Analysis

  • max time kernel
    59s
  • max time network
    65s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/03/2024, 19:15

Errors

Reason
Machine shutdown

General

  • Target

    0adde4246aaa9fb3964d1d6cf3c29b1b13074015b250eb8e5591339f92e1e3ca.exe

  • Size

    224KB

  • MD5

    8a23347b733420472a1ec0a1eeada597

  • SHA1

    21eae7e488b145fa3618627da99c3234696c0f15

  • SHA256

    0adde4246aaa9fb3964d1d6cf3c29b1b13074015b250eb8e5591339f92e1e3ca

  • SHA512

    f667fe8d23482226241fd7a9cae66327a4bc2317ec01bffddb1243b936a44e0ec7a2a809f75e3e3cb02c3b9415df2401a6b2fe598251079472481114e0ce9b5e

  • SSDEEP

    3072:FnS2A9r4wpzL3syZUmMkZFfAQ2FUAElR8MRC3KevxEwYSidYj6zxe8pxU4iR:ZSFr4EzLvC1kP4Q7XlR8MRCXYZR5c/R

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Music\Readme.f58A66B51.txt

Ransom Note
!!! DoNex ransomware warning !!!

>>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom Links for Tor Browser: http://g3h3klsev3eiofxhykmtenmdpi67wzmaixredk5pjuttbx7okcfkftqd.onion

>>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment.

>>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. You can install qtox to contanct us online https://tox.chat/download.html Tox ID Contact: 2793D009872AF80ED9B1A461F7B9BD6209744047DC1707A42CB622053716AD4BA624193606C9 Mail (OnionMail) Support: [email protected]

>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!

>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again!
URLs

http://g3h3klsev3eiofxhykmtenmdpi67wzmaixredk5pjuttbx7okcfkftqd.onion

https://tox.chat/download.html

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (150) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 48 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 5 IoCs
  • Runs ping.exe 1 TTPs 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0adde4246aaa9fb3964d1d6cf3c29b1b13074015b250eb8e5591339f92e1e3ca.exe
    "C:\Users\Admin\AppData\Local\Temp\0adde4246aaa9fb3964d1d6cf3c29b1b13074015b250eb8e5591339f92e1e3ca.exe"
    1⤵
    • Enumerates connected drives
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "wmic shadowcopy delete /nointeractive"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2420
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1724
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "vssadmin Delete Shadows /All /Quiet"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1828
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2360
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\ProgramData\1.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:3648
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im sql*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4628
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im oracle*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5092
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im mysq*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1580
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im chrome*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2264
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im veeam*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4592
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im firefox*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3204
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im excel*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4480
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im msaccess*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3428
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im onenote*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4768
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im outlook*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5016
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im powerpnt*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4652
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im winword*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:456
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im wuauclt*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4128
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:272
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im sql*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2104
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im oracle*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4328
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im mysq*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3604
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im chrome*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3048
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im veeam*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3220
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im firefox*
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4088
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im excel*
        3⤵
        • Kills process with taskkill
        PID:4132
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im msaccess*
        3⤵
        • Kills process with taskkill
        PID:3644
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im onenote*
        3⤵
        • Kills process with taskkill
        PID:1660
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im outlook*
        3⤵
        • Kills process with taskkill
        PID:2600
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im powerpnt*
        3⤵
        • Kills process with taskkill
        PID:2184
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im winword*
        3⤵
        • Kills process with taskkill
        PID:4380
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im wuauclt*
        3⤵
        • Kills process with taskkill
        PID:4472
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:3224
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im sql*
        3⤵
        • Kills process with taskkill
        PID:2456
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im oracle*
        3⤵
        • Kills process with taskkill
        PID:4964
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im mysq*
        3⤵
        • Kills process with taskkill
        PID:2192
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im chrome*
        3⤵
        • Kills process with taskkill
        PID:112
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im veeam*
        3⤵
        • Kills process with taskkill
        PID:3876
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im firefox*
        3⤵
        • Kills process with taskkill
        PID:4912
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im excel*
        3⤵
        • Kills process with taskkill
        PID:4176
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im msaccess*
        3⤵
        • Kills process with taskkill
        PID:3052
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im onenote*
        3⤵
        • Kills process with taskkill
        PID:3568
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im outlook*
        3⤵
        • Kills process with taskkill
        PID:4396
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im powerpnt*
        3⤵
        • Kills process with taskkill
        PID:4476
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im winword*
        3⤵
        • Kills process with taskkill
        PID:2696
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im wuauclt*
        3⤵
        • Kills process with taskkill
        PID:1196
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:3304
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im sql*
        3⤵
        • Kills process with taskkill
        PID:1176
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im oracle*
        3⤵
        • Kills process with taskkill
        PID:4032
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im mysq*
        3⤵
        • Kills process with taskkill
        PID:5020
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im chrome*
        3⤵
        • Kills process with taskkill
        PID:1660
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im veeam*
        3⤵
        • Kills process with taskkill
        PID:2224
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im firefox*
        3⤵
        • Kills process with taskkill
        PID:3044
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im excel*
        3⤵
        • Kills process with taskkill
        PID:4376
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im msaccess*
        3⤵
        • Kills process with taskkill
        PID:2240
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "taskkill /f /im cmd.exe & taskkill /f /im conhost.exe"
      2⤵
      PID:1452
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im cmd.exe
        3⤵
        • Kills process with taskkill
        PID:952
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "ping 127.0.0.1 & del C:\ProgramData\1.bat & del C:\Users\Admin\AppData\Local\Temp\0adde4246aaa9fb3964d1d6cf3c29b1b13074015b250eb8e5591339f92e1e3ca.exe & shutdown -r -f -t 0"
      2⤵
      PID:3552
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2472
      • C:\Windows\SysWOW64\shutdown.exe
        shutdown -r -f -t 0
        3⤵
        PID:2320
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 1028
      2⤵
      • Program crash
      PID:4196
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5104
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2736 -ip 2736
    1⤵
    PID:2948
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3961055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:412

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\1.bat

    Filesize

    385B

    MD5

    4a4d03743fd3a7ee1d03d89d0e3b8011

    SHA1

    127d72408c87d866c72331fb0f16d13fef6a92ec

    SHA256

    2b15e09b98bc2835a4430c4560d3f5b25011141c9efa4331f66e9a707e2a23c0

    SHA512

    d26e5865bef6a7c7a5991c34ef8c0ae7e4c78c40b5f0c68f3490e89de50401e13e53321ee98def52ee7da390bcd3eb895f3ec1485a50cd63c94f0b640e1cfa60

  • C:\Users\Admin\Music\Readme.f58A66B51.txt

    Filesize

    1KB

    MD5

    fc7bfcccede2ded230fd7232e98a88ab

    SHA1

    5618256ed1efa84e0e114c73bf9386b8e0bd5402

    SHA256

    3e3ad61d467d38c0ca3cff1b3ea6280cebb71c775ef1b86f9aacaaa6ef5ae85d

    SHA512

    12cbf36161b30455d97c5ad105d6cba2fc02ec32a2aca364b352bc65560d6ccac0ef4440a6b04f9973606212611af0adae8ff090908f185f4d18b1abcd35df84