\System32\wbem\WMIC.exe
                    Command line: C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3ECF19A5-656D-4CA6-8E1B-E037C950ED2A}'" delete
                    PID: 4784
                    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 2596
    - Suspicious use of AdjustPrivilegeToken
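Two things in the tree above are worth turning into detection logic: the WMIC "shadowcopy ... delete" command line, and the parent chain in which a Temp-directory executable spawns cmd.exe, which spawns explorer.exe, which spawns the cmd.exe/WMIC pair. The script below is an added example, not part of the sandbox output. Its event records are constructed from the tree above (PIDs, images and command lines as reported); the parent of PID 4008 is not shown on the page and is assumed to be PID 1000, and the benign control event (PID 5100 running "vssadmin list shadows") is invented. The shadow-copy patterns cover the other well-known deletion commands too (vssadmin, wbadmin, Win32_ShadowCopy via PowerShell), not just the WMIC form seen here.

```python
"""Flag shadow-copy deletion and the odd parent chain shown in this report.

Added example, not part of the sandbox output. The event records below are
constructed from the process tree above (PIDs, images and command lines as
reported); the parent of PID 4008 is not shown on the page and is assumed
to be PID 1000, and the benign control event (PID 5100) is invented.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path
    cmdline: str   # command line as logged


# Well-known command lines that delete or starve Volume Shadow Copies.
SHADOW_DELETE = [
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I),
    re.compile(r"win32_shadowcopy\b.*\b(delete|remove-wmiobject|remove-ciminstance)\b", re.I),
]
GUID = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
TEMP_DIR = "\\appdata\\local\\temp\\"


def shadow_copy_deletion(cmdline: str) -> bool:
    return any(p.search(cmdline) for p in SHADOW_DELETE)


def shadow_ids(cmdline: str) -> list:
    """Shadow copy IDs named on the command line; empty when every copy is targeted."""
    return [g.upper() for g in GUID.findall(cmdline)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Events from pid up to the root, stopping at the first parent not in the trace."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def analyze(events):
    """Return {pid: [finding, ...]} for each event that trips a rule."""
    findings = {}
    for e in events:
        hits = []
        if shadow_copy_deletion(e.cmdline):
            ids = shadow_ids(e.cmdline)
            hits.append("shadow copy deletion: " + (", ".join(ids) if ids else "all copies"))
        chain = ancestry(events, e.pid)
        names = [basename(x.image) for x in chain]
        # explorer.exe is started by userinit/winlogon or by explorer itself,
        # not by a cmd.exe; this is the injection chain the report shows.
        if names[:2] == ["explorer.exe", "cmd.exe"]:
            hits.append("explorer.exe started by cmd.exe")
        # Only add the provenance note to events that already tripped a rule.
        if hits and any(TEMP_DIR in x.image.lower() for x in chain[1:]):
            hits.append("ancestor runs from user Temp directory")
        if hits:
            findings[e.pid] = hits
    return findings


# Command line copied from the tree above.
WMIC_CMD = r'''C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3ECF19A5-656D-4CA6-8E1B-E037C950ED2A}'" delete'''

# Constructed from the tree above; ppid 1000 and the PID 5100 control are assumptions.
EVENTS = [
    ProcEvent(4008, 1000, r"C:\Users\Admin\AppData\Local\Temp\cv4TCGxUjvS.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\cv4TCGxUjvS.exe"'),
    ProcEvent(4900, 4008, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\SysWOW64\cmd.exe"'),
    ProcEvent(4312, 4900, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(2888, 4312, r"C:\Windows\SYSTEM32\cmd.exe", "cmd.exe /c " + WMIC_CMD),
    ProcEvent(4784, 2888, r"C:\Windows\System32\wbem\WMIC.exe", WMIC_CMD),
    ProcEvent(5100, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c vssadmin list shadows"),
]

if __name__ == "__main__":
    for pid, hits in analyze(EVENTS).items():
        print(pid, "->", "; ".join(hits))
```

Matching on the command line rather than on the image name matters here: the deletion is issued once through cmd.exe /c and once by WMIC.exe itself, and a rule keyed only on WMIC.exe would miss hosts where the same verb is run through PowerShell's Win32_ShadowCopy path. The parent-chain rule is the cheaper signal, since explorer.exe with a cmd.exe parent is rare on a healthy workstation regardless of what it goes on to run.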
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 760KB
MD5: 8e42de68271f0fbb6d7aba9a66973c45
SHA1: 30491b7d73a4fad0a7a47ff2499c134ecb045fbd
SHA256: a505737dcb11664365fbcf4ff16bb62aadb73b3ad21dbeac03eb4927a05e929a
SHA512: 0b62e30793ccef1cb6ecf19fbdfc1c2239ba8c4c3f104973b9a3bafc631b9a1482928fe12614aa0fe9d0c3c4616d0e5bc197d2542d21b7df96d8f4979e6fd3fe

Filesize: 1KB
MD5: 3408ccb9017e82e93e868eeb5a6a91ef
SHA1: 784753fd3324e38eb614656d3e50406e8a93b1e7
SHA256: ec835702b03af8d4a4cc017411cfb616a00095441070cd6be889597f18e6f988
SHA512: 094cbd1fbc36eaa94fc24a08b757bb4df3680f14497b73c92353510f2da8eb42af24bcbb27945851b6ca3ea41c3187b608356d8a3fabe1e0c435c4fbeb17b34d