ee65e9d7a7bc9d17e894e0b775fc0bbfb35e72c65c3d768e34bfe059d521cc16

Resubmissions

21/01/2024, 14:52 UTC

240121-r8syqaeac7 10

21/01/2024, 14:51 UTC

240121-r8k8waeac5 10

01/01/2024, 13:55 UTC

240101-q776kscacp 10

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2024, 14:52 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506.exe
Size

263KB
MD5

111e7dd338f7a7db306c95e05797747f
SHA1

aff72034cbbc21693425306ad42b1bb182582743
SHA256

5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506
SHA512

215ee93c5faf2af3a55cceed281b56aecb5990baf4ae508f02eb481c7c22081f05b73a2657279205ff5d4edfc63722ea1405a9e8cdf65939021c9f052ffb6fec
SSDEEP

6144:jeHgRe/IfHES0cVZrDjuNywKGOCWVoYkNMbU:jeHgM4HxZG1KGjWVoVO

Score

10^/10

ransomware upx

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\How To Recover Encrypted Files.hta

Ransom Note

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta charset="windows-1251"> <title>HOW TO DECRYPT YOUR FILES</title> <HTA:APPLICATION ICON="mstsc.exe" SINGLEINSTANCE="yes"> <script language="JScript"> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type="text/css"> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background-color: #C1AB8F; } .bold { font-weight: bold; } .xx { border: 1px dashed #000; background: #E3D5F1; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { font-size: 30px; height: 50px; line-height: 50px; font-weight: bold; border-bottom: 10px solid #D0D0E8; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } </style> </head> <body> <div class="header">Your files are encrypted!</div> <div class="note private"> <div class="title">Your personal ID</div> <pre>2121799001076345843398507332297735432140395940899429037042670857175831500401266119286287252971283123 4495241325948945463131010101442835947155524655048827951478038478281115743408090469407154796500430651 1656415659115466750320384538396022671477191235175253064099845600822834070612521996255603114465590012 0368740700193747251300626987759436380742088937764114804984156784162938553827257042828448709915952061 9591386834580868785306595995567439326697111279941721974452866024950064318087298077539872215648240245 8561245373608898492764439102035002410606758391921866346896049768038179824074748755229201944362876391 540585417571153367</pre> </div> <div class="bold"> <div align="left">All your important data has been encrypted.</div> </div> <div class="bold">To recover data you need decryptor.</div> <div> <h2 align="center">To get the decryptor you should:</h2> <h1 align="left">pay for decrypt:</h1> <div class="note xx"> <div align="left"> <h1>to send 1 bitcoin today (tomorrow 2 bitcoins) to bitcoin the address 1EQiMGLApzDdPYLWoDMyUo27q5ashMXdQ<br> </h1> </div> <div align="left"> <strong>Here are our recommendations:</strong> </div> <div align="left"> <ol> <li><strong>If you have no Bitcoin address register https://blockchain.info/wallet</strong></li> <li><strong>fill up your wallet some of the ways:</strong></li> <li><strong>Btcdirect.eu - Good service for Europe</strong></li> <li><strong>Bittylicious.com - Bitcoins through Visa / MC or through SEPA (��) transfer</strong></li> <li><strong>Localbitcoins.com - Here you can find people who want to sell Bitcoins directly (WU, in cash, SEPA, Paypal u.s.).</strong></li> <li><strong>Cex.io - buy bitcoins with Visa / Mastercard or Wire Transfer.</strong></li> <li><strong>Coincafe.com - Designed for quick and easy service. Payment methods: Western Union, Bank of America, cash by FedEx, Moneygram, as money transfer</strong></li> <li><strong>Bitstamp.net - well known and established Bitcoins seller</strong></li> <li><strong>Coinmama.com - Visa / Mastercard</strong></li> <li><strong>Btc-e.com - Bitcoins vendor (Visa / Mastercard, etc.)</strong></li> <li><strong>If you have not found any bitcoins in your region, try to find them here:</strong></li> <li><strong>Buybitcoinworldwide.com - International Bicoins Exchange Directory</strong></li> <li><strong>Bitcoin-net.com - Another directory of Bitcoins sellers</strong></li> <li><strong>Howtobuybitcoins.info - International Bicoins Exchange Directory</strong></li> <li><strong>Bittybot.co/eu - Directory for countries of the European Union</strong></li> <li><strong>write to Google how to buy Bitcoin in your country?</strong></li> </ol> </div> <div align="left"> <h1>mail support hnumkhotep@india.com<br> </h1> </div> <h1>After the payment: </h1> </div> <div><p>Send screenshot of payment to mail support <span class="mark">hnumkhotep@india.com</span>. In the letter include your personal ID (look at the beginning of this document).</p> </div> <div> <h1 align="center">After you will receive a decryptor and instructions</h1> </div> <div class="note alert"> <div class="title">Attention!</div> <ul><li>No Payment = No decryption</li> <li>You really get the decryptor after payment</li> <li>Do not attempt to remove the program or run the anti-virus tools</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul> </div> </body> </html>

