Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-03-2024 04:10

General

  • Target

    3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe

  • Size

    153KB

  • MD5

    35560fff8fc990948a9252bf20cfc8f5

  • SHA1

    66163cb283c8792ac32c0e2361adc7143d8d319d

  • SHA256

    3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1

  • SHA512

    9bf7b5aeec71b74012fa36d2af4dc4704e859a564cfbf3b35e44b1af8195a9885292c22a9297b691903c3245a6fae85746590988706e6a4d5dab29937ac13d77

  • SSDEEP

    3072:j6glyuxE4GsUPnliByocWepvdHFdjFpZ/fgyVF0djk:j6gDBGpvEByocWetdHZ/fgKF0

Malware Config

Extracted

Path

C:\cHpfiXA9s.README.txt

Ransom Note
~~~ XeqtR Ransomeware The world's fastest ransomware ~~~ >>>> Your data is now stolen and encrypted, pleaes read the following carefully, as it is in your best interest. We are sorry to inform you that a Ransomware Virus has taken control of your computer. ALL of your important files and folders on your computer have been encrypted with a military grade encryption algorithm. Your documents, videos, images and every other forms of data are now inaccessible and completely locked, and cannot be unlocked without the sole decryption key, in which we are the ONLY ones in possession of this key. This key is currently being stored on a remote server. To acquire this key and have all files restored, transfer the amount of 500 USD in the cryptocurrency BITCOIN to the below specified bitcoin wallet address before the time runs out. Once you have read this you now have 36 hours until your files are lost forever. If you fail to take action within this time window, the decryption key will be destroyed and access to your files will be permanently lost. If you are not familiar with cryptocurrency and bitcoin, just do a google search, visit bitcoin.org, go on your mobile to Cash App, or pretty much just ask someone and most likely they can explain it. Once again, 500 USD in the form of Bitcoin to this wallet address bc1q8wqyacjzzvrn57d2g7aj35lnr5r8fqv0dn0394 The second you have sent the bitcoin and the transaction verifies another text file will appear on your desktop with the website to get your key, and the simple instructions on how to use it to get your files back. 36 hours starts now, we suggest you do not waste time. For any reason you should need customer service, email [email protected]

Signatures

  • Renames multiple (9338) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) (3 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Modifies Control Panel (2 IoCs)
  • Modifies registry class (5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: RenamesItself (26 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
    "C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe"
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Program Files directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\ProgramData\8353.tmp
      "C:\ProgramData\8353.tmp"
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:704
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8353.tmp >> NUL
        PID:1960

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1650401615-1019878084-3673944445-1000\desktop.ini (129B)
  • C:\ProgramData\cHpfiXA9s.ico (14KB)
  • C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC (153KB)
  • C:\cHpfiXA9s.README.txt (1KB)
  • F:\$RECYCLE.BIN\S-1-5-21-1650401615-1019878084-3673944445-1000\DDDDDDDDDDD (129B)
  • \ProgramData\8353.tmp (14KB)

  • memory/704-13621-0x0000000000400000-0x0000000000407000-memory.dmp (28KB)
  • memory/704-13623-0x0000000000310000-0x0000000000350000-memory.dmp (256KB)
  • memory/704-13624-0x0000000000310000-0x0000000000350000-memory.dmp (256KB)
  • memory/704-13632-0x000000007EF80000-0x000000007EF81000-memory.dmp (4KB)
  • memory/704-13633-0x000000007EF20000-0x000000007EF21000-memory.dmp (4KB)
  • memory/704-13634-0x000000007EFA0000-0x000000007EFA1000-memory.dmp (4KB)
  • memory/704-13657-0x0000000000400000-0x0000000000407000-memory.dmp (28KB)
  • memory/704-13656-0x000000007EF40000-0x000000007EF41000-memory.dmp (4KB)
  • memory/2208-0-0x0000000000CF0000-0x0000000000D30000-memory.dmp (256KB)