Resubmissions

  • 15-01-2024 10:33    240115-mln9sseben    score 10/10
  • 30-01-2023 02:12    230130-cnc97seh7x    score 10/10

Analysis

  • max time kernel
    89s
  • max time network
    166s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    15-01-2024 10:33

General

  • Target

    e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527.exe

  • Size

    1.6MB

  • MD5

    6a93e618e467ed13f98819172e24fffa

  • SHA1

    d34550ebc2bee47c708c8e048eb78881468e6bca

  • SHA256

    e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527

  • SHA512

    ac78fcd5ab3340fa691eb9941c729a58291ae58372ed8f535ae2a7ac23b99b0f57448343a020b4e889a7b7a822d116df32c8c5c14a4def0720987c2d6b966192

  • SSDEEP

    24576:KBz37bSK2rgyik2VZGiOYnSadiUm6M551SaJkqFYUe3xHj96khwkyITnoXlIEvXX:Kx6Rvik2VUKnzhQ4akWXUy

Score
10/10

Malware Config

Extracted

Family
  agenda

Attributes
  • company_id
    MmXReVIxLV

  • note
    -- Qilin
    Your network/system was encrypted.
    Encrypted files have new extension.
    -- Compromising and sensitive data
    We have downloaded compromising and sensitive data from you system/network
    If you refuse to communicate with us and we do not come to an agreement, your data will be published.
    Data includes:
    - Employees personal data, CVs, DL, SSN.
    - Complete network map including credentials for local and remote services.
    - Financial information including clients data, bills, budgets, annual reports, bank statements.
    - Complete datagrams/schemas/drawings for manufacturing in solidworks format
    - And more...
    -- Warning
    1) If you modify files - our decrypt software won't able to recover data
    2) If you use third party software - you can damage/modify files (see item 1)
    3) You need cipher key / our decrypt software to restore you files.
    4) The police or authorities will not be able to help you get the cipher key.
    We encourage you to consider your decisions.
    -- Recovery
    1) Download tor browser: https://www.torproject.org/download/
    2) Go to domain
    3) Enter credentials
    -- Credentials
    Extension: MmXReVIxLV
    Domain: ueegj65kwr3v3sjhli73gjtmfnh2uqlte3vyg2kkyqq7cja2yx2ptaad.onion
    login: 6f031ccd-526a-4806-82a8-2e7d926243d4
    password:

  • rsa_pubkey.plain

Extracted

Path

C:\Users\README-RECOVER-MmXReVIxLV.txt

Family

agenda

Ransom Note

-- Qilin
Your network/system was encrypted.
Encrypted files have new extension.
-- Compromising and sensitive data
We have downloaded compromising and sensitive data from you system/network
If you refuse to communicate with us and we do not come to an agreement, your data will be published.
Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Financial information including clients data, bills, budgets, annual reports, bank statements.
- Complete datagrams/schemas/drawings for manufacturing in solidworks format
- And more...
-- Warning
1) If you modify files - our decrypt software won't able to recover data
2) If you use third party software - you can damage/modify files (see item 1)
3) You need cipher key / our decrypt software to restore you files.
4) The police or authorities will not be able to help you get the cipher key.
We encourage you to consider your decisions.
-- Recovery
1) Download tor browser: https://www.torproject.org/download/
2) Go to domain
3) Enter credentials
-- Credentials
Extension: MmXReVIxLV
Domain: ueegj65kwr3v3sjhli73gjtmfnh2uqlte3vyg2kkyqq7cja2yx2ptaad.onion
login: 6f031ccd-526a-4806-82a8-2e7d926243d4
password: AgendaPass

URLs

http://ueegj65kwr3v3sjhli73gjtmfnh2uqlte3vyg2kkyqq7cja2yx2ptaad.onion
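The "Extracted" fields above (company_id / Extension, the .onion domain, login and password) are exactly what a config extractor pulls from this note, and the dropped-note name under Downloads (README-RECOVER-MmXReVIxLV.txt) is the extension spliced into a fixed template. The Python below is an added illustration, not the sandbox's own extractor: it parses a constructed copy of the note text from this report (line breaks restored, middle sections trimmed), derives the note filename and portal URL, and tolerates an empty password field, which is how the memory-extracted copy of the note appears under Malware Config. The field names and the `is_agenda_note` banner check are the author's assumptions, not a published signature.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the note from this report with its line breaks restored
# and the "Compromising and sensitive data" / "Warning" sections omitted.
SAMPLE_NOTE = """-- Qilin
Your network/system was encrypted.
Encrypted files have new extension.
-- Recovery
1) Download tor browser: https://www.torproject.org/download/
2) Go to domain
3) Enter credentials
-- Credentials
Extension: MmXReVIxLV
Domain: ueegj65kwr3v3sjhli73gjtmfnh2uqlte3vyg2kkyqq7cja2yx2ptaad.onion
login: 6f031ccd-526a-4806-82a8-2e7d926243d4
password: AgendaPass
"""

# One field per line, case-insensitive; [ \t]* (not \s*) so an empty value
# cannot swallow the next line. The Domain pattern accepts v2 (16) or v3 (56)
# base32 onion addresses; the login must be a UUID, as in this note.
_FIELDS = {
    "extension": re.compile(r"^[ \t]*Extension:[ \t]*(\S*)", re.I | re.M),
    "domain":    re.compile(r"^[ \t]*Domain:[ \t]*([a-z2-7]{16,56}\.onion)?", re.I | re.M),
    "login":     re.compile(r"^[ \t]*login:[ \t]*([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})?", re.I | re.M),
    "password":  re.compile(r"^[ \t]*password:[ \t]*(\S*)", re.I | re.M),
}


@dataclass(frozen=True)
class AgendaNoteConfig:
    extension: Optional[str]
    domain: Optional[str]
    login: Optional[str]
    password: Optional[str]

    @property
    def note_filename(self) -> Optional[str]:
        # Naming observed in this report: README-RECOVER-<extension>.txt
        return f"README-RECOVER-{self.extension}.txt" if self.extension else None

    @property
    def portal_url(self) -> Optional[str]:
        # The report lists the portal as a plain http:// URL on the onion domain.
        return f"http://{self.domain}" if self.domain else None


def _field(name: str, text: str) -> Optional[str]:
    """Return the captured value for a field, or None if absent or empty."""
    m = _FIELDS[name].search(text)
    if not m or not m.group(1):
        return None
    return m.group(1)


def parse_agenda_note(text: str) -> AgendaNoteConfig:
    """Pull the configuration-bearing fields out of a Qilin/Agenda note."""
    return AgendaNoteConfig(
        extension=_field("extension", text),
        domain=_field("domain", text),
        login=_field("login", text),
        password=_field("password", text),
    )


def is_agenda_note(text: str) -> bool:
    """Cheap family check (assumed, not a published rule): the Qilin banner
    at the start of a line plus a Credentials block."""
    return bool(re.search(r"^-- Qilin\b", text, re.M)) and "-- Credentials" in text


if __name__ == "__main__":
    cfg = parse_agenda_note(SAMPLE_NOTE)
    print(cfg, cfg.note_filename, cfg.portal_url)
```

Keeping the field values separate from the free text matters in practice: the extension doubles as the victim identifier (company_id) and as the filename suffix to hunt for, while the login UUID and password are per-victim and should be treated as indicators of this specific intrusion, not of the family.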

Signatures

  • Agenda Ransomware

    A ransomware family with multiple variants, written in Golang and Rust, first seen in August 2022.

  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (152) files with added filename extension

    This suggests ransomware activity: encrypting files across the system.

  • Drops file in Windows directory (1 IoC)
  • Interacts with shadow copies (2 TTPs, 1 IoC)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527.exe (PID 4684, depth 1)
    "C:\Users\Admin\AppData\Local\Temp\e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527.exe"

  • C:\Windows\System32\rundll32.exe (PID 1516, depth 1)
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

  • C:\Windows\System32\cmd.exe (PID 1832, depth 1)
    "C:\Windows\System32\cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527.exe (PID 4252, depth 2)
      e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527.exe --password AgendaPass
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      • C:\Windows\system32\cmd.exe (PID 4728, depth 3)
        "cmd" /C "vssadmin.exe delete shadows /all /quiet"
        Signatures: Suspicious use of WriteProcessMemory
        • C:\Windows\system32\vssadmin.exe (PID 1392, depth 4)
          vssadmin.exe delete shadows /all /quiet
          Signatures: Interacts with shadow copies

  • C:\Windows\system32\svchost.exe (PID 3932, depth 1)
    C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
    Signatures: Drops file in Windows directory

  • C:\Windows\system32\vssvc.exe (PID 2256, depth 1)
    C:\Windows\system32\vssvc.exe
    Signatures: Suspicious use of AdjustPrivilegeToken
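The "Deletes shadow copies" and "Interacts with shadow copies" signatures are raised on the chain under PID 4252: the sample, relaunched by cmd.exe with `--password AgendaPass` (the same string the ransom note lists as its password), spawns `cmd /C "vssadmin.exe delete shadows /all /quiet"`, which spawns vssadmin.exe. The Python below is an added detection example, not the sandbox's rule logic: it runs over constructed process-creation events modelled on this tree, matches the common shadow-copy and recovery-tampering command lines (the vssadmin form seen here plus its usual siblings), and then walks the parent chain past command interpreters and the tool itself to attribute the action to the process that initiated it. The event field names and the parent pid of the top-level processes (1000) are assumptions; the report only shows the nesting.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527.exe")

# Constructed process-creation events modelled on the tree in this report.
# "ppid" 1000 for the top-level processes is an assumption.
EVENTS = [
    {"pid": 4684, "ppid": 1000, "image": SAMPLE_EXE, "cmdline": f'"{SAMPLE_EXE}"'},
    {"pid": 1516, "ppid": 1000, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"},
    {"pid": 1832, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe"'},
    {"pid": 4252, "ppid": 1832, "image": SAMPLE_EXE,
     "cmdline": "e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527.exe --password AgendaPass"},
    {"pid": 4728, "ppid": 4252, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"cmd" /C "vssadmin.exe delete shadows /all /quiet"'},
    {"pid": 1392, "ppid": 4728, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 3932, "ppid": 1000, "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc"},
    {"pid": 2256, "ppid": 1000, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
]

# Command-line patterns for shadow-copy and recovery tampering. Only the first
# is exercised in this report; the rest are common siblings.
TAMPER_RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin_resize_shadowstorage", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]

# Processes skipped over when attributing a finding to its initiator.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
TOOLS = {"vssadmin.exe", "wmic.exe", "wbadmin.exe", "bcdedit.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    cmdline: str
    initiator_pid: Optional[int]
    initiator_image: Optional[str]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_initiator(pid: int, by_pid: Dict[int, dict]) -> Optional[dict]:
    """Climb the parent chain past interpreters and the tool itself; the first
    process that is neither is the initiator. Stops on a cycle or when the
    parent is not in the event set (returns None)."""
    seen = set()
    ev = by_pid.get(pid)
    while ev is not None and ev["pid"] not in seen:
        seen.add(ev["pid"])
        if basename(ev["image"]) not in INTERPRETERS | TOOLS:
            return ev
        ev = by_pid.get(ev["ppid"])
    return None


def detect_shadow_copy_tampering(events: List[dict]) -> List[Finding]:
    """One finding per event whose command line matches a tampering rule.
    Both the 'cmd /C ...' wrapper and the vssadmin child match here, each
    attributed to the same initiator."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Finding] = []
    for e in events:
        for rule, pat in TAMPER_RULES:
            if pat.search(e["cmdline"]):
                init = find_initiator(e["pid"], by_pid)
                findings.append(Finding(rule, e["pid"], e["cmdline"],
                                        init["pid"] if init else None,
                                        init["image"] if init else None))
                break
    return findings


def password_arg(cmdline: str) -> Optional[str]:
    """Value of a -password/--password argument, if present (PID 4252 in this
    report is launched with --password AgendaPass)."""
    m = re.search(r"(?:^|\s)--?password(?:[=\s]+)(\S+)", cmdline, re.I)
    return m.group(1) if m else None


if __name__ == "__main__":
    for f in detect_shadow_copy_tampering(EVENTS):
        print(f"{f.rule}: pid {f.pid} <- initiator pid {f.initiator_pid} {f.initiator_image}")
    print("password argument:", password_arg(EVENTS[3]["cmdline"]))
```

The initiator walk is what separates this from a bare `vssadmin delete shadows` string match: backup agents and administrators run the same command, but a command-line match whose initiator is an unsigned binary in a user's Temp directory, launched with a password argument, is the pattern on this page. Note that the "Uses Volume Shadow Copy service COM API" signature above is a different path (vssvc.exe is reached through COM rather than a command line) and would not be caught by these rules; that needs API or ETW telemetry rather than process-creation events.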

Network

MITRE ATT&CK Enterprise v15
Downloads

  • C:\Users\README-RECOVER-MmXReVIxLV.txt
    Filesize: 1KB
    MD5: 0b080299bd4389f496cb40d4f87be3bf
    SHA1: a11d1769af2a91c04e4bead82e8a64e785980015
    SHA256: 16cbd60f0e147c4998e3c3d140af23365e77c3403737be0157b878753bf4f999
    SHA512: a0b43797e67fdc7035e4041b32ed15ef5a8e0fba5845a4f0b43d998cd7615e74f2bef49e31903b3ea8f484e7693064a389e0aeaba4ffb35044417caaacdfdc1c

  • memory/3932-1-0x000002646FE90000-0x000002646FEA0000-memory.dmp
    Filesize: 64KB

  • memory/3932-5-0x00000264702D0000-0x00000264702E0000-memory.dmp
    Filesize: 64KB

  • memory/3932-9-0x0000026474980000-0x0000026474981000-memory.dmp
    Filesize: 4KB

  • memory/4252-11-0x00000000002B0000-0x0000000000448000-memory.dmp
    Filesize: 1.6MB

  • memory/4252-344-0x00000000002B0000-0x0000000000448000-memory.dmp
    Filesize: 1.6MB

  • memory/4684-0-0x00000000002B0000-0x0000000000448000-memory.dmp
    Filesize: 1.6MB