Emails

hnumkhotep@india.com<br>

class="mark">hnumkhotep@india.com</span>

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506.exe

Executes dropped EXE 1 IoCs

pid	Process
4816	svchost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral6/memory/3852-0-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral6/files/0x000f000000023151-5.dat	upx
behavioral6/files/0x000f000000023151-7.dat	upx
behavioral6/files/0x000f000000023151-8.dat	upx
behavioral6/memory/3852-9-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral6/memory/4816-694-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral6/memory/4816-747-0x0000000000400000-0x0000000000478000-memory.dmp	upx

Drops desktop.ini file(s) 25 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
840	4816	WerFault.exe	62

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 4816	3852	5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506.exe	62
PID 3852 wrote to memory of 4816	3852	5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506.exe	62
PID 3852 wrote to memory of 4816	3852	5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506.exe	62
PID 3852 wrote to memory of 2768	3852	5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506.exe	61
PID 3852 wrote to memory of 2768	3852	5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506.exe	61
PID 3852 wrote to memory of 2768	3852	5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506.exe	61
PID 4816 wrote to memory of 3460	4816	svchost.exe	60
PID 4816 wrote to memory of 3460	4816	svchost.exe	60
PID 4816 wrote to memory of 3460	4816	svchost.exe	60

C:\Users\Admin\AppData\Local\Temp\5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506.exe
"C:\Users\Admin\AppData\Local\Temp\5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Windows\SysWOW64\mshta.exe
  mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('C:\\Users\\Admin\\AppData\\Local\\Temp\\5474E7~1.EXE');close()}catch(e){}},10);"
  2⤵
  PID:2768
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 604
    3⤵
    - Program crash
    PID:840

C:\Windows\SysWOW64\mshta.exe
mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');setInterval(function(){try{o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Scanner','C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe');}catch(e){}},10);"
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4816 -ip 4816
1⤵
PID:4384

Network

DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

194.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

194.178.17.96.in-addr.arpa

IN PTR

Response

194.178.17.96.in-addr.arpa

IN PTR

a96-17-178-194deploystaticakamaitechnologiescom
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

140.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

140.32.126.40.in-addr.arpa

IN PTR

Response
DNS

183.142.211.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.142.211.20.in-addr.arpa

IN PTR

Response
DNS

183.142.211.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.142.211.20.in-addr.arpa

IN PTR
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

209.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.178.17.96.in-addr.arpa

IN PTR

Response

209.178.17.96.in-addr.arpa

IN PTR

a96-17-178-209deploystaticakamaitechnologiescom
DNS

29.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.243.111.52.in-addr.arpa

IN PTR

Response
DNS

181.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

181.178.17.96.in-addr.arpa

IN PTR

Response

181.178.17.96.in-addr.arpa

IN PTR

a96-17-178-181deploystaticakamaitechnologiescom
DNS

11.179.89.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.179.89.13.in-addr.arpa

IN PTR

Response

20.231.121.79:80

156 B
3

8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

194.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

194.178.17.96.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

140.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

140.32.126.40.in-addr.arpa
8.8.8.8:53

183.142.211.20.in-addr.arpa

dns

146 B
159 B
2
1

DNS Request

183.142.211.20.in-addr.arpa

DNS Request

183.142.211.20.in-addr.arpa
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

