Resubmissions

21-01-2024 14:52

240121-r8syqaeac7 10

21-01-2024 14:51

240121-r8k8waeac5 10

01-01-2024 13:55

240101-q776kscacp 10

Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-01-2024 14:52

General

  • Target

    59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d.exe

  • Size

    477KB

  • MD5

    ebbb782bafaa3ab64a3e4b006a698fe0

  • SHA1

    2800cd4dd62ba63f38d0452bf80cb35b4359a3dd

  • SHA256

    59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d

  • SHA512

    cd6681d7987901eb27064c4a833052abccef60383f9b0e53360ae9e3e66a19d0d0405bdeb5a609c7d668aa8720eb49f5fc3f060920ec042ec6584eebfd9f09ae

  • SSDEEP

    6144:ko4FuDncVzUJOH5bpX3Q92J6fHgaEFx9BQOJvZTsMJfOg2lOMxPEiarVb0J0:kzuwVzUW5bN3Y6LmO13Gg2IMyxrt0u

Score
10/10

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\readme.txt

Ransom Note
Dear user! Your computer is encrypted! We demand a ransom! Decryption service is paid !!!! PAYMENT FOR BITCOIN !!! To decrypt your computer, you need to download the TOR browser at https://www.torproject.org/download/ Install it and visit our website for further action http://paymen45oxzpnouz.onion/68454b34bb Also from your servers files, documents, databases SQL, PDF were uploaded to our cloud storage After we agree, you will receive a decryption program, valuable advice in order not to fall into this situation in the future, as well as all your files on our server will be deleted. Otherwise, they will fall into the open access of the Internet! Use any third party software for restoring your data or antivirus solutions will result in a loose of data. Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.
URLs

http://paymen45oxzpnouz.onion/68454b34bb

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (8388) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops desktop.ini file(s) 40 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d.exe
    "C:\Users\Admin\AppData\Local\Temp\59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:2500
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout 1 && del "C:\Users\Admin\AppData\Local\Temp\59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d.exe" >> NUL
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:3524
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:2768
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3700

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3601492379-692465709-652514833-1000\desktop.ini

    Filesize

    649B

    MD5

    39c2f58e0b0f46b6475382aa9e7f1477

    SHA1

    79fca6376e150a81d32b739546ebb82a7ec69f94

    SHA256

    1e0325122b4d2432406d44f5960562a4ba6888257b386cfbcb6c3cbaf37d4e1a

    SHA512

    4754e045a00a92b4024fdfb2998ff338bad0c7048669165eb148d6066eebebbdbc0b06e1366a6facabc5c887b634c14540fbb3799dbbfb6598ed424b43172b93

  • F:\$RECYCLE.BIN\readme.txt

    Filesize

    1KB

    MD5

    fa878a2f0dcb564b190e458c33dd2f46

    SHA1

    d7fe4ccef2145412e270fc749822c44c01ec518b

    SHA256

    fe6978d41640be50d74af8e169e8741ae47d9a44f0bc586e9dd288dbdab9faac

    SHA512

    2ffce88467f19ebea0e01ea5c73cd240d5c77e5186c0f3f40d88976fe5a3b394d7ed19c5ed82f636e3b9324d4c74ea7e71b12eec07ad1da8fa895fea6d290576

  • memory/2928-107-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2928-3-0x00000000004F0000-0x0000000000570000-memory.dmp

    Filesize

    512KB

  • memory/2928-40-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2928-94-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2928-1-0x0000000000250000-0x0000000000350000-memory.dmp

    Filesize

    1024KB

  • memory/2928-75-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2928-195-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2928-427-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2928-906-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2928-908-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2928-17732-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB

  • memory/2928-18868-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

  • memory/2928-18869-0x0000000000400000-0x00000000004E3000-memory.dmp

    Filesize

    908KB