Overview

overview

10

Static

static

10

3e5ca77f29...dc.exe

windows7-x64

10

3e5ca77f29...dc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    01/02/2024, 07:31

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    3e5ca77f299d56fad7ebca8259eecd6f47efce6265e8ed621e7b7081f9230cdc.exe

  • Size

    270KB

  • MD5

    ef2b61de2c6f393844e1de9ad7ffa3d4

  • SHA1

    d3e04a5e5154d8cb5051dda8e73c75e241265082

  • SHA256

    3e5ca77f299d56fad7ebca8259eecd6f47efce6265e8ed621e7b7081f9230cdc

  • SHA512

    f5e5400874e19a1018e7ecb807f2eb56ef83d9cdfa2c977efe9094a362a830da00f753865616590461dc2a859359e839f04fa132ab601e38e8fe39927794ccd1

  • SSDEEP

    6144:XqohGYel4VQg/U+Dgx3bMAVVzddi6jWGPxF:XqoglK53DgZMSVFjW0x

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Contacts\Data breach warning.txt

Ransom Note
# RA World ---- ## Notification Your data are stolen and encrypted when you read this letter. We have copied all data to our server. Don't worry, your data will not be made public if you do what I want. But if you don't pay, we will release the data, contact your customers and regulators and destroy your system again. We can decrypt some files to prove that the decrypt tool works correctly. ## What we want? Contact us, pay for ransom. If you pay, we will provide you the programs for decryption and we will delete your data where on our servers. If not, we will leak your datas and your company will appear in the shame list below. If not, we will email to your customers and report to supervisory authority. ## How contact us? We use qTox to contact, you can download qTox from office website: https://qtox.github.io Our qTox ID is: 358AC0F6C813DD4FD243524F040E2F77969278274BD8A8945B5041A249786E32CC784580F2EC We have no other contacts. If there is no contact within 3 days, you will appear on our website and we will make sample files public. If there is no contact within 7 days, we will stop communicating and release data in batches. The longer time, the higher ransom. ## RA World Office Site: [Permanent address] http://raworldw32b2qxevn3gp63pvibgixr4v75z62etlptg3u3pmajwra4ad.onion [Temporary address] http://161.35.200.18 ## Sample files release link: Sample files: https://gofile.io/d/ufuFye ## Unpay Victim Lists *** You'll be here too if you don't pay! *** *** More and more people will get your files! *** [NIDEC GPM GmbH] [Die Unfallkasse Th�ringen] [HALLIDAYS GROUP LIMITED] [Rockford Gastroenterology Associates] [Di Martino Group] [Alablaboratoria] [Comer] [Informist Media] [SUMMIT VETERINARY PHARMACEUTICALS LIMITED] [Chung Hwa Chemical Industrial Works] [Aceromex] [247ExpressLogistics] [Yuxin Automobile Co.Ltd] [Piex Group] [Zurvita] [BiscoIndustries] [Decimal Point Analytics Pvt] [DeepNoid] [Eastern Media International Corporation] [EyeGene] [Insurance Providers Group] [Thaire] [Wealth Enhancement Group] You can use Tor Browser to open .onion url. Ger more information from Tor office website: https://www.torproject.org
URLs

https://qtox.github.io

http://raworldw32b2qxevn3gp63pvibgixr4v75z62etlptg3u3pmajwra4ad.onion

http://161.35.200.18

https://gofile.io/d/ufuFye

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (212) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e5ca77f299d56fad7ebca8259eecd6f47efce6265e8ed621e7b7081f9230cdc.exe
    "C:\Users\Admin\AppData\Local\Temp\3e5ca77f299d56fad7ebca8259eecd6f47efce6265e8ed621e7b7081f9230cdc.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2400
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2720
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1580
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2816

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\Contacts\Data breach warning.txt
          Filesize

          2KB

          MD5

          e7264a4c331eac851fa75438919e0531

          SHA1

          38f6dc2b0c5e86d38c2a9bd7f5aaf4447be97a61

          SHA256

          07ab218d5c865cb4fe78353340ab923e24a1f2881ec7206520651c5246b1a492

          SHA512

          f8aca867b199f5494dbc6919423788533b4b55f249ac1ab2707c38788212b585eb39234be74d1f2b039d00ee096b5d2036c1066e19e4fa304b048ffb61ca1edb

          Download Submit