Analysis

  • max time kernel
    31s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-01-2024 15:27

General

  • Target

    403be0442e847aee7ca7553e19672112450f2e034180a1f57eb8a6d7d39b8d17.exe

  • Size

    31KB

  • MD5

    408358751abe67dcf31de9a955253724

  • SHA1

    81c19445c96f0b4346ae6b4036ff18c8c44db0ed

  • SHA256

    403be0442e847aee7ca7553e19672112450f2e034180a1f57eb8a6d7d39b8d17

  • SHA512

    ffc1425bfca8e5e1b78a43bac829b8930ade14b017c12e0218c44e594f2d559ca9f2060b204eb07115f2bbd4111199ea061852f1742763cfdc80a9808e9bc8aa

  • SSDEEP

    384:bMBQl5CVzAW054SrIVuLRR0b3ZpUyXhVgeHy3jfSG+wKmOL1MCEdYdOiHNFx2khV:bMBQWVM6Srtlab7MC6wThw4

Malware Config

Extracted

Path

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\decrypt_Last_Chance.html

Ransom Note
<!DOCTYPE html> <html> <title>TargetWare Decryption Information</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <head> <link rel="stylesheet" href="https://fonts.googleapis.com/icon?family=Material+Icons"> </head> <link rel="stylesheet" href="https://www.w3schools.com/w3css/4/w3.css"> <STYLE type="text/css"> BODY { background-color: rgb(246, 246, 246); } </STYLE> <body> <div class="w3-container w3-center " > <img src="https://www.seekpng.com/png/detail/227-2279324_oops-oops-png.png"> <div class="w3-container w3-border w3-small w3-content"> <div class="w3-panel w3-border-top w3-border-bottom w3-border-black w3-pale-gray " > <b>Dear Curexa, it`s only a warning to you. <br><br> Also we can wipe your systems but give you chance <br><br> Contact us within 48 hours for get more details ;) We also steal your databases with Prescriptions and Patient info.<br><br> <br><br> What happened to your files?<br><br> We completed target attack on your company.<br> All your files were encrypted by a <br> strong encryption with RSA2048 .<br> Our software not decryptable for free !<br> Try search in Google : MMM Ransomware, Triple M ransomware</b> ;)<br> </div> </div> <div class="w3-container w3-border w3-small w3-content"> <div class="w3-panel w3-border-top w3-border-bottom w3-border-black w3-pale-gray w3-content"> <b>Recomendations</b><br> Do not attempt to recover the files yourself.You might corrupt your files.<br> We rewrite all old blocks on your HDD and you can`t recover files with <br> Recuva ,Acronis etc...<br> <br> . 
</div> </div> <div class="w3-container w3-border w3-small w3-content"> <div class="w3-panel w3-border-top w3-border-bottom w3-border-black w3-pale-gray w3-content"> <b>How decrypt files?</b><br><br> Your uniq ID it`s <b>CRX202304</b>.<br> You have only 48 hours for contact with us.<br> Write within this time to email [email protected] or if you don`t get answer within 12 hours to Jabber (use Psi+ or Pidgin clients)<b> [email protected] </b><br> In first message write your uniq ID <b>CRX202304</b><br><br> </div> </div> </div> </body> </html>
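The ransom note above is the only configuration the sandbox extracted, so the fields a case record needs (self-declared family, victim name, victim ID, deadline, claimed cipher) have to be pulled out of its HTML. The following is an added example, not code from the sandbox or from the malware: it strips the HTML with the standard library and reads those fields with regexes tuned to this note's wording. The note text embedded below is a trimmed copy of the HTML shown in the report, used as a constructed sample; the contact addresses are redacted in the report, so they are deliberately not parsed.

```python
"""Extract case-record fields from a sandbox-extracted ransom note (added example)."""
import re
from html.parser import HTMLParser

# Constructed sample: a trimmed copy of the note HTML shown in the report's
# Malware Config section. Contact addresses are redacted there, so none here.
RANSOM_NOTE_HTML = """<!DOCTYPE html> <html> <title>TargetWare Decryption Information</title>
<head> <link rel="stylesheet" href="https://www.w3schools.com/w3css/4/w3.css"> </head>
<STYLE type="text/css"> BODY { background-color: rgb(246, 246, 246); } </STYLE>
<body> <div class="w3-container w3-center">
<b>Dear Curexa, it`s only a warning to you. <br><br>
Contact us within 48 hours for get more details ;) We also steal your databases with Prescriptions and Patient info.<br><br>
All your files were encrypted by a <br> strong encryption with RSA2048 .<br>
Try search in Google : MMM Ransomware, Triple M ransomware</b> ;)<br>
<b>How decrypt files?</b><br><br> Your uniq ID it`s <b>CRX202304</b>.<br>
You have only 48 hours for contact with us.<br>
Write within this time to email [email protected] or if you don`t get answer within 12 hours to Jabber<b> [email protected] </b><br>
In first message write your uniq ID <b>CRX202304</b><br><br>
</div> </body> </html>"""

NOTE_DROP_PATH = r"C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\decrypt_Last_Chance.html"


class _TextExtractor(HTMLParser):
    """Collect visible text; <br> becomes a newline so regexes stay line-local.
    <style>/<script> bodies are skipped, the <title> is captured separately."""

    def __init__(self):
        super().__init__()
        self.parts, self.title = [], None
        self._in_title = self._skip = False

    def handle_starttag(self, tag, attrs):
        if tag == "br":
            self.parts.append("\n")
        elif tag == "title":
            self._in_title = True
        elif tag in ("style", "script"):
            self._skip = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag in ("style", "script"):
            self._skip = False

    def handle_data(self, data):
        if self._skip:
            return
        if self._in_title:
            self.title = (self.title or "") + data
        self.parts.append(data)


def note_to_text(html):
    """Return (title, visible text with runs of spaces collapsed)."""
    p = _TextExtractor()
    p.feed(html)
    p.close()
    text = re.sub(r"[ \t]+", " ", "".join(p.parts))
    return (p.title.strip() if p.title else None), text


def extract_iocs(html):
    """Pull the fields an analyst would file from this note's wording."""
    title, text = note_to_text(html)
    victim = re.search(r"Dear ([^,\n]+),", text)
    hours = [int(h) for h in re.findall(r"(\d+) hours", text)]
    cipher = re.search(r"\b(RSA|AES)\s*-?\s*(\d{3,4})\b", text)
    families = re.search(r"search in Google\s*:\s*([^\n;]+)", text)
    return {
        "title": title,
        "victim": victim.group(1).strip() if victim else None,
        # the note repeats the ID; de-duplicate so the record holds it once
        "victim_ids": sorted(set(re.findall(r"uniq ID(?: it`s)?\s+([A-Z0-9]{4,})", text))),
        "deadline_hours": max(hours) if hours else None,
        "claimed_cipher": cipher.group(1) + cipher.group(2) if cipher else None,
        "self_named_families": [f.strip() for f in families.group(1).split(",")] if families else [],
        "note_path": NOTE_DROP_PATH,
    }


if __name__ == "__main__":
    for k, v in extract_iocs(RANSOM_NOTE_HTML).items():
        print(f"{k}: {v}")
```

The regexes are tied to this note's phrasing ("uniq ID it`s", "search in Google :"); a different family's note needs its own patterns, which is why the text-extraction step is kept separate from the field extraction.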

Signatures

  • Drops startup file (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (64 IoCs)
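Three of the four signatures are file-system behaviours (a write into a Startup folder, bursts of file creation under Program Files and Windows, and the ransom note drop under ProgramData), which makes them straightforward to turn into host detection over file-create telemetry. The following is an added example, not the sandbox's own signature logic: it runs rules of that shape over a constructed list of Sysmon-style FileCreate (Event ID 11) records reduced to the fields the rules need. The PID, sample path, note name and drop path come from the report; the individual file names, the startup item name and the benign msiexec events are constructed, and the 64-file threshold mirrors the "64 IoCs" counts the report shows.

```python
"""Host detection for the file-system behaviour the sandbox flagged (added example)."""
from collections import Counter, defaultdict

RANSOM_NOTE_NAME = "decrypt_Last_Chance.html"          # from the report
STARTUP_DIR_FRAGMENT = "\\start menu\\programs\\startup\\"  # per-user and all-users Startup
PROTECTED_ROOTS = {                                    # directories the report flagged
    "mass_write_program_files": "c:\\program files\\",
    "mass_write_program_files_x86": "c:\\program files (x86)\\",
    "mass_write_windows": "c:\\windows\\",
}
BURST_THRESHOLD = 64  # matches the "64 IoCs" the sandbox reported per directory

MALWARE = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\403be0442e847aee7ca7553e19672112450f2e034180a1f57eb8a6d7d39b8d17.exe")


def _ev(pid, image, target):
    """One Sysmon Event ID 11 (FileCreate) record, reduced to the fields we use."""
    return {"EventID": 11, "ProcessId": pid, "Image": image, "TargetFilename": target}


# Constructed telemetry. File names under Program Files / Windows are invented
# (the report does not state what the sample renames files to); the startup
# item name is invented too. The msiexec events model a benign installer.
SAMPLE_EVENTS = (
    [_ev(4708, MALWARE, r"C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}"
                        r"\decrypt_Last_Chance.html")]
    + [_ev(4708, MALWARE, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
                          r"\Programs\Startup\startup_item.lnk")]
    + [_ev(4708, MALWARE, rf"C:\Program Files\Common Files\document{i}.txt") for i in range(64)]
    + [_ev(4708, MALWARE, rf"C:\Windows\Temp\document{i}.txt") for i in range(64)]
    + [_ev(1234, r"C:\Windows\System32\msiexec.exe", rf"C:\Program Files\Example\bin{i}.dll")
       for i in range(5)]
)


def detect(events, burst_threshold=BURST_THRESHOLD):
    """Return {pid: {signature: count}} for every process that trips a rule.

    Single-event rules (note drop, Startup write) fire on one hit; the
    mass-write rules only fire once a process exceeds the burst threshold in
    one protected root, which keeps a small installer out of the alerts.
    """
    sigs = defaultdict(Counter)
    for ev in events:
        pid = ev["ProcessId"]
        path = ev["TargetFilename"].lower()        # NTFS paths are case-insensitive
        name = path.rsplit("\\", 1)[-1]
        if name == RANSOM_NOTE_NAME.lower():
            sigs[pid]["ransom_note_drop"] += 1
        if STARTUP_DIR_FRAGMENT in path:
            sigs[pid]["drops_startup_file"] += 1
        for label, root in PROTECTED_ROOTS.items():
            if path.startswith(root):
                sigs[pid][label] += 1
    alerts = {}
    for pid, counts in sigs.items():
        fired = {k: v for k, v in counts.items()
                 if k in ("ransom_note_drop", "drops_startup_file") or v >= burst_threshold}
        if fired:
            alerts[pid] = fired
    return alerts


if __name__ == "__main__":
    for pid, fired in detect(SAMPLE_EVENTS).items():
        print(pid, fired)
```

The note-name rule is the cheapest high-confidence signal here, but it only catches this note name; the Startup-folder and burst rules are the ones that generalise to other ransomware, so they are the ones worth keeping when the name changes.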

Processes

  • C:\Users\Admin\AppData\Local\Temp\403be0442e847aee7ca7553e19672112450f2e034180a1f57eb8a6d7d39b8d17.exe
    "C:\Users\Admin\AppData\Local\Temp\403be0442e847aee7ca7553e19672112450f2e034180a1f57eb8a6d7d39b8d17.exe"
    1⤵
    • Drops startup file
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:4708

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\decrypt_Last_Chance.html

    Filesize

    2KB

    MD5

    b20e472b04a6314c755aef583d7e5b84

    SHA1

    697f540da9cc422e6d26e4fe831511f258613060

    SHA256

    640ea8f8f8538fddfbb338ec2db57f5c32a99d67c1057e15bbb7ccc16e932711

    SHA512

    4d2bd2d01847cad32cfc502b97976fea3628647aa3217cbd9efcacf0ed43e9a19c75b1fdb72e1b46f20f2f79316ccd7b216b4cb64325748ff0a7067abdd19d2b

  • memory/4708-0-0x00000255C42C0000-0x00000255C42CE000-memory.dmp

    Filesize

    56KB

  • memory/4708-1-0x00007FFEC2540000-0x00007FFEC3001000-memory.dmp

    Filesize

    10.8MB

  • memory/4708-4-0x00000255C5F50000-0x00000255C5F60000-memory.dmp

    Filesize

    64KB

  • memory/4708-33150-0x00007FFEC2540000-0x00007FFEC3001000-memory.dmp

    Filesize

    10.8MB

  • memory/4708-34747-0x00000255C5F50000-0x00000255C5F60000-memory.dmp

    Filesize

    64KB
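The memory-dump artifact names encode the PID, a sequence number and the dumped address range, so the listed sizes can be checked rather than taken on trust, and the same range appearing twice tells you the sandbox re-dumped a region later in the run. The following is an added example, not part of the report: it parses those names, recomputes each region's size, compares it with the size the report lists (the report's rounding, whole KB below 1 MiB and one decimal MB above, is an assumption inferred from the five entries), and groups the entries by address range. The entries embedded below are the five from the Downloads list above.

```python
"""Parse sandbox memory-dump artifact names and check the listed sizes (added example)."""
import re

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, as in the report's Downloads list
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# The five entries from the report, with the size the report lists for each.
REPORTED = [
    ("memory/4708-0-0x00000255C42C0000-0x00000255C42CE000-memory.dmp", "56KB"),
    ("memory/4708-1-0x00007FFEC2540000-0x00007FFEC3001000-memory.dmp", "10.8MB"),
    ("memory/4708-4-0x00000255C5F50000-0x00000255C5F60000-memory.dmp", "64KB"),
    ("memory/4708-33150-0x00007FFEC2540000-0x00007FFEC3001000-memory.dmp", "10.8MB"),
    ("memory/4708-34747-0x00000255C5F50000-0x00000255C5F60000-memory.dmp", "64KB"),
]


def parse_dump_name(name):
    """Split an artifact name into pid, sequence number, start/end and size in bytes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump artifact name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"end address not past start: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Assumed rounding of the report: whole KB under 1 MiB, one decimal MB above."""
    if n < 1 << 20:
        return f"{n // 1024}KB"
    return f"{n / (1 << 20):.1f}MB"


def check_reported(entries):
    """Recompute every region size and flag any that disagree with the listed size."""
    out = []
    for name, listed in entries:
        d = parse_dump_name(name)
        d["listed"] = listed
        d["matches"] = human_size(d["size"]) == listed
        out.append(d)
    return out


def group_regions(entries):
    """Map each (start, end) range to the sequence numbers at which it was dumped."""
    by_range = {}
    for name, _ in entries:
        d = parse_dump_name(name)
        by_range.setdefault((d["start"], d["end"]), []).append(d["seq"])
    return by_range


if __name__ == "__main__":
    for d in check_reported(REPORTED):
        print(f"seq {d['seq']:>5}: 0x{d['start']:016X}-0x{d['end']:016X} "
              f"{d['size']:>9} bytes listed={d['listed']} ok={d['matches']}")
    for (start, end), seqs in group_regions(REPORTED).items():
        print(f"0x{start:016X}-0x{end:016X} dumped at seq {seqs}")
```

All five listed sizes check out (0xE000, 0xAC1000 and 0x10000 bytes). Two of the three ranges were dumped twice, once near process start (seq 1 and 4) and again tens of thousands of events later (seq 33150 and 34747), so diffing each pair is the first thing to do when looking for data the sample unpacked or built at runtime; the report itself does not say what those regions hold.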