Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 20:38

General

  • Target

    fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe

  • Size

    53KB

  • MD5

    5efa19dc204e46e8d8c57482f80e7a40

  • SHA1

    5c83b3ddc8417fe64e0bbd3495445ddcee52e35e

  • SHA256

    fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f

  • SHA512

    0cdf4a1263b9a341240acea245155f0afbaac864eccd1d9623a9a152a9287e8a65cd62f12804d5a1293c9d960a4958c2aa05a720f35d42699fec5d4ac0accfc1

  • SSDEEP

    768:FKcvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5YW:F9eytM3alnawrRIwxVSHMweio3+

Malware Config

Extracted

Path

C:\ProgramData\regid.1991-06.com.microsoft\how_to_back_files.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">����������49 5B F6 6B D7 11 DE 63 20 F0 7E 9C 26 B9 77 5C DB AA B7 BD 83 22 BF 82 E5 EC 20 C4 50 5C 9B 74 CC 85 94 23 EB FE 8A 72 E0 AF 7A 0A F4 AE 46 FC BD FB DA 84 01 F7 EC A8 4E B0 3F 56 C3 50 C4 E1 5F FB 2D B1 67 BB 97 F5 23 10 68 6E B7 AC 8A FC 37 7A CA B1 26 56 04 CA 98 D1 5C 7A 7E 43 73 CF CC CD EB 9C 3C B9 94 EE 44 3E 36 B5 81 D5 1C 14 4A 97 94 7A 6E 78 9B F0 C2 86 75 83 E3 A3 85 3B C1 74 A9 91 07 FA 64 91 F8 2B A5 4D CD AF F2 6D 29 48 29 53 A1 4B D9 2D A4 AE E5 70 8E 33 4C 47 15 26 D8 9B EE 8F D3 30 6F 10 D7 BC 3C 1F 34 12 8F 43 2C 1F FA 21 34 90 7B B9 22 A2 CC E0 29 22 11 8B A0 CB 3E 13 91 AD E2 D6 9D 2B EE 5F 5D 51 3C 9B 75 DA 20 14 00 BC A7 6E 69 4D 7E 72 28 11 5A 0A C5 07 C9 62 6F F9 94 99 B4 62 EE 2A DE 1D 63 52 68 24 A7 70 29 C3 63 1A 8C 2C EE 3A 7A 64 </span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Signatures

  • Renames multiple (947) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe
    "C:\Users\Admin\AppData\Local\Temp\fd71b1ab3e3823ccd88c0f406c30c4386074c36e1c0432e13121550cd655098f.exe"
    1⤵
    • Drops file in Program Files directory
    PID:4560

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\regid.1991-06.com.microsoft\how_to_back_files.html

    Filesize

    4KB

    MD5

    a04d8acde3e56d5707c8277d707f5c3e

    SHA1

    917ab95f70f619a3ee05d0471083ae2b377427b2

    SHA256

    45c479802770e519e3e68bd7df6db8330f79b3bd1165115acba2c1efe180646b

    SHA512

    61a976dc6495f9ebcd09873a69d86faaa2d2e469a8d822932d2abcbc66fb4897d81fb44ceae80ae669d7ae4c86761eaceb92caf232b52c9ab30ebb3ed4b286c2

  • memory/4560-0-0x0000000000400000-0x000000000040E200-memory.dmp

    Filesize

    56KB

  • memory/4560-55-0x0000000000400000-0x000000000040E200-memory.dmp

    Filesize

    56KB