81fb00c585e1c2379fc3241d104e62f6e106e8dfc1d4a73f8e878f2975740613

Analysis

max time kernel
35s
max time network
14s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
Size

4.6MB
MD5

7d9c6313b2e412f0db4380b279eb4fed
SHA1

0675b3958e7eef4090775f665d8201837f167f01
SHA256

1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593
SHA512

ddaa21b661f448442df6556dec57429636e7aa6fa9ce4f098ac218cc702b301903c7bf254b9aee732a90561402b420d977be6bb7940bf49aa55e0e5f9991075e
SSDEEP

98304:OOTXCHbq9evuviwF+Mc42HfPt5Sqg9pkJ:3LCHbqwvuvi40HN5Tgi

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\HOW TO RESTORE YOUR FILES.TXT

Ransom Note

Hello! All your files are encrypted, write to me if you want to return your files - I can do it very quickly! Contact me by email: [email protected] or [email protected] The subject line must contain an encryption extension or the name of your company! Do not rename encrypted files, you may lose them forever. You may be a victim of fraud. Free decryption as a guarantee. Send us up to 3 files for free decryption. The total file size should be no more than 1 MB! (not in the archive), and the files should not contain valuable information. (databases, backups, large Excel spreadsheets, etc.) !!! Do not turn off or restart the NAS equipment. This will lead to data loss !!!

Emails

[email protected]

Signatures

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\D81E4632-E37A-4E03-BFEB-99AEB37FF3F3\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt.tkoinprz	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\D81E4632-E37A-4E03-BFEB-99AEB37FF3F3\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\applet\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1036\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\images\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\D81E4632-E37A-4E03-BFEB-99AEB37FF3F3\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\amd64\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\HOW TO RESTORE YOUR FILES.TXT	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
432	sc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 3120	4916	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe	83
PID 4916 wrote to memory of 3120	4916	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe	83
PID 3120 wrote to memory of 432	3120	cmd.exe	85
PID 3120 wrote to memory of 432	3120	cmd.exe	85
PID 3120 wrote to memory of 4908	3120	cmd.exe	86
PID 3120 wrote to memory of 4908	3120	cmd.exe	86
PID 4916 wrote to memory of 2420	4916	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe	87
PID 4916 wrote to memory of 2420	4916	1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe	87

C:\Users\Admin\AppData\Local\Temp\1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe
"C:\Users\Admin\AppData\Local\Temp\1d67abe1ec08e6215e08d6bb595ade3d1d33d0e886edf887b29f4d8e1d46e593.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cprkppnctrrujyjgq.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\system32\sc.exe
    SC QUERY
    3⤵
    - Launches sc.exe
    PID:432
- - C:\Windows\system32\findstr.exe
    FINDSTR SERVICE_NAME
    3⤵
    PID:4908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iebuybqmtyxirt.bat
  2⤵
  PID:2420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\HOW TO RESTORE YOUR FILES.TXT

Filesize
693B

MD5
a79e430b2fba0a454b52da329f96740f

SHA1
feca3bcb918fced853eb6fd8db45e2cbef7cdce5

SHA256
5a834263135bc4f1b86b7236d7f1e2bbbbfa207c748e7e988b37e82ddbd647b0

SHA512
c416feb4eaa72a5913cea6af1f8b32855e93c2ed29447f1a71a6bf024caa8412ad77cbd43689b8a9d71da96f21c9c6b9eebd474198419dd3e95e1069e854659e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cprkppnctrrujyjgq.bat

Filesize
43B

MD5
55310bb774fff38cca265dbc70ad6705

SHA1
cb8d76e9fd38a0b253056e5f204dab5441fe932b

SHA256
1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d

SHA512
40e5a5e8454ca3eaac36d732550e2c5d869a235e3bbc4d31c4afa038fe4e06f782fa0885e876ad8119be766477fdcc12c1d5d04d53cf6b324e366b5351fc7cd4

Download Submit