Resubmissions

18-04-2024 18:50

240418-xha8wabh29 10

01-01-2024 15:12

240101-slnwxsfeh4 10

Analysis

  • max time kernel
    148s
  • max time network
    211s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-01-2024 15:12

General

  • Target

    64862ec69991a7d454c3ea3a0c3a8f1cc9c80192078740b9c753abbf1b7bef1b.exe

  • Size

    1.7MB

  • MD5

    2b34badcdfb0921ee43548475c0ec5bb

  • SHA1

    2cfe28584ae7649e3fe0ae150bfe49f7eabc6cf9

  • SHA256

    64862ec69991a7d454c3ea3a0c3a8f1cc9c80192078740b9c753abbf1b7bef1b

  • SHA512

    c31ac862ac9211821332aa8fd03110ca3ef89304fead4a900d2190c4a3950d2d6e5704b06ab3edf2ea6c6d3b9c225e5220e62496dc42948ec6125618924f880c

  • SSDEEP

    24576:++H1KCVkwjVSjdao2bwzUaSze1AeHm/gcgX+7waf7gm7yZADfBFdOgSeiseIK1S3:399byqze1I3o+rH+MFdOsZvShn9T

Malware Config

Extracted

Path

C:\Users\Admin\3D Objects\read_it.txt

Ransom Note
YOUR PERSONAL INFORMATION IS NOW ENCRYPTED WITH MILITARY GRADE ENCRYPTION by BAAL RANSOMWARE All files on all affected machines and network have been encrypted with Baal Ransomware Encryption. What guarantees do we give to you? You can send 2 of any encrypted files to us to decrypt then send them back. Who is responsible for the Ransom Fee? The SARB & SA Mint Organization not its employees or assosiates will need to pay the fee to obtain the unique decryption code & tool that contains the private key linked to this specific ecryption. NOTE: All data is ecrypted (locked) not overitten hence can be decrypted with assossiated key only. You have only 6 (six) days to meet the Ransom fee in Bitcoin. Instructions: 1. Send 121 BTC (Bitcoins) to the following receiving address: bc1qvrqgycul7svc33hs0ejqn5p2ewewynjkea90h7gcednhdj2745tslla7z9 Note: All Bitcoin transactions need six confirmations in the blockchain from miners before being processed. In general sending Bitcoin can take anywhere from seconds to over 60 minutes. Typically, however, it will take 10 to 20 minutes In most cases, Bitcoin transactions need 1 to 1.5 hours to complete. 2. Send blockchain transaction id screenshot not link via to the email address: [email protected] 3. Once the transaction is be confirmed. We will email back the one-click decryption tool to fully decrypt and recover all your files and remove the randsomware on all your machines and network permantly. (No I.T. background required). 4. The decryption usually takes about a few minutes to an hour depending on the scale and size of the files and additional drives the Ransomware has spread onto the network. What guarantees do we give to you? You can send 3 of your encrypted files and we decrypt then send them back. You have 6 days until the decryption keys are terminated and all data on affected machines and networks will never be recovered. We make use of Military Grade AES Encryptions. 
Without the linked decryption key you can just forgot about ever recovering encrypted data. ------------------------------------------------------------------------------------------------ 'Blessed are the strong for they shall inherit the Earth' - Codex Saerus

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\64862ec69991a7d454c3ea3a0c3a8f1cc9c80192078740b9c753abbf1b7bef1b.exe
    "C:\Users\Admin\AppData\Local\Temp\64862ec69991a7d454c3ea3a0c3a8f1cc9c80192078740b9c753abbf1b7bef1b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Users\Admin\AppData\Roaming\Netflorist.exe
      "C:\Users\Admin\AppData\Roaming\Netflorist.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4916
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2732
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2992
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4884
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2808
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1696
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4000
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:976
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3844
  • C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    1⤵
    • Deletes backup catalog
    PID:3208
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2876
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:4900
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:3780

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\3D Objects\read_it.txt

      Filesize

      2KB

      MD5

      8c01fc0897330efa19984569d51593de

      SHA1

      86ef2c429ec7f7e68604589e14aa2a4d46b91b97

      SHA256

      8e0bb0b0c5df1549718787f72eec31f9b996940e53a105a1c655a7bdcd15207f

      SHA512

      df6ab338df097c2dfe6b06897e7797af89b89e3a2e1a5ccd6772dcd41aee1077571759bdb81cff772ba636e8c1c411ec69cb3ba87b31961be06fca3b1e652fb7

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\64862ec69991a7d454c3ea3a0c3a8f1cc9c80192078740b9c753abbf1b7bef1b.exe.log

      Filesize

      1KB

      MD5

      4e4c88f65ddfc7e4ed96042cb5da5b76

      SHA1

      086fcef3233df3ab47b63a174c8889a5540a2418

      SHA256

      b4135b7f9a2111e0478dff935711b7362150b72b6b4f9e4f17011b503322078b

      SHA512

      f817e9161abd0aa946678c324eeb61ffd7a573a3b64a8b05102be4250402be760119bc21715dcf7ab54e3992857e975802829a0003dc2d10fac8ec9f042ccb7a

    • C:\Users\Admin\AppData\Roaming\Netflorist.exe

      Filesize

      2KB

      MD5

      43b82ac044e293717660f7c30c37341b

      SHA1

      8b3ef995e9eea518400eaed53217892dea1564d8

      SHA256

      14eddab9aa0b9552f4c9c586462b6407595f1c17701436af0890254b361a1681

      SHA512

      bca63f9866a8478da6487afc38a81d7ba4b1b5d2915562f1dd32562e3c20f82130e626fdc6b6e2aae9845d493ff74597174fd90b5cfeaa7c1e14525ad6b66efe

    • C:\Users\Admin\AppData\Roaming\Netflorist.exe

      Filesize

      8KB

      MD5

      2b279d32c6d4123a3d8f6ec62479fefe

      SHA1

      390a3644e9fc90d855f7c9029f4de89b502efd96

      SHA256

      d9df0d684de13bb52c573a0b8006240448d2284fa78b01884a851895fb45594a

      SHA512

      345274a154e23728be554ac92ffaa5fb7d27712eeceeec289426b580f49753ee6ac62f4bd53be774b147636e275ea2fdcdc40b7f49af7499fe8348a779151abf

    • C:\Users\Admin\AppData\Roaming\Netflorist.exe

      Filesize

      1KB

      MD5

      2187b478f3734c1f980a533e7639f9f4

      SHA1

      e8329f012d5a207fbf709cf71bf4710a39362c9e

      SHA256

      5ed5bca3c4a8268af542d017389a550b864ac073a488a144cc130ee9eb20dc78

      SHA512

      b28980f4f5d8b8ec4e1f3f6bc099c95fb1a49058cdddfb072c002ac01e45ad5dff203e34642a49bb426e5d2e84b839754d58a3a8cc503c2beca6b98f44fe14c9

    • C:\Users\Admin\Desktop\DismountReceive.avi

      Filesize

      1B

      MD5

      d1457b72c3fb323a2671125aef3eab5d

      SHA1

      5bab61eb53176449e25c2c82f172b82cb13ffb9d

      SHA256

      8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

      SHA512

      ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

    • memory/4876-5-0x0000000003100000-0x0000000003101000-memory.dmp

      Filesize

      4KB

    • memory/4876-3-0x00007FFC6ED40000-0x00007FFC6F801000-memory.dmp

      Filesize

      10.8MB

    • memory/4876-1-0x00007FFC6ED40000-0x00007FFC6F801000-memory.dmp

      Filesize

      10.8MB

    • memory/4876-4-0x000000001BCF0000-0x000000001BD00000-memory.dmp

      Filesize

      64KB

    • memory/4876-19-0x00007FFC6ED40000-0x00007FFC6F801000-memory.dmp

      Filesize

      10.8MB

    • memory/4876-2-0x000000001BCF0000-0x000000001BD00000-memory.dmp

      Filesize

      64KB

    • memory/4876-0-0x0000000000EE0000-0x00000000010A2000-memory.dmp

      Filesize

      1.8MB

    • memory/4916-21-0x0000000001550000-0x0000000001551000-memory.dmp

      Filesize

      4KB

    • memory/4916-20-0x0000000002F90000-0x0000000002FA0000-memory.dmp

      Filesize

      64KB

    • memory/4916-18-0x00007FFC6ED40000-0x00007FFC6F801000-memory.dmp

      Filesize

      10.8MB

    • memory/4916-292-0x00007FFC6ED40000-0x00007FFC6F801000-memory.dmp

      Filesize

      10.8MB

    • memory/4916-293-0x0000000002F90000-0x0000000002FA0000-memory.dmp

      Filesize

      64KB

    • memory/4916-1237-0x0000000002F90000-0x0000000002FA0000-memory.dmp

      Filesize

      64KB

    • memory/4916-1239-0x0000000002F90000-0x0000000002FA0000-memory.dmp

      Filesize

      64KB