Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/10/2023, 17:34

General

  • Target

    sample.exe

  • Size

    241KB

  • MD5

    6c292c92e703a155612fe50ea96161d1

  • SHA1

    e6ea7c6f564a2fbe15beaf3419dc334d536f250c

  • SHA256

    a1bcb4ceb586cd9dc78323ce2888080ea88a58708a3a95e546bff46d74fc13c8

  • SHA512

    ab1fb843188f0a5495fea9ccd66bfc13385b95d4ffd7bfc9486e6d29f1c7f3a9468f6b7dadad29f94204d9c9055e5111e7e8c23344c322b979ebd5809096566a

  • SSDEEP

    6144:7vB3myi10AU3fb9wZ+4hCLSiqdJft5sJ:7vNq10AU3fb9wosC/J

Malware Config

Extracted

Path

F:\LAMBDA_README.txt

Ransom Note
[[=== Lambda Ransomware ===]]

[+] What's happened?
All your files are encrypted and stolen, but you need to follow our instructions. otherwise, you cant return your data (NEVER).

[+] What guarantees?
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, we decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. time is much more valuable than money.

[+] Instructions:
a) Download and install Tor Browser from this site: https://www.torproject.org/
b) Open our website: http://nn5ua7gc7jkllpoztymtfcu64yjm7znlsriq3a6v5kw7l6jvirnczyyd.onion
c) Enter this UID in the input: 445ADCC3B44559D3

!!! DANGER !!!
DON'T try to change files by yourself, DON'T use any third party software for restoring your data or antivirus/edr solutions - its may entail damage of the private key and, as result, The Loss all data. SPEAK for yourself. Since no one else has the private key, any interfere of third party companies/individuals is tantamount to scamming you.

ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://nn5ua7gc7jkllpoztymtfcu64yjm7znlsriq3a6v5kw7l6jvirnczyyd.onion

Signatures

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2244
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2032
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1548

Downloads

    • F:\LAMBDA_README.txt

      Filesize

      1KB

      MD5

      a9830ac68af71dc7dfaf65e5994e7092

      SHA1

      497c5fc4ba6235518a438001476a4b87c57c68fb

      SHA256

      f11e99b7e6be8baf655b5342719583bf2d68292577abaafc0b7c24fafc143be8

      SHA512

      197c9c0bac64389f156220bd861e20bf1e990b27036dbe19c7d8e5158acbb07ad46610ffa930a2d7822e7953b4b0417740298f8b20882027ea51c371813facfe

    • \Program Files\DVD Maker\DVDMaker.exe

      Filesize

      2.2MB

      MD5

      e83d2495d5867e224fbf42ef40d8856c

      SHA1

      fec908e0e7bc469875ab8f68d936225c635a6ac2

      SHA256

      2c806d9b932f24c4bc84e86ced7962a75c0161ff732f77eb1827a3a14976b2c1

      SHA512

      e22f36cb40fff2672e9e49aa991656a0cc1188c7ba2583efae2d238a4e864bd5f8bdc532a5c35285ca2b4b105097454eb06d5860c41e618c44bab6e300408b8d

    • \Program Files\Internet Explorer\iexplore.exe

      Filesize

      785KB

      MD5

      0685765c0cbe095ba0c6c8790bae21ef

      SHA1

      ac421b25637dae29da89bf128c8767a85ae9ff9d

      SHA256

      1b3c732f64215970519e0895e6153ea3e83da8877a83aac62520cca5c04bd267

      SHA512

      feae15fa071e0656df05c6e0bf00c9cc6840d31b8f7f6edcb2738e59bf2f7bfd967537c7985285b1526cd508ed0792f7e14a6b4c8dfb64880d009b8770df3494

    • \Program Files\Windows Sidebar\sidebar.exe

      Filesize

      1.4MB

      MD5

      e3bf29ced96790cdaafa981ffddf53a3

      SHA1

      e513dd19714559226cd52169fbb4489ca5740e88

      SHA256

      76cb27ef7b27e5636eda9d95229519b2a2870729a0bb694f1fd11cd602bac4dc

      SHA512

      d7b7e3a11d968ebe4e5f07667581cd0f3abb8a919dc2bf23796d2a8438d53a697792697ee9d0a42002d3d4045eb80ca3f6620a57d9ea62215969fab4edebd132
