Analysis

  • max time kernel
    137s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/10/2023, 15:50

General

  • Target

    sample.exe

  • Size

    146KB

  • MD5

    1784d03173fd273f9810be0a48f1f383

  • SHA1

    b4354665152723b9fa6e31f07d155265a1d6e2f6

  • SHA256

    03097f75904007de33f69ec77e02146fe2a0b3d3b2a923640677bb1f46815b07

  • SHA512

    35dad75e13ab4363ee1495e304e58ec11f731da1f8e21ce9690cfd0cff7d77c50f8b9b5584208e315c8cbb71345401e6ffd771427690b2cffcb40b3ec78b7edb

  • SSDEEP

    3072:nyPZHpVIYbQf91G3im/2Ef07Jysgk8vRFHoCj1advu07rr/b/V53SgvB+qMDDpvy:n2HpV+8vnvEu0Xrjt5igvy6Qijx3P

Malware Config

Extracted

Path

C:\ProgramData\Merlin_Recover.txt

Ransom Note
Your ID is: 5F03B352D4822F03 Q: How to contact us? A: Install session messenger from this link : https://getsession.org/download And chat with us. This is our sessions ID: 05752759728f65ca92b3d98fc72500cdb7c5b11eb7b17f7d8afc6b8ecdcbdedf6d OR Contact with these email addresses: [email protected] [email protected] [email protected] ** Make sure to include the ID in the first line of massages or subject of email, otherwise we won't answer your massages. Q: What's Happened? A: Your files have been encrypted and now have the "Merlin" extension. The file structure has been changed to unreadable format, so they are inaccessible. Your critical information has been downloaded, including databases, financial/developmental, accounting, and strategic documents. Q: How to recover files? A: If you want to decrypt all of your data and return your systems to operative state, you require a decryption tool. We are the only ones who own it, and also, if you want your stolen data will be wiped out from our systems, you better contact us. Q: What about guarantees? A: we decrypt 2 non_important files under 5MB for free (they should not include sensitive information). We will decrypt them and send them back to you. They can be from different computers on your network to be sure that one key can decrypts your whole systems. That is our guarantee. It's just a business and we don't pursue any political objectives. We absolutely do not care about you and your data except the money and our reputation are the only things that matters to us. if we do not do our work and liabilities, nobody will cooperate with us which is not in our interests. Q: How will the decryption process proceed after payment? A: After payment, we will send you our decryption program + detailed instructions for use. With this program, you will be able to decrypt all your encrypted files. 
*** Important *** 1- certain files that were encrypted but not renamed to "Merlin" extension, they will also be recovered by the decryption tool. 2- If you want the decryption procedure to be effective, DO NOT delete or modify the encrypted files, it will cause issues with the decryption process. 3- Beware Any organization or individual who asserts they can decrypt your data without paying us should be avoided. They just deceive you and charge you much more money as a consequence; they all contact us and buy the decryption tool from us. Q: If you don't want to pay to us? A: it does not matter to us, but you have to accept its consequences: 1- Your data will be leaked for free on TOR darknet and your competitors can have access to your data. 2- We know exactly what vulnerabilities exist in your network and will inform google about them. The money we asked for is nothing compare to all of these damages to your business so we recommend you to pay the price and secure your business. If you pay we will give you tips for your security so it can't be hacked in the future besides you will lose your time and data cause we are the only ones that have the private key. In practice - time is much more valuable t

URLs

https://getsession.org/download

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (7055) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3852
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\sample.exe" /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\sample.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:232
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3240
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5060
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3164
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\Temp3.tmp"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4912
      • C:\Users\Admin\AppData\Local\Temp\Temp3.tmp
        C:\Users\Admin\AppData\Local\Temp\Temp3.tmp
        3⤵
        • Executes dropped EXE
        PID:1564
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
        3⤵
        PID:3844
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2408
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    PID:976
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1880

      Downloads

      • C:\ProgramData\Merlin_Recover.txt

        Filesize

        3KB

        MD5

        64d1b77bb61544c8440363d4374c3c65

        SHA1

        2925f8f71c44185ceb93939c1dba343e1d77d6d6

        SHA256

        9d7aee82e5e3a93c4d513ba145c72003094a9a833aeec8becffd56a8893259a1

        SHA512

        f15e8918fda73cb45a2a81286e0c16fc754661fe07d9839e070ae0581f23ada1deff3e359f0348410c3ce6511b14d8005b36f813e770270395505d3299ff0af1

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

        Filesize

        13KB

        MD5

        e920143776eb0e45a1e176c28e8ac73a

        SHA1

        ac8d819c60e3a83f0a8739285cb8779165b473dd

        SHA256

        5d730a6b68dc4b1c83abe6045e6307c42bf36ea33d7893de92b70c443d833547

        SHA512

        22b975d01df643b369764b4b7852f424bef669231d2b35fc70118ed599929c738e933f14896c49beff786340b51ee2e83f80d9acdf7287c76872d18fdabc53ae

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

        Filesize

        14KB

        MD5

        0cdf944d4f8cb598a4f6a95245fcc35d

        SHA1

        bbc33ebc42c2c7cea498d9217414dd8f62aacde7

        SHA256

        fcbf8a23c859cacabd4c9f687ce43b434d3d7c6e9c55fe4377135dc5bbc99e09

        SHA512

        59f0945fc850fa8b60583d01a480cd19dfdad2a093891128f1905b6dfda879ef44cf68d8032ac89a17b745da07bb0889922ce1a2a4eb3078fcac9bd60d3578c0

      • C:\Users\Admin\AppData\Local\Temp\Temp3.tmp

        Filesize

        5KB

        MD5

        ab65af4349e7c5b0872c8b808d036980

        SHA1

        414b2a2748b7ea6176c1d2453f89fdc8a2d349d0

        SHA256

        a6c41f368f42a7c57c307a48ce2440a60a744226b6414fadb6517a80a5d160a2

        SHA512

        2c61c56e8c299677bad4ce223e3187200c341aa4dd4503fac1217aa8e15687af03544a6d160bb2b1b131a56ea9df2967e00359aa622f12d1b82605c40cca6679