Analysis
- max time kernel: 122s
- max time network: 137s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 04-01-2024 13:20
Behavioral task: behavioral1
- Sample: c0d49fbd02250d69cba143f3988029beaef67aad3626ea9ad07e4d0a80cb9c14.dll
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: c0d49fbd02250d69cba143f3988029beaef67aad3626ea9ad07e4d0a80cb9c14.dll
- Resource: win10v2004-20231215-en
General
- Target: c0d49fbd02250d69cba143f3988029beaef67aad3626ea9ad07e4d0a80cb9c14.dll
- Size: 3.7MB
- MD5: 1a5ee819449d01730b45f4f714e990c8
- SHA1: c429e959e19074f54aebb54729a874cc643472c7
- SHA256: c0d49fbd02250d69cba143f3988029beaef67aad3626ea9ad07e4d0a80cb9c14
- SHA512: bcf8cb3984ab87e7d03218d5d2508fe18ca0015babbb4e75ddff9999664db008220981fb14887e00554b2f9add2f8b634562208768a880ebb1e15b4a8701beb5
- SSDEEP: 98304:uVO2EnehcAOW1hRsTJch1zCkygPBFwPD+8th5Vm:uVO2EdjW1HsFchtCkyg+2
Malware Config
Extracted: agenda
- company_id: Y4aYnqmoKD
- note:
  -- Qilin
  Your network/system was encrypted. Encrypted files have new extension.
  -- Compromising and sensitive data
  We have downloaded compromising and sensitive data from you system/network
  If you refuse to communicate with us and we do not come to an agreement, your data will be published.
  Data includes:
  - Employees personal data, CVs, DL , SSN.
  - Complete network map including credentials for local and remote services.
  - Financial information including clients data, bills, budgets, annual reports, bank statements.
  - Complete datagrams/schemas/drawings for manufacturing in solidworks format
  - And more...
  -- Warning
  1) If you modify files - our decrypt software won't able to recover data
  2) If you use third party software - you can damage/modify files (see item 1)
  3) You need cipher key / our decrypt software to restore you files.
  4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions.
  -- Recovery
  1) Download tor browser: https://www.torproject.org/download/
  2) Go to domain
  3) Enter credentials
  -- Credentials
  Extension: Y4aYnqmoKD
  Domain: mc3lcg4lqmwcrk34geaqokyjyhvjeh2alsiklpgnaqe25466isopv3id.onion
  login: R5ZHFB-RiA_94UGXxYDObv6Xriy7JCxb
  password:
Signatures
- Agenda Ransomware
  A ransomware with multiple variants written in Golang and Rust first seen in August 2022.
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 2480 wrote to memory of 2056 | 2480 | rundll32.exe | rundll32.exe
  PID 2480 wrote to memory of 2056 | 2480 | rundll32.exe | rundll32.exe
  PID 2480 wrote to memory of 2056 | 2480 | rundll32.exe | rundll32.exe
  PID 2480 wrote to memory of 2056 | 2480 | rundll32.exe | rundll32.exe
  PID 2480 wrote to memory of 2056 | 2480 | rundll32.exe | rundll32.exe
  PID 2480 wrote to memory of 2056 | 2480 | rundll32.exe | rundll32.exe
  PID 2480 wrote to memory of 2056 | 2480 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0d49fbd02250d69cba143f3988029beaef67aad3626ea9ad07e4d0a80cb9c14.dll,#1
  PID: 2480
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0d49fbd02250d69cba143f3988029beaef67aad3626ea9ad07e4d0a80cb9c14.dll,#1
    PID: 2056