Resubmissions

  • 21-01-2024 14:52: 240121-r8syqaeac7 (score 10)
  • 21-01-2024 14:51: 240121-r8k8waeac5 (score 10)
  • 01-01-2024 13:55: 240101-q776kscacp (score 10)

Analysis

  • max time kernel: 118s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20231129-en
  • resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted: 21-01-2024 14:51

General

  • Target: 365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7.exe
  • Size: 450KB
  • MD5: e70b33103c17c000ac11025d2d8e70a1
  • SHA1: df898d9d0e8e6f2d4eb5d4742d4c206092cdcb34
  • SHA256: 365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7
  • SHA512: 632461a9c6bff4e013cf3e77a7262d1daaa8775156c61c70dab685ae59114b22d00a47a0214204f6c514c6be77ad5b0c371a889076072fdb1eaf574cb6d4c42c
  • SSDEEP: 12288:krYn2GbqdcOuAKi1kcwyEOywAx1gT+yFCv6oE4E:kcNbqdFtVkcwyEOix1GtFCv6F4E

Score
10/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3470981204-343661084-3367201002-1000\readme.txt

Ransom Note
Dear user! Your computer is encrypted! We demand a ransom! Decryption service is paid !!!! PAYMENT FOR BITCOIN !!! To decrypt your computer, you need to download the TOR browser at https://www.torproject.org/download/ Install it and visit our website for further action http://paymen45oxzpnouz.onion/5e1a7c2620 Also from your servers files, documents, databases SQL, PDF were uploaded to our cloud storage After we agree, you will receive a decryption program, valuable advice in order not to fall into this situation in the future, as well as all your files on our server will be deleted. Otherwise, they will fall into the open access of the Internet! Use any third party software for restoring your data or antivirus solutions will result in a loose of data. Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.
URLs

http://paymen45oxzpnouz.onion/5e1a7c2620

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (8391) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops desktop.ini file(s) 40 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7.exe
    "C:\Users\Admin\AppData\Local\Temp\365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:2748
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7.exe" >> NUL
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:972
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1132

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3470981204-343661084-3367201002-1000\desktop.ini (649B)
    MD5: a2bee75b24ec7a5775167b4eab1aead7
    SHA1: 1ebe8dc222db12326ca4f275323c0f2aa7f458ee
    SHA256: c64072e2ebcec2adef983cedae01cd0e93ed83f53333d81764fd2da046425e05
    SHA512: 88f803c14ba145c6f4b2aa9be69dfcd648f92651fac4d3fde0d79e0bac2a16d7e075a5028116faa22ac994727ae67a98e9c8c8919664d685a6963f4ad8a57c00

  • C:\$Recycle.Bin\S-1-5-21-3470981204-343661084-3367201002-1000\readme.txt (1KB)
    MD5: 690a32206c421c58a74635ba8623f06c
    SHA1: e7ea197518fbcdb181184c5d6c60a49d0d776502
    SHA256: 2a41e7d3478a8c5023ceecbc9258e072a9db9bf154d10245035e227ab3180941
    SHA512: 26b03f299c71ba946b6333f77fb54063842d39ceb069728d8587da285c6947e010572bc7f67092651f150814f4dcbee4a7538d2111cfd3860a27e70a8eef2d1f

  • memory/2972-9-0x0000000000220000-0x0000000000260000-memory.dmp (256KB)
  • memory/2972-28-0x00000000002E0000-0x0000000000320000-memory.dmp (256KB)
  • memory/2972-15-0x00000000002E0000-0x0000000000320000-memory.dmp (256KB)
  • memory/2972-2-0x0000000000330000-0x00000000003B0000-memory.dmp (512KB)
  • memory/2972-1-0x0000000000590000-0x0000000000690000-memory.dmp (1024KB)
  • memory/2972-135-0x00000000002E0000-0x0000000000320000-memory.dmp (256KB)
  • memory/2972-167-0x00000000002E0000-0x0000000000320000-memory.dmp (256KB)
  • memory/2972-215-0x0000000000400000-0x00000000004DD000-memory.dmp (884KB)
  • memory/2972-253-0x0000000000400000-0x00000000004DD000-memory.dmp (884KB)
  • memory/2972-16897-0x0000000000400000-0x00000000004DD000-memory.dmp (884KB)
  • memory/2972-18870-0x0000000000220000-0x0000000000221000-memory.dmp (4KB)
  • memory/2972-18871-0x0000000000400000-0x00000000004DD000-memory.dmp (884KB)