Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted
20-12-2023 19:56
Behavioral task
behavioral1
Sample
c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40.dll
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40.dll
Resource
win10v2004-20231215-en
General
-
Target
c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40.dll
-
Size
2.7MB
-
MD5
88bb86494cb9411a9692f9c8e67ed32c
-
SHA1
82f8060575de96dc4edc4f7b02ec31ba7637fa03
-
SHA256
c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40
-
SHA512
670acd30005be75bbced78a505b4f0ded7f39cb4f4d55f9b09f31964d20bebb62908d40da4c9a103c87e83f4b31e0435ffd9ec78ee7a585c216e5551e0c67ebb
-
SSDEEP
49152:MxmXXxQjiQspGXtwB0pnkF7TosNjLSq6Pq3Ecv9dsiPTg3pg:DQeQVmB0pni7TosNKq6adsi
Malware Config
Extracted
agenda
-
company_id
feGDg5BHWw
-
note
-- Qilin
Your network/system was encrypted.
Encrypted files have new extension.
-- Compromising and sensitive data
We have downloaded compromising and sensitive data from you system/network
If you refuse to communicate with us and we do not come to an agreement, your data will be published.
Data includes:
- Employees personal data, CVs, DL , SSN.
- Complete network map including credentials for local and remote services.
- Financial information including clients data, bills, budgets, annual reports, bank statements.
- Complete datagrams/schemas/drawings for manufacturing in solidworks format
- And more...
-- Warning
1) If you modify files - our decrypt software won't able to recover data
2) If you use third party software - you can damage/modify files (see item 1)
3) You need cipher key / our decrypt software to restore you files.
4) The police or authorities will not be able to help you get the cipher key.
We encourage you to consider your decisions.
-- Recovery
1) Download tor browser: https://www.torproject.org/download/
2) Go to domain
3) Enter credentials
-- Credentials
Extension: feGDg5BHWw
Domain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion
login: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7
password:
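The extracted config above pairs a company_id with a note whose credentials block carries the same value as "Extension", plus a v3 onion domain and a login. The script below is an added example for this report (not sandbox or ransomware code) that pulls those fields out of the note text, cross-checks the extension against the company_id, and sanity-checks the onion address by decoding it and reading its version byte. The credentials tail is copied from the note above; the field labels are taken from that note and assumed to hold for other notes of this family.

```python
"""Pull the operator-facing fields out of a Qilin/Agenda ransom note.

Added example for this report, not sandbox or ransomware code.  NOTE_TAIL is
the credentials block copied from the note extracted above; the field layout
("Extension:", "Domain:", "login:", "password:") is taken from that note and
assumed (not verified) to hold for other notes of the same family."""
import base64
import re
from typing import Dict, Optional

# Credentials tail of the note extracted in this report (the password field
# is empty in the report as well).
NOTE_TAIL = (
    "-- Recovery 1) Download tor browser: https://www.torproject.org/download/ "
    "2) Go to domain 3) Enter credentials-- Credentials Extension: feGDg5BHWw "
    "Domain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion "
    "login: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 password:"
)

# Only the four labelled fields; "\S*" lets an empty trailing password match.
FIELD_RE = re.compile(r"\b(Extension|Domain|login|password):\s*(\S*)")
# A Tor v3 onion address is exactly 56 base32 characters before ".onion".
ONION_RE = re.compile(r"^([a-z2-7]{56})\.onion$")


def onion_version(domain: str) -> Optional[int]:
    """Return the version byte of a v3 onion address, or None if malformed.

    The 56-char label base32-decodes to 35 bytes: 32 bytes of Ed25519 public
    key, a 2-byte checksum and a 1-byte version, which is 3 for v3 services.
    The checksum (SHA3-256 over ".onion checksum" || pubkey || version) is
    deliberately not verified here; only the layout is checked.
    """
    m = ONION_RE.match(domain.lower())
    if not m:
        return None
    raw = base64.b32decode(m.group(1).upper())  # 56 chars -> 35 bytes, no padding
    if len(raw) != 35:
        return None
    return raw[34]


def parse_note(note: str) -> Dict[str, object]:
    """Extract extension, domain, login, password and the onion version byte."""
    fields = {k.lower(): v for k, v in FIELD_RE.findall(note)}
    out: Dict[str, object] = {
        "extension": fields.get("extension", ""),
        "domain": fields.get("domain", ""),
        "login": fields.get("login", ""),
        "password": fields.get("password", ""),
    }
    out["onion_version"] = onion_version(str(out["domain"]))
    return out


def matches_config(note: str, company_id: str) -> bool:
    """Cross-check: the note's 'Extension' should equal the extracted company_id."""
    return parse_note(note)["extension"] == company_id


if __name__ == "__main__":
    for key, value in parse_note(NOTE_TAIL).items():
        print(f"{key}: {value!r}")
    print("extension matches company_id:", matches_config(NOTE_TAIL, "feGDg5BHWw"))
```

Run it as-is to print the parsed fields; for a fresh sample, replace NOTE_TAIL with the note dropped on disk and pass the config's company_id to matches_config. A mismatch between the two is worth a second look, since the extension is how the operators tie a victim to a portal account.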
Signatures
-
Agenda Ransomware
A ransomware family with multiple variants, written in Golang and Rust, first seen in August 2022. Agenda is also tracked as Qilin, the name the operators use in the note above.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exe
description | pid | Process | procid_target
PID 2872 wrote to memory of 2656 | 2872 | rundll32.exe | 17
PID 2872 wrote to memory of 2656 | 2872 | rundll32.exe | 17
PID 2872 wrote to memory of 2656 | 2872 | rundll32.exe | 17
PID 2872 wrote to memory of 2656 | 2872 | rundll32.exe | 17
PID 2872 wrote to memory of 2656 | 2872 | rundll32.exe | 17
PID 2872 wrote to memory of 2656 | 2872 | rundll32.exe | 17
PID 2872 wrote to memory of 2656 | 2872 | rundll32.exe | 17
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40.dll,#1
- Suspicious use of WriteProcessMemory
PID:2872
  C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40.dll,#1
  PID:2656
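The process tree shows the 64-bit rundll32 (PID 2872) loading the sample from the user's Temp directory by export ordinal (",#1"), then spawning a SysWOW64 rundll32 (PID 2656) with the same command line and writing into its memory seven times, which is what a 32-bit DLL handed off to WoW64 on a 64-bit host looks like. The script below is an added example for this report, not sandbox code, that turns those three observations into detection logic over process events. The event records are constructed to mirror the tree above; the field names (pid, ppid, image, cmdline) and the "PID X wrote to memory of Y" line format are this example's own reading of the report.

```python
"""Flag the rundll32 behaviour recorded in this report's process tree and
WriteProcessMemory IoCs.  Added example for this report, not sandbox code.
EVENTS is constructed to mirror the report's process tree; the record fields
(pid, ppid, image, cmdline) are this example's own, as is the assumption that
IoC lines read "PID <src> wrote to memory of <dst> ..." as they do above."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40.dll")


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Constructed from the report's process tree: the 64-bit rundll32 (2872) loads
# the DLL by export ordinal #1 and spawns a SysWOW64 rundll32 (2656) doing the same.
EVENTS = [
    ProcEvent(2872, None, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(2656, 2872, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
]

# The report's seven identical WriteProcessMemory IoC lines.
WPM_LINES = ["PID 2872 wrote to memory of 2656 2872 rundll32.exe 17"] * 7

# rundll32 given a DLL under the user's Temp directory and an ordinal entry point.
ORDINAL_TEMP_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^"]*?\\AppData\\Local\\Temp\\[^"]*?\.dll)"?,#(?P<ordinal>\d+)',
    re.IGNORECASE,
)
WPM_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)")


def ordinal_temp_loads(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """(pid, ordinal) for every rundll32 loading a Temp-resident DLL by ordinal."""
    hits = []
    for ev in events:
        m = ORDINAL_TEMP_RE.search(ev.cmdline)
        if m and ev.image.lower().endswith("\\rundll32.exe"):
            hits.append((ev.pid, int(m.group("ordinal"))))
    return hits


def wow64_handoffs(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """(parent_pid, child_pid) where a system32 rundll32 spawns a SysWOW64 rundll32.

    On a 64-bit host this is the footprint of a 32-bit DLL being re-hosted under
    WoW64 after the 64-bit loader could not load it in-process."""
    by_pid = {ev.pid: ev for ev in events}
    out = []
    for ev in events:
        parent = by_pid.get(ev.ppid) if ev.ppid is not None else None
        if (parent is not None
                and "\\syswow64\\rundll32.exe" in ev.image.lower()
                and "\\system32\\rundll32.exe" in parent.image.lower()):
            out.append((parent.pid, ev.pid))
    return out


def parse_wpm(lines: List[str]) -> Dict[Tuple[int, int], int]:
    """Count WriteProcessMemory edges as (source pid, target pid) -> occurrences."""
    counts: Counter = Counter()
    for line in lines:
        m = WPM_RE.search(line)
        if m:
            counts[(int(m.group("src")), int(m.group("dst")))] += 1
    return dict(counts)


def findings(events: List[ProcEvent], wpm_lines: List[str]) -> List[str]:
    """Human-readable findings combining the three signals."""
    out = []
    for pid, ordinal in ordinal_temp_loads(events):
        out.append(f"pid {pid}: rundll32 loads Temp DLL by ordinal #{ordinal}")
    wpm = parse_wpm(wpm_lines)
    for parent, child in wow64_handoffs(events):
        n = wpm.get((parent, child), 0)
        out.append(f"pid {parent} -> {child}: system32 rundll32 spawned SysWOW64 rundll32, "
                   f"{n} WriteProcessMemory events into the child")
    return out


if __name__ == "__main__":
    for line in findings(EVENTS, WPM_LINES):
        print(line)
```

The ordinal-from-Temp check is the one worth hunting for on its own: legitimate rundll32 invocations name an exported function (for example shell32.dll,Control_RunDLL) and rarely point into %TEMP%. The WoW64 hand-off and the parent-to-child memory writes add confidence but also occur for benign 32-bit DLLs run on 64-bit hosts, so treat them as corroboration rather than a standalone alert.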