Overview

overview

10

Static

static

10

f3c6dac2d2...0f.exe

windows7-x64

10

f3c6dac2d2...0f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    178s
  • max time network
    207s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-01-2024 12:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3c6dac2d21f7289e2807c0479a76105a5e8ed3a5c7ccbeae6d289e0b6e6880f.exe

  • Size

    3.9MB

  • MD5

    e935daaad632a9539fcddcb2839a4413

  • SHA1

    96f7794f17ce6d4f4bd34242b86035728612cd6d

  • SHA256

    f3c6dac2d21f7289e2807c0479a76105a5e8ed3a5c7ccbeae6d289e0b6e6880f

  • SHA512

    515fe24aa8203c83e58ba59621bc057da2b6f9f5529dd18fc11b5f3001503d10d06ec58d654f1446707113581c4d51d39e4144f47a7ab1a80fe609c89d8bf9c8

  • SSDEEP

    49152:QqfUqBfTafqaa5Xa+Xyqr5LFZBUM2/x102UlJnI7mRkyMDiNZri3r8SZ:QqfHr+qF/C0rBN2Z/yMDiXgr

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\HOW TO RESTORE YOUR FILES.TXT

Ransom Note
Dear Management! We inform you that your network has undergone a penetration test, during which we encrypted your files and downloaded more than 55 GB of your and your customers data, including: Accounting Marketing data Confidentional documents Copy of some mailboxes Databases backups We understand that if this information gets to your clients or to media directly, it will cause reputational and financial damage to your business, which we wouldn't want, therefore, for our part, we guarantee that information about what happened will not get into the media (but we cannot guarantee this if you decide to turn to third-party companies for help or ignore this message). Important! Do not try to decrypt the files yourself or using third-party utilities. The only program that can decrypt them is our decryptor, which you can request from the contacts below. Any other program will only damage files in such a way that it will be impossible to restore them. You can get all the necessary evidence, discuss with us possible solutions to this problem and request a decryptor by using the contacts below. Please be advised that if we don't receive a response from you within 3 days, we reserve the right to publish files to the public. Contact me: [email protected] or [email protected] Additional ways to communicate in tox chat https://tox.chat/ contact our tox id: 5BF6FF6E9633FDCF1441BF271CBE5DAE1B6B027FA5B85A6EE5704E8B7FEC8E50A323CD66F7D2
URLs

https://tox.chat/

Signatures

  • Renames multiple (3311) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3c6dac2d21f7289e2807c0479a76105a5e8ed3a5c7ccbeae6d289e0b6e6880f.exe
    "C:\Users\Admin\AppData\Local\Temp\f3c6dac2d21f7289e2807c0479a76105a5e8ed3a5c7ccbeae6d289e0b6e6880f.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uhrnrblqgiqa.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5088
      • C:\Windows\SysWOW64\sc.exe
        SC QUERY
        3⤵
        • Launches sc.exe
        PID:4216
      • C:\Windows\SysWOW64\findstr.exe
        FINDSTR SERVICE_NAME
        3⤵
          PID:2936
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\arcfgdimyaoqd.bat
        2⤵
          PID:4536

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\HOW TO RESTORE YOUR FILES.TXT
        Filesize

        1KB

        MD5

        908b081d27e66459f1a358ad68dd4f2e

        SHA1

        83368abadbac8ff7b287d5456d793dda97d6c770

        SHA256

        ebe3caa315fe5d07d991a3aecbc4697e4392800d61917c4e16de6582048682cf

        SHA512

        20e5a4e138d0e234ec366ebe63d6481bf578a9640aa03475b22b2d1cf1c7f94b07db1bad0aeb462729108152f216faee025670d8e57f9ff05d96f8572ae18785

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\uhrnrblqgiqa.bat
        Filesize

        43B

        MD5

        55310bb774fff38cca265dbc70ad6705

        SHA1

        cb8d76e9fd38a0b253056e5f204dab5441fe932b

        SHA256

        1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d

        SHA512

        40e5a5e8454ca3eaac36d732550e2c5d869a235e3bbc4d31c4afa038fe4e06f782fa0885e876ad8119be766477fdcc12c1d5d04d53cf6b324e366b5351fc7cd4

        Download Submit