Resubmissions

  • 240121-r8syqaeac7
    submitted 21-01-2024 14:52, score 10
  • 240121-r8k8waeac5
    submitted 21-01-2024 14:51, score 10
  • 240101-q776kscacp
    submitted 01-01-2024 13:55, score 10

Analysis

  • max time kernel
    120s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
  • submitted
    01-01-2024 13:55

General

  • Target

    59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d.exe

  • Size

    477KB

  • MD5

    ebbb782bafaa3ab64a3e4b006a698fe0

  • SHA1

    2800cd4dd62ba63f38d0452bf80cb35b4359a3dd

  • SHA256

    59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d

  • SHA512

    cd6681d7987901eb27064c4a833052abccef60383f9b0e53360ae9e3e66a19d0d0405bdeb5a609c7d668aa8720eb49f5fc3f060920ec042ec6584eebfd9f09ae

  • SSDEEP

    6144:ko4FuDncVzUJOH5bpX3Q92J6fHgaEFx9BQOJvZTsMJfOg2lOMxPEiarVb0J0:kzuwVzUW5bN3Y6LmO13Gg2IMyxrt0u

Score
10/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\readme.txt

Ransom Note
Dear user! Your computer is encrypted! We demand a ransom! Decryption service is paid !!!! PAYMENT FOR BITCOIN !!! To decrypt your computer, you need to download the TOR browser at https://www.torproject.org/download/ Install it and visit our website for further action http://paymen45oxzpnouz.onion/3a9577cf20 Also from your servers files, documents, databases SQL, PDF were uploaded to our cloud storage After we agree, you will receive a decryption program, valuable advice in order not to fall into this situation in the future, as well as all your files on our server will be deleted. Otherwise, they will fall into the open access of the Internet! Use any third party software for restoring your data or antivirus solutions will result in a loose of data. Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.
URLs

http://paymen45oxzpnouz.onion/3a9577cf20
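The note above carries two things a responder actually acts on: the Tor payment portal and the per-victim token in its path. The script below is an added example, not part of the sandbox report or of the sample; it extracts URLs from the note text, separates .onion portals from clearnet links, and classifies the onion address by length (16 base32 characters for a v2 service, 56 for v3). The note text embedded in the script is a shortened excerpt of the readme.txt shown above, constructed for this example with the URLs kept verbatim.

```python
"""
Added example, not part of the sandbox report: pull the actionable IOCs out
of a ransom note and classify any .onion payment portal by address version.
NOTE is a shortened excerpt of the report's readme.txt (constructed here,
URLs verbatim).
"""
import re

NOTE = (
    "Dear user! Your computer is encrypted! We demand a ransom! "
    "To decrypt your computer, you need to download the TOR browser at "
    "https://www.torproject.org/download/ Install it and visit our website "
    "for further action http://paymen45oxzpnouz.onion/3a9577cf20 "
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# v2 onion services use 16 base32 chars, v3 use 56; Tor retired v2 in 2021.
ONION_RE = re.compile(
    r"^https?://([a-z2-7]{16}|[a-z2-7]{56})\.onion(?::\d+)?(/[^\s]*)?$", re.I)


def extract_iocs(text):
    """Return {'onion': [...], 'clearnet': [...]} for every URL in the note."""
    iocs = {"onion": [], "clearnet": []}
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")  # drop sentence punctuation glued to the URL
        m = ONION_RE.match(url)
        if not m:
            iocs["clearnet"].append(url)
            continue
        host, path = m.group(1).lower(), m.group(2) or "/"
        # The last path segment is the per-victim token that ties this
        # note (and this sample) to one infection.
        token = path.rstrip("/").rsplit("/", 1)[-1] or None
        iocs["onion"].append({
            "host": host + ".onion",
            "version": "v2" if len(host) == 16 else "v3",
            "victim_token": token,
            "url": url,
        })
    return iocs


if __name__ == "__main__":
    for kind, items in extract_iocs(NOTE).items():
        for item in items:
            print(kind, item)
```

The portal here is a v2 address. Tor dropped v2 onion services in 2021, so the URL is no longer reachable and is useful only as a detection and clustering artifact, not as a live lead; the victim token is what distinguishes this note from others built from the same template.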

Signatures

  • Deletes shadow copies 2 TTPs

    All Volume Shadow Copies are deleted with vssadmin, removing the local snapshots a victim could otherwise restore from (ATT&CK T1490, Inhibit System Recovery).

  • Renames multiple (8411) files with added filename extension

    8411 files were renamed with an appended extension, consistent with ransomware encrypting files across the system.

  • Deletes itself 1 IoCs
  • Drops desktop.ini file(s) 40 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are a common ransomware target because deleting them inhibits system recovery.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service (vssvc.exe) manages backups and snapshots; the vssadmin call above starts it, which is why it appears as a separate process in the tree.

Processes

  • C:\Users\Admin\AppData\Local\Temp\59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d.exe
    "C:\Users\Admin\AppData\Local\Temp\59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:2776
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d.exe" >> NUL
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:928
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1720
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1516
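The process tree above is the part of this report worth turning into detection logic: the sample spawns `vssadmin delete shadows /all /quiet`, then a `cmd.exe /c timeout 1 && del "<its own path>"` chain so the binary removes itself after exiting. The script below is an added example, not part of the sandbox report or of the sample. It replays the tree as constructed process-creation events (fields shaped like Sysmon Event ID 1 / Security 4688 records, PIDs as reported, the parent PIDs of the sample and of vssvc.exe invented) and flags shadow-copy destruction and self-deletion, the latter by checking that the `del` target equals the parent process's own image path rather than matching on `del` alone. The wmic and resize-shadowstorage patterns and the ping-based delay check go beyond what this report shows and are included as common variants.

```python
"""
Added example, not part of the sandbox report or of the sample: replay the
report's process chain as constructed process-creation events and flag the
two recovery-inhibiting behaviours it shows.

Assumptions (not from the report): events are dicts with pid, ppid, image
and cmdline; ppid 1000 (sample) and 600 (vssvc.exe) are invented filler.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d.exe")

# Constructed events modelled on the report's process tree (PIDs as reported).
EVENTS = [
    {"pid": 2852, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2776, "ppid": 2852, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 928, "ppid": 2852, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": rf'"C:\Windows\system32\cmd.exe" /c timeout 1 && del "{SAMPLE}" >> NUL'},
    {"pid": 1720, "ppid": 928, "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": "timeout 1"},
    {"pid": 1516, "ppid": 600, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
]

# Shadow-copy destruction: the vssadmin form seen in the report, plus the
# wmic and resize-shadowstorage variants (a generalisation beyond the report).
SHADOW_RULES = {
    "vssadmin.exe": re.compile(r"\b(delete\s+shadows|resize\s+shadowstorage)\b", re.I),
    "wmic.exe": re.compile(r"\bshadowcopy\s+delete\b", re.I),
}
# Target of del/erase, quoted or bare, optionally after switches such as /f /q.
DEL_RE = re.compile(r'\b(?:del|erase)\b\s+(?:/[a-z]\s+)*(?:"([^"]+)"|([^\s&|>]+))', re.I)
# Delay primitives commonly placed before the del so the parent can exit first.
DELAY_RE = re.compile(r"\b(timeout|ping)\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one finding dict per event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name, cmd = basename(e["image"]), e["cmdline"]
        rule = SHADOW_RULES.get(name)
        if rule and rule.search(cmd):
            findings.append({"rule": "shadow_copy_deletion", "pid": e["pid"],
                             "cmdline": cmd})
            continue
        if name == "cmd.exe":
            m = DEL_RE.search(cmd)
            parent = by_pid.get(e["ppid"])
            if m and parent:
                target = (m.group(1) or m.group(2)).lower()
                # Self-deletion: the file being deleted is the parent's own image.
                if target == parent["image"].lower():
                    findings.append({"rule": "self_deletion", "pid": e["pid"],
                                     "parent_pid": parent["pid"],
                                     "delayed": bool(DELAY_RE.search(cmd)),
                                     "cmdline": cmd})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']:22} pid={f['pid']:<5} {f['cmdline']}")
```

Both rules need the parent-child relation, not just the command line: `del` on its own is everyday noise, and the self-deletion match only becomes high-confidence when the deleted path is the parent's image. Because the parent has usually exited by the time the delete runs, correlate on process-creation events rather than on a live process list, and block `vssadmin delete shadows` outright where nothing legitimate on the host needs it.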

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\$Recycle.Bin\S-1-5-21-3427588347-1492276948-3422228430-1000\desktop.ini

    Filesize

    649B

    MD5

    5ab5beaced477a175a9b4c840248bb0e

    SHA1

    88d14c53433d106d0752d21fc20d5b77e25c1158

    SHA256

    8d9b682729e0c65e99d642ccdcf735dd856b56aaf850f23fa883bfa8961ae3c5

    SHA512

    c94b07c5a3d6b2298cecc0806fdc36cf73e767c9252e255d344069d0328ba840dc7533ffb5f14fa2575f336d824018a703c8342856d34467464750672d123b0a

  • C:\$Recycle.Bin\readme.txt

    Filesize

    1KB

    MD5

    7ffc87c30275a73b55ef17ccf257f7c0

    SHA1

    5a7ed3674feccfe25693e761020853eb49ea86bc

    SHA256

    66ec7d7efdbae65019b5dba454829722a7e3ba0c2f8ff1c3d3f2614375efcbd3

    SHA512

    81c1246d8f820ab5aec4a95b1c05266bf79fdfde8744a661c5f32e57c018323da2881804ea3cc9648ee45605339baed12f71e322ddba035dc2caa75080d779d1

  • memory/2852-11748-0x0000000000930000-0x0000000000A30000-memory.dmp

    Filesize

    1024KB

  • memory/2852-11762-0x0000000000220000-0x00000000002A0000-memory.dmp

    Filesize

    512KB

  • memory/2852-6-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2852-10-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2852-3-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2852-2-0x0000000000220000-0x00000000002A0000-memory.dmp

    Filesize

    512KB

  • memory/2852-4438-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2852-9826-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2852-1-0x0000000000930000-0x0000000000A30000-memory.dmp

    Filesize

    1024KB

  • memory/2852-4-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2852-11767-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2852-11925-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2852-13212-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2852-13261-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2852-14987-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2852-16087-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2852-18921-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2852-18922-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB