Overview

overview

10

Static

static

10

samples2.zip

windows7-x64

1

samples2.zip

windows10-2004-x64

1

032e2e00eb...36.exe

windows7-x64

3

032e2e00eb...36.exe

windows10-2004-x64

3

07e98c92e1...3b.exe

windows7-x64

8

07e98c92e1...3b.exe

windows10-2004-x64

8

0a045d39cb...35.exe

windows7-x64

7

0a045d39cb...35.exe

windows10-2004-x64

7

2d713e13f7...d3.exe

windows7-x64

1

2d713e13f7...d3.exe

windows10-2004-x64

1

37a83fd6b1...32.exe

windows7-x64

1

37a83fd6b1...32.exe

windows10-2004-x64

1

390b31934a...56.exe

windows7-x64

9

390b31934a...56.exe

windows10-2004-x64

9

4dc6bd447e...9d.exe

windows7-x64

1

4dc6bd447e...9d.exe

windows10-2004-x64

1

5300d74561...0d.exe

windows7-x64

10

5300d74561...0d.exe

windows10-2004-x64

10

5e7d11d6bd...c6.exe

windows7-x64

7

5e7d11d6bd...c6.exe

windows10-2004-x64

1

64c7d9f709...20.exe

windows7-x64

1

64c7d9f709...20.exe

windows10-2004-x64

1

7db03ff8a8...3a.exe

windows7-x64

1

7db03ff8a8...3a.exe

windows10-2004-x64

1

81cb6442c2...78.exe

windows7-x64

1

81cb6442c2...78.exe

windows10-2004-x64

1

8629ec2aed...11.exe

windows7-x64

1

8629ec2aed...11.exe

windows10-2004-x64

1

8b13ff52ff...ab.exe

windows7-x64

8

8b13ff52ff...ab.exe

windows10-2004-x64

8

90b4871229...11.exe

windows7-x64

7

90b4871229...11.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    01-01-2024 15:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe

  • Size

    453KB

  • MD5

    15e64cc4e12006fd7bf95cdfdb2ad674

  • SHA1

    f4a7023d943749b9aa5c373cc84b5ee6f2845717

  • SHA256

    5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d

  • SHA512

    596b44694970ecef43a4238c0d2e547844b40c75697e962893a0b21f248136de5a1bf27da7651a5f4eef073f595e5015d63fa0f99a1e39185cfeb5c3bdaf5bbc

  • SSDEEP

    6144:selkSPS7kiuw4SEtOvgs25TfCxFu/4grGsBNcRMr5p6LnTAOzarKJ7nkxXTv:selk4Sgiuw40vfnxIXNcw6rTcr4eTv

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_RECOVER_FILES.txt

Ransom Note
> WHAT HAPPEND? Important files on your network have been ENCRYPTED and now have the extension .CIBCJEAEBI. To recover your files, you need to follow the instructions below. > SENSITIVE DATA Sensitive data from your network has been DOWNLOADED. If you DON'T WANT to your sensitive data PUBLISHED on our leak blog, you must act quickly. LEAK BLOG: noescapemsqxvizdxyl7f7rmg5cdjwp33pg2wpmiaaibilb4btwzttad.onion Data includes: - Personal data of employees, resume, DL, SSN. - Complete network map, including credentials for local and remote services. - Private financial information including: customer data, accounts, budgets, annual reports, bank statements. - Production documentation, including: datagrams, diagrams, drawings. - And much more... Sample DOWNLOADED FILES are available in your user panel. > CAUTION DO NOT MODIFY ENCRYPTED FILES BY YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, THIS WILL RESULT IN PERMANENT DATA LOSS. > WHAT SHOULD I DO NEXT? You need to contact us: 1. Download and install TOR browser: https://www.torproject.org/ 2. Go to your user panel: noescaperjh3gg6oy7rck57fiefyuzmj7kmvojxgvlmwd5pdzizrb7ad.onion/9a327ded-8235-4391-8aa9-bd7cbeca8977
URLs

http://noescapemsqxvizdxyl7f7rmg5cdjwp33pg2wpmiaaibilb4btwzttad.onion

http://noescaperjh3gg6oy7rck57fiefyuzmj7kmvojxgvlmwd5pdzizrb7ad.onion/9a327ded-8235-4391-8aa9-bd7cbeca8977

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (154) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe
    "C:\Users\Admin\AppData\Local\Temp\5300d7456183c470a40267da9cd1771d6147445b203d8eb02437348bf3169e0d.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2216
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3060
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      2⤵
        PID:2616
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c wbadmin DELETE BACKUP -deleteOldest
        2⤵
          PID:2580
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c wmic SHADOWCOPY DELETE /nointeractive
          2⤵
            PID:1936
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic SHADOWCOPY DELETE /nointeractive
              3⤵
                PID:2792
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
              2⤵
                PID:856
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c bcdedit /set {default} recoveryenabled No
                2⤵
                  PID:2420
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
                  2⤵
                    PID:2040
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c vssadmin Delete Shadows /All /Quiet
                    2⤵
                      PID:2968
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c wbadmin DELETE BACKUP -keepVersions:0
                      2⤵
                        PID:2316
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c wbadmin DELETE BACKUP -deleteOldest
                        2⤵
                          PID:2092
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
                          2⤵
                            PID:2704
                          • C:\Windows\SysWOW64\cmd.exe
                            cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
                            2⤵
                              PID:2192
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c bcdedit /set {default} recoveryenabled No
                              2⤵
                                PID:1348
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd /c vssadmin Delete Shadows /All /Quiet
                                2⤵
                                  PID:1424
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd /c wbadmin DELETE BACKUP -keepVersions:0
                                  2⤵
                                    PID:952
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd /c wbadmin DELETE BACKUP -deleteOldest
                                    2⤵
                                      PID:2972
                                    • C:\Windows\SysWOW64\cmd.exe
                                      cmd /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
                                      2⤵
                                        PID:2160
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
                                        2⤵
                                          PID:2932
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd /c wmic SHADOWCOPY DELETE /nointeractive
                                          2⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:2484
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
                                          2⤵
                                            PID:2464
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd /c bcdedit /set {default} recoveryenabled No
                                            2⤵
                                              PID:1184
                                            • C:\Windows\SysWOW64\cmd.exe
                                              cmd /c vssadmin Delete Shadows /All /Quiet
                                              2⤵
                                              • Suspicious use of WriteProcessMemory
                                              PID:2720
                                            • C:\Windows\SysWOW64\cmd.exe
                                              cmd /c wbadmin DELETE BACKUP -keepVersions:0
                                              2⤵
                                                PID:2740
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
                                                2⤵
                                                  PID:2596
                                              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                wmic SHADOWCOPY DELETE /nointeractive
                                                1⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2172
                                              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                wmic SHADOWCOPY DELETE /nointeractive
                                                1⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2540
                                              • C:\Windows\SysWOW64\vssadmin.exe
                                                vssadmin Delete Shadows /All /Quiet
                                                1⤵
                                                • Interacts with shadow copies
                                                PID:2648
                                              • C:\Windows\SysWOW64\vssadmin.exe
                                                vssadmin Delete Shadows /All /Quiet
                                                1⤵
                                                • Interacts with shadow copies
                                                PID:2096
                                              • C:\Windows\SysWOW64\vssadmin.exe
                                                vssadmin Delete Shadows /All /Quiet
                                                1⤵
                                                • Interacts with shadow copies
                                                PID:1888
                                              • C:\Windows\system32\vssvc.exe
                                                C:\Windows\system32\vssvc.exe
                                                1⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2656

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Users\Admin\Desktop\HOW_TO_RECOVER_FILES.txt
                                                Filesize

                                                1KB

                                                MD5

                                                ae09a1907f06c1c8b6944601c07466b0

                                                SHA1

                                                b836d0c8e7c49c283948d26c4f811abcb691f6c7

                                                SHA256

                                                1d811d180143ebcbf3481cbed6a271e6c0c382fc22afd2edb1fe8f2105a7d6d6

                                                SHA512

                                                4e0c0b97f388c3c51d0b4cd772855d38e0ded3b554fa4884da4c32eaa9ec91924141b06621b12b1132036a19afd8a5e333318e2991558f71fd44ec2d6a86738d

                                                Download Submit