Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
  • submitted
    22-01-2024 07:54

General

  • Target

    6f21a85894e91b7082407e08e7c231c8.exe

  • Size

    1.2MB

  • MD5

    6f21a85894e91b7082407e08e7c231c8

  • SHA1

    f576ed4ae101088abcb2b6b9b0649b972b023546

  • SHA256

    f5fb7fa5231c18f0951c755c4cb0ec07b0889b5e320f42213cbf6bbbe499ad31

  • SHA512

    deada7181f11badc0d64d1cab50951eab6472c178382b2ceff52a8aae447578a97f640e4a74b34889146df7c435a2a29f72f140e50f8345543ef422e4cd41a44

  • SSDEEP

    12288:QmHAIqyfF/5ebyz1dpPlRnMRTD410ALP68kG3Jz4S9FUmnyJtgoiOHmabd8ornX3:HHRFfauvpPXnMKqJtfiOHmUd8QTH

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\cs-CZ\!!!HOW_TO_DECRYPT!!!.mht

Ransom Note
The note is a single-part MIME (MHT) file with a quoted-printable HTML body. Headers as stored in the file:

From: =?utf-8?B?0RFQctTF0YDQcNC60IXQvdC+IEludGVybmV0IED4cGxvseVyIDEz?= (the encoded word does not decode to valid UTF-8; kept as stored)
Subject: (empty)
Date: San, 00 Jan 2000 00:00:00 +0000
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft MimeOLE

HTML document properties: lang="ru", X-UA-Compatible IE=11.0000, generator MSHTML 11.00.10570.1001, title !!!HOW_TO_DECRYPT!!!, stylesheet link style.css.

Body, decoded from quoted-printable with the HTML markup removed. Wording is reproduced exactly as in the note, misspellings included, since they are useful for matching the note to other samples; the two e-mail addresses are redacted in the source.

All your valiable data has been encrypted!

Hello!
Sorry, but we have inform you that your order has been blocked due to the issue of securities. Make sure your data is not blocked. All your valuable files were encrypted with strong encryption algorithms AES-256 + RSA-2048 + CHACHA and renamed. You can read about these algorithms in Google. Your unique encryption key is stored securely on our server and your data can be decrypted quickly and securely.

We can prove that we can decrypt all of your data. Please just send us 3 small encrypted files which are randomly stored on your server. We will decrypt these files and send them to you as a proof. Please note that files for free test decryption should not contain valuable information.

As you know information is the most valuable resource in the world. That's why all of your confidential data was uploaded to our servers. If you need proof, just write us and we will show you that we have your files. If you will not start a dialogue with us in 72 hours we will be forced to publish your files in the Darknet. Your customers and partners will be informed about the data leak by email or phone.

This way, your reputation will be ruined. If you will not react, we will be forced to sell the most important information such as databases to interested parties to generate some profit.

Please understand that we are just doing our job. We don't want to harm your company. Think of this incident as an opportunity to improve your security. We are opened for dialogue and ready to help you. We are professionals, please don't try to fool us.

If you want to resolve this situation,
please write to ALL of these 2 email addresses:
[email protected]
[email protected]
In subject line please write your ID: 4318695357558267501

Important!
* We asking to send your message to ALL of our 2 email adresses because for various reasons, your email may not be delivered.
* Our message may be recognized as spam, so be sure to check the spam folder.
* If we do not respond to you within 24 hours, write to us from another email address. Use Gmail, Yahoo, Hotmail, or any other well-known email service.
Important
* Please don't waste the time, it will result only additinal damage to your company!
* Please do not try to decrypt the files yourself. We will not be able to help you if files will be modified.
URLs

(none; the only extracted string, `http-equiv=3D"X`, is the quoted-printable X-UA-Compatible attribute from the ransom note's HTML, a false positive of the URL extractor, not a network indicator. Nothing captured in this run supports the note's claim that data was uploaded beforehand.)

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware deletes Volume Shadow Copies so that files cannot be restored from previous versions. Here: `vssadmin.exe Delete Shadows /All /Quiet` (PID 3392), spawned by the sample.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

    Two bcdedit.exe calls from the sample: `recoveryenabled No` disables the Windows Recovery Environment, and `bootstatuspolicy ignoreallfailures` suppresses the automatic recovery prompt after a failed boot, so the victim cannot fall back to WinRE restore options. Both are reversible from an elevated prompt with the opposite values (`recoveryenabled Yes`, `bootstatuspolicy DisplayAllFailures`).
  • Renames multiple (658) files with added filename extension

    658 files were rewritten and renamed with an appended extension; the dropped-file list below shows it as `.1btc` (for example the CryptnetUrlCache\MetaData\*.1btc entries). This is the encryption-for-impact behaviour the ransom note describes.

  • Deletes System State backups 3 TTPs 2 IoCs

    Uses wbadmin.exe to remove Windows Server Backup system-state backups: `wbadmin DELETE SYSTEMSTATEBACKUP` (PID 5020) and the same with `-deleteOldest` (PID 2252). Another inhibit-system-recovery step alongside the shadow copy deletion.

  • Drops file in Drivers directory 13 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 39 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 13 IoCs

    13 vssadmin.exe invocations: 12 `Resize ShadowStorage` calls covering drives c: through h:, each drive first capped at `/maxsize=401MB` and then set back to `unbounded`, plus the `Delete Shadows /All /Quiet` call. Shrinking the shadow storage quota forces VSS to discard snapshots that no longer fit, so the resize alone destroys restore points even where the delete is blocked; restoring the quota to unbounded afterwards leaves the configuration looking normal.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f21a85894e91b7082407e08e7c231c8.exe
    "C:\Users\Admin\AppData\Local\Temp\6f21a85894e91b7082407e08e7c231c8.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:840
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
      2⤵
      • Interacts with shadow copies
      PID:3816
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4524
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:5080
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4344
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2816
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4964
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2536
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1636
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2740
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3044
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled No
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:3876
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:3392
    • C:\Windows\SYSTEM32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:5020
    • C:\Windows\SYSTEM32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:2252
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:2504
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1136
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3764
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
      2⤵
      • Interacts with shadow copies
      PID:4544
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\6F21A8~1.EXE >> NUL
      2⤵
        PID:1600
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1116
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
      1⤵
      • Drops file in System32 directory
      PID:2460
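The children of PID 840 form the usual inhibit-recovery chain (vssadmin, wbadmin, bcdedit, wmic) followed by self-deletion through cmd.exe. The following added example, not part of the report, scores process-creation events against that chain and groups hits by parent, so that one parent spawning several distinct recovery-inhibition commands surfaces as a single alert rather than a dozen low-value ones. SAMPLE_EVENTS is constructed from the PIDs and command lines in the tree above plus two benign admin lines; the rule names, the ATT&CK mapping and the threshold are the example's own.

```python
"""Flag the recovery-inhibition chain seen in the process tree.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from the report's process tree (PIDs and command lines copied from it, parent
PID taken from the depth markers); RULES, analyze() and the threshold are this
example's own, hypothetical names, not a vendor signature set.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    technique: str  # MITRE ATT&CK technique ID


# (rule name, ATT&CK technique, pattern over the full command line)
RULES = [
    ("vssadmin_delete_shadows", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I)),
    # Shrinking the quota makes VSS discard snapshots; the later "unbounded"
    # resize is part of the same technique, so both directions are matched.
    ("vssadmin_resize_shadowstorage", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*\s/maxsize=", re.I)),
    ("wmic_shadowcopy", "T1490",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\b", re.I)),
    ("wbadmin_delete_systemstate", "T1490",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+systemstatebackup\b", re.I)),
    ("bcdedit_disable_recovery", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignore_boot_failures", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    # Indicator removal: the dropper deleting its own on-disk copy.
    ("cmd_self_delete", "T1070.004",
     re.compile(r'\bcmd(?:\.exe)?"?\s+/c\s+del\b.*\.exe\b', re.I)),
]

# Constructed from the report's process tree (PID 840 is the sample itself);
# the last two events are benign admin commands that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(840, 0, r'"C:\Users\Admin\AppData\Local\Temp\6f21a85894e91b7082407e08e7c231c8.exe"'),
    ProcEvent(3816, 840, "vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB"),
    ProcEvent(4544, 840, "vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded"),
    ProcEvent(3876, 840, "bcdedit.exe /set {default} recoveryenabled No"),
    ProcEvent(3392, 840, "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(5020, 840, "wbadmin DELETE SYSTEMSTATEBACKUP"),
    ProcEvent(2252, 840, "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"),
    ProcEvent(2504, 840, "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(1136, 840, "wmic.exe SHADOWCOPY /nointeractive"),
    ProcEvent(1600, 840, r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\6F21A8~1.EXE >> NUL'),
    ProcEvent(7001, 7000, "vssadmin.exe List Shadows"),
    ProcEvent(7002, 7000, "wbadmin get versions"),
]


def match_event(ev: ProcEvent) -> list[Finding]:
    """All rules whose pattern matches this event's command line."""
    return [Finding(ev.pid, name, tech) for name, tech, rx in RULES if rx.search(ev.cmdline)]


def analyze(events: list[ProcEvent], min_rules: int = 3) -> tuple[list[Finding], dict[int, list[str]]]:
    """Return every finding, plus parents whose children trip >= min_rules distinct T1490 rules.

    Grouping by parent is what turns a dozen vssadmin lines into one alert on
    the process that spawned them (here the sample, PID 840).
    """
    findings = [f for ev in events for f in match_event(ev)]
    ppid_of = {ev.pid: ev.ppid for ev in events}
    rules_by_parent: dict[int, set[str]] = {}
    for f in findings:
        if f.technique == "T1490":
            rules_by_parent.setdefault(ppid_of.get(f.pid, -1), set()).add(f.rule)
    suspects = {p: sorted(r) for p, r in rules_by_parent.items() if len(r) >= min_rules}
    return findings, suspects


if __name__ == "__main__":
    findings, suspects = analyze(SAMPLE_EVENTS)
    for f in findings:
        print(f"pid={f.pid} {f.technique} {f.rule}")
    for parent, rules in suspects.items():
        print(f"ALERT inhibit-system-recovery chain from parent pid={parent}: {', '.join(rules)}")
```

A single `vssadmin Resize ShadowStorage` is noisy on its own (backup software and admins run it), which is why the verdict keys on several distinct rules under one parent rather than on any one command line; the `wmic shadowcopy` rule fires on the enumeration form too, since the report shows it invoked without a `delete` verb.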

    Network

    (no entries in this extract)

    MITRE ATT&CK Enterprise v15

    (technique mapping not included in this extract; the TTP counts appear next to each signature above)

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.1btc

      Filesize

      814B

      MD5

      9f2408a11e7bc711877aabf9af56de1b

      SHA1

      a3c6e414099bb5bdc1664fbf9b6b6acb93701882

      SHA256

      5a2dd4cbfd5c46eecdd0d86bf8978594ae36b43280ef9bec5bb6684dadf86120

      SHA512

      bf1fdfb8d8f16ec59bdb9820444626fb39a086b5964812de11e4ccaeeb33dbdce28580542a170347a3abee6d49fb8b1eb60d27fc339594b590787fdcf020fb24

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.1btc

      Filesize

      842B

      MD5

      691ebb1dfe759b548dd1357d25fd8c86

      SHA1

      f0992786df064f123d4ea6aff5f5a24641457241

      SHA256

      358f60463925cd51bea7153c0708eb3cd65f5de4fc07d4bddfaf4d6d2cd1d1bd

      SHA512

      f8c07b09d0f1ffe6808da442b20a42144017dc4229c162293bdac16d1f85bb41cd31664b0d203c81ec52e3f62f1c143709bf7a6e66541b902411c3749f61254f

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F.1btc

      Filesize

      700B

      MD5

      dec635a5fa2389432a94620c5a598318

      SHA1

      cda225ce6ee41264050c19233e084a3802cc7d94

      SHA256

      027c4de46cb81cbb84e4bf09fd450d30a1291eec738daca73b26e93da1243710

      SHA512

      0333efc2bbae6734b56fcf8cec9bccdfdcd00e77fc5f83aac15069c3a5156c9d69ce3248920f0396f92a5e64929a15b203b166e9982bf697d0718c0fdb2ae743

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7.1btc

      Filesize

      770B

      MD5

      19ccaea6e352273aff2c8f1c04088a7f

      SHA1

      697da24c4894e41b08885954285eb99756a31c8b

      SHA256

      ee6256401ffa16ee18c720dc62508885b752d8ac59b24a643548d72cfc03be90

      SHA512

      b054184d23dca084a7ad2d93c68282357be195fd16d6a5967ea1ea45713d1c43137d87d5b631bd449aaf997a10204c6a3b0584e5ab3e5007643491c5f425c0ea

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.1btc

      Filesize

      842B

      MD5

      ff8c56c176101af09d10784495c846e0

      SHA1

      c2f7f6e3ae0716d37e7d172b209666b28be16219

      SHA256

      75819e0be3be6ffded1df1865b29ffd7b93e121ced104c4b035a90784a7c8dc2

      SHA512

      6b4d4c184f26d9690e0b3a6351fe0ce5a8b0464a89409d79032c9d04f463ad7775529ec9ae2c01339a3744415c1ff9f01cdc1012be436b752e2bb0ba6565aeaa

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB5E2F83CE9B8330B0590B7CD2E5FF2E.1btc

      Filesize

      782B

      MD5

      a1131b4c823d44a0aaa5a88656fff0e4

      SHA1

      d097aedb5c000ac51c4327374e0709e3ca68b375

      SHA256

      553bc4721692c68ad497f131e16c6609e8ece96fe000a9a88bf36d4c03e51e74

      SHA512

      8c7e55261469ef985b5e1565eb1222500d64b40ce9d31c7997830c5535799e2f8f52c7038105f914cd7dbb2b46912e70fb393557b973fcbab8cdf0d43759e348

    • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

      Filesize

      850B

      MD5

      b74058ae35c7467534f9be6e4e3eca3d

      SHA1

      a9943d479c0ba953fcb4584f539649a2050e495c

      SHA256

      4944826761569582516d606d28555954dd5deba377f6dc7ba1850f0c3aa2cbee

      SHA512

      d0790ce8da5369c1dd26123ff85d29dba6aea6e85d4af02dad4d28be7304cc51068c98ff9a47db0546df025d7f8862aca141aa331ff15d4b7eab39bf93bf7f3c

    • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

      Filesize

      290B

      MD5

      ecf1a04b526b80a73ef024c15b7c8a4c

      SHA1

      4768f6c16722a03ab49225deab764c5295b01121

      SHA256

      b353f07bb52b61ed0c574551ab04e0b6da62f19f31edf9634b805e1490f9404d

      SHA512

      3191238e93fe6816b507a04c5d8dee6caa45a65e3ec533e1bca0557afa131cba718587b6f7a98e00d94101970cf01eb78e47da3affb1ebb1a438d90b3f912123

    • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

      Filesize

      330B

      MD5

      0c49030f83a3a145042110a424cb2037

      SHA1

      9223ccb56ee4ffae2fe2f61af070aa51a4eeea3e

      SHA256

      50122746853fd24589938b0516a7c3002df0d540923342b49e9ed862ddf62c78

      SHA512

      559ae8c8e4ab7baa408242e9d06166f3916e6ac84415bf5b8f9f68bb1290f6f0abd8dc34f664bdceaabf7fd7be53dbbb8bff13cb51d89a6e70a2f93e2765644a

    • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht

      Filesize

      1KB

      MD5

      a7c32371ff48b1f9d0295c2bfe403144

      SHA1

      991596fa732059ef5fd83c01eaf83f447eb3afef

      SHA256

      575f11cc26637ea1c4e60667aa0222e57222a12246f7386faae4780cf8d1ffea

      SHA512

      88ac4c25d86129985a40966ebde9d2263dd33b805b649ff4804d25a9004147295990701a6a963376fbecb84f218584f1d992e98c83b85a2d110d0fc8ca0d8f2f

    • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.1btc

      Filesize

      802B

      MD5

      b918f3aa99b1385c8b9f73710b5a5f59

      SHA1

      f3a5618702f1af6d89cc40defbb97ba00d6b762d

      SHA256

      baab7c3f36981fdfbfea528d5608f07370a5c4dec44a9eb93aa6b347b72265c5

      SHA512

      a47b64b42baebe56e6b89b7891c3c5d3b716352898e9dac5e18058c32a85dbb9a07cbfbaedac2b7097516415cce8018d7cfd7f704cd3cbd411ba4e0a2c62a5f3

    • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.1btc

      Filesize

      842B

      MD5

      21ea3b368c5607e4a24f1375e5020379

      SHA1

      efe61228cbf02522ce4abbd8d899abe48d7a46cb

      SHA256

      8fcf7e8488db6e8bf1666abcd2564719a8a08673fea2d2badb924d6027822410

      SHA512

      4dbc2f7250c9374471a45ad09ce25d940ca2ffcb4b31c135305a67264bcdf340b207077b1475737df45707ba8b1869479cf4529278f3da63d1c78be8c61676ce

    • \Device\HarddiskVolume1\Boot\cs-CZ\!!!HOW_TO_DECRYPT!!!.mht

      Filesize

      4KB

      MD5

      3b0ad5d99ae2ee41963e95417601a566

      SHA1

      41b4b53a2ea197b2de7df715df385e8bd38d9ba2

      SHA256

      a5d4cd8251a31748fc26ed6bd87d522a899938f6171f266b80473f1f53412a69

      SHA512

      114664e22dd2fe15bd17f0bd73cd1bbb57f7313187730ef4071b65811e316991c50be659e82a095429f07c33291e307f96ca5cd9f9679d8d33aa6c1e406e1944

    • memory/2460-868-0x0000024D750A0000-0x0000024D750B0000-memory.dmp

      Filesize

      64KB

    • memory/2460-862-0x0000024D74F40000-0x0000024D74F50000-memory.dmp

      Filesize

      64KB