Overview

overview

10

Static

static

3

samples4.zip

windows7-x64

1

samples4.zip

windows10-2004-x64

1

0e60d49a96...01.exe

windows7-x64

0e60d49a96...01.exe

windows10-2004-x64

1ce5dd21fb...1e.exe

windows7-x64

10

1ce5dd21fb...1e.exe

windows10-2004-x64

10

3c73425d02...e6.exe

windows7-x64

6

3c73425d02...e6.exe

windows10-2004-x64

6

5df6314b5c...5b.exe

windows7-x64

10

5df6314b5c...5b.exe

windows10-2004-x64

10

5ee5166c02...93.exe

windows7-x64

10

5ee5166c02...93.exe

windows10-2004-x64

10

5f7cdd8c28...02.exe

windows7-x64

7

5f7cdd8c28...02.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    17s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    01-01-2024 15:38

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4/0e60d49a967599fab179f8c885d91db2501.exe

  • Size

    255KB

  • MD5

    1933fed76a030529b141d032c0620117

  • SHA1

    c55c60a23f5110e0b45fc02a09c4a64d3094809a

  • SHA256

    0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4

  • SHA512

    b153383ebd9919ff293896381d89a895c58985eef60f67803a4276026631184f4d85c19e9ea06351efb7230226b18ed9a17b533fb602e10ded518a7bd090dcfe

  • SSDEEP

    3072:iBWxT8JtvyAuX3CGun8r8206BretpJwIiymE9xTRVhGT4z106OKclYQO565tgPYs:iBxrKA4CGu8V0tl9zVhM49OxlYQ8fD3

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Documents\Readme.1352FF327.txt

