Resubmissions

  • 21-01-2024 14:52: 240121-r8syqaeac7, score 10
  • 21-01-2024 14:51: 240121-r8k8waeac5, score 10
  • 01-01-2024 13:55: 240101-q776kscacp, score 10

Analysis

  • max time kernel: 122s
  • max time network: 126s
  • platform: windows7_x64
  • resource: win7-20231129-en
  • resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted: 21-01-2024 14:51

General

  • Target: 59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d.exe
  • Size: 477KB
  • MD5: ebbb782bafaa3ab64a3e4b006a698fe0
  • SHA1: 2800cd4dd62ba63f38d0452bf80cb35b4359a3dd
  • SHA256: 59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d
  • SHA512: cd6681d7987901eb27064c4a833052abccef60383f9b0e53360ae9e3e66a19d0d0405bdeb5a609c7d668aa8720eb49f5fc3f060920ec042ec6584eebfd9f09ae
  • SSDEEP: 6144:ko4FuDncVzUJOH5bpX3Q92J6fHgaEFx9BQOJvZTsMJfOg2lOMxPEiarVb0J0:kzuwVzUW5bN3Y6LmO13Gg2IMyxrt0u

Score
10/10

Malware Config

Extracted

  • Path: F:\$RECYCLE.BIN\readme.txt
  • Ransom Note:
Dear user! Your computer is encrypted! We demand a ransom! Decryption service is paid !!!! PAYMENT FOR BITCOIN !!! To decrypt your computer, you need to download the TOR browser at https://www.torproject.org/download/ Install it and visit our website for further action http://paymen45oxzpnouz.onion/d128dec973 Also from your servers files, documents, databases SQL, PDF were uploaded to our cloud storage After we agree, you will receive a decryption program, valuable advice in order not to fall into this situation in the future, as well as all your files on our server will be deleted. Otherwise, they will fall into the open access of the Internet! Use any third party software for restoring your data or antivirus solutions will result in a loose of data. Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.
  • URLs: http://paymen45oxzpnouz.onion/d128dec973

Signatures

  • Deletes shadow copies (2 TTPs)
    Ransomware often targets backup files to inhibit system recovery.
  • Renames multiple (8414) files with added filename extension
    This suggests ransomware activity of encrypting all the files on the system.
  • Deletes itself (1 IoC)
  • Drops desktop.ini file(s) (40 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Delays execution with timeout.exe (1 IoC)
  • Interacts with shadow copies (2 TTPs, 1 IoC)
    Shadow copies are often targeted by ransomware to inhibit system recovery.
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)
  • Uses Volume Shadow Copy service COM API
    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d.exe
    "C:\Users\Admin\AppData\Local\Temp\59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:2192
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d.exe" >> NUL
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:3180
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2344

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini
    Filesize: 649B
    MD5: 593d89fc55b6a6e97d8b54b1c32bf8c8
    SHA1: d83f28f6643bdaa67dc9ed005a190a5e96c2f080
    SHA256: 209f36f9fa412f72cdcd37738c5afd3c4451085837e30f087ca0618fbbac642d
    SHA512: 40a9b10075810439383d27cfc001d28a595dc93ddd4b0fc7529ac8f0d1ba06b48d6680fce921b666c8009a056c3004b9af6db46a351f157e74b597857d5d8896
  • F:\$RECYCLE.BIN\readme.txt
    Filesize: 1KB
    MD5: 18f6f8d0d6d806bd9faaba45aa6380ce
    SHA1: 1ca6782021093560c94af991cd440937d0682559
    SHA256: e9544a8e92c5f9afadde6d8dbe07e56eafa1e851105397e625e45fa052df5c3e
    SHA512: 468addb65acb9dd124c2b1bb33220b53b8b2134dad3c5c6f2e749cff45383de5550084824700db2378f29142bf20644a4985fff4097b418f2d87a9094c6cd873
  • memory/1720-245-0x00000000003C0000-0x0000000000400000-memory.dmp (256KB)
  • memory/1720-8-0x0000000000220000-0x00000000002A0000-memory.dmp (512KB)
  • memory/1720-82-0x0000000000400000-0x00000000004E3000-memory.dmp (908KB)
  • memory/1720-135-0x0000000000360000-0x0000000000361000-memory.dmp (4KB)
  • memory/1720-1-0x00000000005E0000-0x00000000006E0000-memory.dmp (1024KB)
  • memory/1720-236-0x00000000003C0000-0x0000000000400000-memory.dmp (256KB)
  • memory/1720-270-0x00000000003C0000-0x0000000000400000-memory.dmp (256KB)
  • memory/1720-329-0x00000000003C0000-0x0000000000400000-memory.dmp (256KB)
  • memory/1720-328-0x00000000003C0000-0x0000000000400000-memory.dmp (256KB)
  • memory/1720-327-0x00000000003C0000-0x0000000000400000-memory.dmp (256KB)
  • memory/1720-18917-0x0000000000400000-0x00000000004E3000-memory.dmp (908KB)
  • memory/1720-18918-0x0000000000320000-0x0000000000321000-memory.dmp (4KB)
  • memory/1720-18919-0x0000000000400000-0x00000000004E3000-memory.dmp (908KB)