209.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

209.178.17.96.in-addr.arpa
8.8.8.8:53

29.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

29.243.111.52.in-addr.arpa
8.8.8.8:53

181.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

181.178.17.96.in-addr.arpa
8.8.8.8:53

11.179.89.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

11.179.89.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
208KB

MD5
f3eb7c3ea106f1a43d1a45456b0f2746

SHA1
ab77c708cecd48ad8381a691c043045c5990c445

SHA256
9d3822bf3ff386a5e89bf66da549c37821dcc9970dca59d737385619940e4993

SHA512
7f3ca6f588454c4256d912e984e33b66ec2d963be75a2250bd564ecd17add01822626ec8809634d94f4f05144b87b92f9fde350aae93518e7880cb2196075897

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
108KB

MD5
068d7914edcf3475a09418db41f7ed57

SHA1
24a449e033d18e8f61b2419befdbf9198e65cf13

SHA256
3726c7f72f1b7eb2e615bcf6e8a5abe34f9bf9fbb230a54e5b37b75c219ec6df

SHA512
ded9b193e4a36edb75efea06d95f0e4128b8760ae0af932ea00e3c7db4f36e0921a9e8a26402f35e9f5d6d428bbf506204b0d07153e98ffba5ed2bbfef5d72da

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
67KB

MD5
a671b60d5b926410a9eab25ee2d2a110

SHA1
7038e939d41b24a7946aa46a6f983a3194dcb22f

SHA256
992bd377f1d151b618723cf95010ded6452a879e147b9eb30cb42a87eb644d1e

SHA512
cf3dff24e2a5f42945de42dda2bd2178a3fc11a72a494f6e2635165b32e21be466645f0c61d3b35cb40b0009872162d4e47b3ff71f5d625f64c3f718bd8ede2e

Download Submit
C:\Users\Admin\Contacts\YwmZGQQTYj63wn6c354PsfW6CwNwg+9ctE-KNgkfHzI5QU+BLmK1pt37-T3eLvVo.hnumkhotep@india.com.hnumkhotep

Filesize
5KB

MD5
c005b7fa252db4957217cbf7151ab0e9

SHA1
8c18a196f8d71713332e2c19cff53e843f1d657b

SHA256
84a321da94e38308ef315fcceeb0e1ed6159e45ae96290d91eddd235fa3417ba

SHA512
16be43fd291623d0fcddb92b5ab85759cb63340bfba5c1194168425afac61d5b33ad98ede11550c79d18ccdfee205844fcb71388fc5996f8f14a34a5fb9449e4

Download Submit
C:\Users\Admin\Downloads\How To Recover Encrypted Files.hta

Filesize
5KB

MD5
422abb0922c1865bb043b42d1abfe41e

SHA1
af0c2916214bce86047640e34e0026642b65ae81

SHA256
7adcbd479ff9197622ad2c1f2cce0f6ed3dd765d0c50bb88a5bad96f3feb88c9

SHA512
e4c40b8e21aa88760f501eb7e6313b6530bc7b1f4a5a34551f0562cca15a602ba671520e770c491d218a8fa6b0901c9e49e53403eddc6a66633d04374939852a

Download Submit
C:\VIr974pDePhgfYIPcAlGCkcZp63dJQIG0RI4Eo4hr9k.hnumkhotep@india.com.hnumkhotep

Filesize
82KB

MD5
f579e6615698e2c2dd91b4be91927c6c

SHA1
29e6d536e1564749f4b5fdb0efbe950ea6d360c0

SHA256
4d4baf422ada331cc3d80ca07683734254469fdbb6cd7dc53b16177e0275107e

SHA512
72a6385d2fad12a2dcccafcb91172169df4486e14d958f12964f2de4b64e1e072ae80beaabe0a33bf5adeb58fd9a137b423c1446d352fa58818f8c458af1e1d7

Download Submit
memory/3852-0-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3852-9-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4816-694-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4816-747-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.