Ransom Note
~~~ DarkRace ransomware ~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://wkrlpub5k52rjigwxfm6m7ogid55kamgc5azxlq7zjgaopv33tgx2sqd.onion >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. You can install qtox to contanct us online https://tox.chat/download.html Tox ID Contact: ************************ Mail (OnionMail) Support: [email protected] >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
URLs

http://wkrlpub5k52rjigwxfm6m7ogid55kamgc5azxlq7zjgaopv33tgx2sqd.onion

https://tox.chat/download.html

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (141) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 64 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Runs ping.exe 1 TTPs 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4\0e60d49a967599fab179f8c885d91db2501.exe
    "C:\Users\Admin\AppData\Local\Temp\0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4\0e60d49a967599fab179f8c885d91db2501.exe"
    1⤵
    • Enumerates connected drives
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\system32\cmd.exe
      cmd /c "vssadmin Delete Shadows /All /Quiet"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2024
    • C:\Windows\system32\cmd.exe
      cmd /c "wmic shadowcopy delete /nointeractive"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2656
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\ProgramData\1.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:3020
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im sql*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1636
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im oracle*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2428
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im mysq*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1452
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im chrome*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1064
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im veeam*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1912
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im firefox*
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2844
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im excel*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2220
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im msaccess*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2028
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im onenote*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1976
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im outlook*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1028
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im powerpnt*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1712
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im winword*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2528
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im wuauclt*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1840
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:2952
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im oracle*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1088
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im mysq*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:800
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im firefox*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:616
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im msaccess*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1792
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im onenote*
        3⤵
          PID:2124
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im outlook*
          3⤵
          • Kills process with taskkill
          PID:1724
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im powerpnt*
          3⤵
          • Kills process with taskkill
          PID:380
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im winword*
          3⤵
          • Kills process with taskkill
          PID:888
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im wuauclt*
          3⤵
          • Kills process with taskkill
          PID:876
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 2
          3⤵
          • Runs ping.exe
          PID:704
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im excel*
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:448
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im veeam*
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1128
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im chrome*
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1748
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im sql*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:300
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im sql*
          3⤵
          • Kills process with taskkill
          PID:2960
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im oracle*
          3⤵
            PID:2964
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im mysq*
            3⤵
            • Kills process with taskkill
            PID:1644
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im chrome*
            3⤵
            • Kills process with taskkill
            PID:2464
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im veeam*
            3⤵
              PID:2980
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im firefox*
              3⤵
              • Kills process with taskkill
              PID:2640
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im msaccess*
              3⤵
              • Kills process with taskkill
              PID:2548
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im onenote*
              3⤵
              • Kills process with taskkill
              PID:2756
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im powerpnt*
              3⤵
              • Kills process with taskkill
              PID:1016
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im outlook*
              3⤵
              • Kills process with taskkill
              PID:2056
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im wuauclt*
              3⤵
              • Kills process with taskkill
              PID:628
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 2
              3⤵
              • Runs ping.exe
              PID:2740
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im winword*
              3⤵
                PID:2896
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im excel*
                3⤵
                • Kills process with taskkill
                PID:1528
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im sql*
                3⤵
                • Kills process with taskkill
                PID:2588
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im mysq*
                3⤵
                • Kills process with taskkill
                PID:856
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im veeam*
                3⤵
                • Kills process with taskkill
                PID:1256
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im excel*
                3⤵
                • Kills process with taskkill
                PID:2456
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im msaccess*
                3⤵
                • Kills process with taskkill
                PID:1232
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im outlook*
                3⤵
                • Kills process with taskkill
                PID:1908
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im onenote*
                3⤵
                  PID:2020
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im powerpnt*
                  3⤵
                  • Kills process with taskkill
                  PID:1948
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im wuauclt*
                  3⤵
                  • Kills process with taskkill
                  PID:2944
                • C:\Windows\SysWOW64\PING.EXE
                  ping 127.0.0.1 -n 2
                  3⤵
                  • Runs ping.exe
                  PID:2064
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im winword*
                  3⤵
                  • Kills process with taskkill
                  PID:2492
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im firefox*
                  3⤵
                  • Kills process with taskkill
                  PID:2608
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im chrome*
                  3⤵
                    PID:760
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /im oracle*
                    3⤵
                    • Kills process with taskkill
                    PID:1676
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /im sql*
                    3⤵
                    • Kills process with taskkill
                    PID:1420
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /im oracle*
                    3⤵
                    • Kills process with taskkill
                    PID:2956
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /im mysq*
                    3⤵
                    • Kills process with taskkill
                    PID:2644
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /im veeam*
                    3⤵
                    • Kills process with taskkill
                    PID:1716
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /im excel*
                    3⤵
                    • Kills process with taskkill
                    PID:2260
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /im msaccess*
                    3⤵
                    • Kills process with taskkill
                    PID:2488
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /im outlook*
                    3⤵
                    • Kills process with taskkill
                    PID:1288
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /im powerpnt*
                    3⤵
                    • Kills process with taskkill
                    PID:2160
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /im onenote*
                    3⤵
                    • Kills process with taskkill
                    PID:1604
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /im firefox*
                    3⤵
                    • Kills process with taskkill
                    PID:2380
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /im chrome*
                    3⤵
                    • Kills process with taskkill
                    PID:2520
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /im wuauclt*
                    3⤵
                    • Kills process with taskkill
                    PID:2448
                  • C:\Windows\SysWOW64\PING.EXE
                    ping 127.0.0.1 -n 2
                    3⤵
                    • Runs ping.exe
                    PID:332
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /im winword*
                    3⤵
                      PID:1548
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /f /im sql*
                      3⤵
                      • Kills process with taskkill
                      PID:2404
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /f /im oracle*
                      3⤵
                      • Kills process with taskkill
                      PID:2352
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /f /im mysq*
                      3⤵
                        PID:2812
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /f /im chrome*
                        3⤵
                          PID:704
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /f /im veeam*
                          3⤵
                          • Kills process with taskkill
                          PID:2960
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /f /im firefox*
                          3⤵
                          • Kills process with taskkill
                          PID:884
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /f /im excel*
                          3⤵
                          • Kills process with taskkill
                          PID:1868
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /f /im msaccess*
                          3⤵
                          • Kills process with taskkill
                          PID:1728
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /f /im onenote*
                          3⤵
                            PID:2344
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /f /im outlook*
                            3⤵
                            • Kills process with taskkill
                            PID:2768
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /f /im powerpnt*
                            3⤵
                            • Kills process with taskkill
                            PID:2660
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /f /im winword*
                            3⤵
                            • Kills process with taskkill
                            PID:1444
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /f /im wuauclt*
                            3⤵
                              PID:1592
                            • C:\Windows\SysWOW64\PING.EXE
                              ping 127.0.0.1 -n 2
                              3⤵
                              • Runs ping.exe
                              PID:2908
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c "taskkill /f /im cmd.exe & taskkill /f /im conhost.exe"
                            2⤵
                              PID:2936
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill /f /im cmd.exe
                                3⤵
                                • Kills process with taskkill
                                PID:1600
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c "ping 127.0.0.1 & del C:\ProgramData\1.bat & del C:\Users\Admin\AppData\Local\Temp\0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4\0e60d49a967599fab179f8c885d91db2501.exe & shutdown -r -f -t 0"
                              2⤵
                              • Deletes itself
                              PID:848
                              • C:\Windows\SysWOW64\PING.EXE
                                ping 127.0.0.1
                                3⤵
                                • Runs ping.exe
                                PID:2108
                              • C:\Windows\SysWOW64\shutdown.exe
                                shutdown -r -f -t 0
                                3⤵
                                  PID:856
                            • C:\Windows\system32\vssvc.exe
                              C:\Windows\system32\vssvc.exe
                              1⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2760
                            • C:\Windows\system32\LogonUI.exe
                              "LogonUI.exe" /flags:0x0
                              1⤵
                                PID:1064
                              • C:\Windows\system32\LogonUI.exe
                                "LogonUI.exe" /flags:0x1
                                1⤵
                                  PID:1232

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\ProgramData\1.bat
                                  Filesize

                                  385B

                                  MD5

                                  4a4d03743fd3a7ee1d03d89d0e3b8011

                                  SHA1

                                  127d72408c87d866c72331fb0f16d13fef6a92ec

                                  SHA256

                                  2b15e09b98bc2835a4430c4560d3f5b25011141c9efa4331f66e9a707e2a23c0

                                  SHA512

                                  d26e5865bef6a7c7a5991c34ef8c0ae7e4c78c40b5f0c68f3490e89de50401e13e53321ee98def52ee7da390bcd3eb895f3ec1485a50cd63c94f0b640e1cfa60

                                  Download Submit

                                • C:\Users\Admin\Documents\Readme.1352FF327.txt
                                  Filesize

                                  1KB

                                  MD5

                                  4b88b5a8f74421f9c61671ec61b8eb02

                                  SHA1

                                  3b0534af339c362b889ba49888e61cbbb260427f

                                  SHA256

                                  4f8a200177e621e534dba2f5a09247a35ac47711c1f9e40f0a65649afb0ae5ac

                                  SHA512

                                  1fe8c1fb63a3668718ce89f822abece8a770d14e9f4ef70d702eaee0309dd34f42056eca77df242ed781259bb198b30604376a1a7fb1958e3bcb07b295a6341e

                                  Download Submit

                                • memory/1064-20-0x0000000002E10000-0x0000000002E11000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/1232-21-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download