Analysis

  • max time kernel
    4s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
  • submitted
    01-01-2024 12:21

General

  • Target

    42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe

  • Size

    4.6MB

  • MD5

    30803c7dd34a425b0e5a62a782576148

  • SHA1

    41a65c6a96ad29fe2a33cae37938fa927ba202e7

  • SHA256

    42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92

  • SHA512

    ad5d6f994501fcf0a38d015f4aa83e06fbb9c09f667e333fbc78c4a9b5c5341b77ea975a57f35b0d861b379cff6410578ad51221668dec2aa4926d22770b9e9c

  • SSDEEP

    49152:i9b8Scr3fzHowpVjg7eB4z17/nhzk/E5Xgg2Ju9omuMgcs4Ty5hPLZPwDBQH2/5x:i1uPzHowIE4Fhzk/0jQ9DtcQypMJ

Score
10/10

Malware Config

Extracted

Path

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\HOW TO RESTORE YOUR FILES.TXT

Ransom Note
Hello! All your files are encrypted, write to me if you want to return your files - I can do it very quickly! Contact me by email: [email protected] or [email protected] The subject line must contain an encryption extension or the name of your company! Do not rename encrypted files, you may lose them forever. You may be a victim of fraud. Free decryption as a guarantee. Send us up to 3 files for free decryption. The total file size should be no more than 1 MB! (not in the archive), and the files should not contain valuable information. (databases, backups, large Excel spreadsheets, etc.) !!! Do not turn off or restart the NAS equipment. This will lead to data loss !!! To contact us, we recommend that you create an email address at protonmail.com or tutanota.com Because gmail and other public email programs can block our messages!

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\joptbcwtomenivj.bat
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Windows\system32\findstr.exe
      FINDSTR SERVICE_NAME
      2⤵
        PID:728
      • C:\Windows\system32\sc.exe
        SC QUERY
        2⤵
        • Launches sc.exe
        PID:4148
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\axubusosebavhx.bat
      1⤵
        PID:3160
      • C:\Users\Admin\AppData\Local\Temp\42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe
        "C:\Users\Admin\AppData\Local\Temp\42e978a513d1bce5d9b837029a3f280220d7cabb7be556c6ee2a9e8113fd0c92.exe"
        1⤵
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2100
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nfbief.bat
          2⤵
            PID:532
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              3⤵
              • Interacts with shadow copies
              PID:1868
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oueodergtfpnqblobiv.bat
            2⤵
              PID:2680
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
              PID:4344

            Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\HOW TO RESTORE YOUR FILES.TXT

              MD5

              d41d8cd98f00b204e9800998ecf8427e

              SHA1

              da39a3ee5e6b4b0d3255bfef95601890afd80709

              SHA256

              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

              SHA512

              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

            • C:\Users\Admin\AppData\Local\Temp\joptbcwtomenivj.bat

              Filesize

              43B

              MD5

              55310bb774fff38cca265dbc70ad6705

              SHA1

              cb8d76e9fd38a0b253056e5f204dab5441fe932b

              SHA256

              1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d

              SHA512

              40e5a5e8454ca3eaac36d732550e2c5d869a235e3bbc4d31c4afa038fe4e06f782fa0885e876ad8119be766477fdcc12c1d5d04d53cf6b324e366b5351fc7cd4