Resubmissions

21-01-2024 14:52

240121-r8syqaeac7 10

21-01-2024 14:51

240121-r8k8waeac5 10

01-01-2024 13:55

240101-q776kscacp 10

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-01-2024 14:52

General

  • Target

    365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7.exe

  • Size

    450KB

  • MD5

    e70b33103c17c000ac11025d2d8e70a1

  • SHA1

    df898d9d0e8e6f2d4eb5d4742d4c206092cdcb34

  • SHA256

    365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7

  • SHA512

    632461a9c6bff4e013cf3e77a7262d1daaa8775156c61c70dab685ae59114b22d00a47a0214204f6c514c6be77ad5b0c371a889076072fdb1eaf574cb6d4c42c

  • SSDEEP

    12288:krYn2GbqdcOuAKi1kcwyEOywAx1gT+yFCv6oE4E:kcNbqdFtVkcwyEOix1GtFCv6F4E

Score
10/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\readme.txt

Ransom Note
Dear user! Your computer is encrypted! We demand a ransom! Decryption service is paid !!!! PAYMENT FOR BITCOIN !!! To decrypt your computer, you need to download the TOR browser at https://www.torproject.org/download/ Install it and visit our website for further action http://paymen45oxzpnouz.onion/a08e87d5a7 Also from your servers files, documents, databases SQL, PDF were uploaded to our cloud storage After we agree, you will receive a decryption program, valuable advice in order not to fall into this situation in the future, as well as all your files on our server will be deleted. Otherwise, they will fall into the open access of the Internet! Use any third party software for restoring your data or antivirus solutions will result in a loose of data. Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.
URLs

http://paymen45oxzpnouz.onion/a08e87d5a7

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (8412) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops desktop.ini file(s) 40 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7.exe
    "C:\Users\Admin\AppData\Local\Temp\365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:2788
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7.exe" >> NUL
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:3224
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:3260
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1268429524-3929314613-1992311491-1000\desktop.ini

    Filesize

    649B

    MD5

    86a323f45692066cc71e028e5c00fa63

    SHA1

    ff1b82801bd42e6fdb9b31f4fc69dbd3da44156d

    SHA256

    79970377990345ee1ea73f1273405b7d4fb48a2d96230ab1fce3b4e3746ee749

    SHA512

    689e1f37add93a014feadd2bbab7a7e1428e75e212aca788a2ff92bbb314218563aa36218e8388d00524e3a4c15e8331e0dabd051c5f1f69d837bee07db0211a

  • C:\$Recycle.Bin\readme.txt

    Filesize

    1KB

    MD5

    8d3d4dfef5dc32f2278f520d3e952244

    SHA1

    1a3e7e1fdea51b6ce3924ba71851f7125b2debf2

    SHA256

    d9b9434e33e7454a843043152e216d412b5c5753f61d1c9ce50bd7f0d7c46016

    SHA512

    296b7f7505f0af96dd33ecf7f8dcf14d69104072bb4463f0060343e71b29f104bc2a1557a500055f26a574fc44678e515dc0c3199286a90599599ac413fd1d2b

  • memory/2052-3-0x00000000002A0000-0x00000000002E0000-memory.dmp

    Filesize

    256KB

  • memory/2052-13-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

  • memory/2052-2-0x0000000000320000-0x00000000003A0000-memory.dmp

    Filesize

    512KB

  • memory/2052-9-0x00000000002A0000-0x00000000002E0000-memory.dmp

    Filesize

    256KB

  • memory/2052-1-0x0000000000550000-0x0000000000650000-memory.dmp

    Filesize

    1024KB

  • memory/2052-6705-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

  • memory/2052-6706-0x0000000000550000-0x0000000000650000-memory.dmp

    Filesize

    1024KB

  • memory/2052-6708-0x0000000000320000-0x00000000003A0000-memory.dmp

    Filesize

    512KB

  • memory/2052-9327-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

  • memory/2052-16376-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB

  • memory/2052-18916-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB

  • memory/2052-18917-0x0000000000400000-0x00000000004DD000-memory.dmp

    Filesize

    884KB