Resubmissions

25-09-2023 03:09

230925-dnnxdabg21 10

20-04-2023 15:22

230420-ssddrscf5z 10

Analysis

  • max time kernel
    140s
  • max time network
    126s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
  • submitted
    25-09-2023 03:09

General

  • Target

    fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe

  • Size

    53KB

  • MD5

    5efa19dc204e46e8d8c57482f80e7a40

  • SHA1

    5c83b3ddc8417fe64e0bbd3495445ddcee52e35e

  • SHA256

    fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f

  • SHA512

    0cdf4a1263b9a341240acea245155f0afbaac864eccd1d9623a9a152a9287e8a65cd62f12804d5a1293c9d960a4958c2aa05a720f35d42699fec5d4ac0accfc1

  • SSDEEP

    768:FKcvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5YW:F9eytM3alnawrRIwxVSHMweio3+

Malware Config

Extracted

Path

C:\ProgramData\regid.1991-06.com.microsoft\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">����������4D 67 23 2A 15 C0 18 24 08 25 33 93 BE 06 AB 5D 11 2E 5A 2F 07 06 20 7F BD 69 CB 67 96 AE 00 EF C8 83 55 23 5E BC 77 D7 73 37 E6 E7 25 47 10 85 14 06 00 29 FE A9 33 AA E7 BC F9 F7 CF AE 9B E3 ED 5F 78 37 9D 42 77 FC 18 84 60 88 7D 58 AD FD 47 36 AD 0C 13 00 4F FC 80 5A B8 21 10 62 FC A5 93 70 7B 88 25 B9 8E E3 69 15 E7 08 96 51 77 C6 91 B9 A1 5F 1A 05 C7 2B 5B 5B A3 A8 9A 1F 43 F3 C1 C6 C1 D2 0C 1A 68 D3 C0 58 F3 F7 C1 EB FC B6 7C 43 C8 B9 1B 5B 8E 26 45 7A AD 7B 57 0E 78 B1 91 D0 B5 49 42 17 B0 C0 79 AF 15 E7 DC 9B E2 B6 9E 82 49 95 FB 4C 05 32 A8 8B FE D6 7F F6 EB 17 FD 82 2E 91 5A 90 94 8B 3C AD 62 DE 0B 17 26 C3 41 A5 4E CF 5C BA 77 6D E9 DE 1B A4 C0 39 F8 3E 5E 43 C5 AC E0 67 D2 A7 35 B6 B8 F2 C5 23 81 50 ED 63 04 69 61 B4 54 9B C8 82 FA B7 8F 52 01 63 </span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Signatures

  • Renames multiple (7143) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
    "C:\Users\Admin\AppData\Local\Temp\fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3444
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe > nul
      2⤵
        PID:2956

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\regid.1991-06.com.microsoft\how_to_back_files.html

      Filesize

      4KB

      MD5

      262797936249af0fc5c36138847fb982

      SHA1

      154ca864bf4e8878900a9b8a222b8aff1691d7f6

      SHA256

      748da15758ce85368c01a6e16954982abdb2190c03d539e809f7467ca1e7e33d

      SHA512

      5af30dc3353038caba17a52cfd873135de228e3b80b7a40378658c9e9085601049aa8f3bf7ac4ead7ee85da3d441711c7d2f984e9e055b96863acdc6db86bf06

    • memory/3444-0-0x0000000000400000-0x000000000040E200-memory.dmp

      Filesize

      56KB

    • memory/3444-510-0x0000000000400000-0x000000000040E200-memory.dmp

      Filesize

      56KB