Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-03-2024 19:17

General

  • Target

    cc3652c078fa2bdfbbfae33335c30bda.exe

  • Size

    1.2MB

  • MD5

    cc3652c078fa2bdfbbfae33335c30bda

  • SHA1

    b3d3ad0c2c9d526717f55c431d51c2f1e957325b

  • SHA256

    0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad

  • SHA512

    d027e1df8c10516b81e47ef840f0e2baf971c0e0c4e77ff0fdc0122bbbb66ed210fd78336cb40d05c76d91838ae89ebb3304050dbf7fb7eeec73d47d1d26ec3d

  • SSDEEP

    12288:QKMzISi3LAStu+KxSgNrc+YCiYKjqxJUZGhEzXMOalwmtnvXigwwdAnIK4RHLrog:vMsSibWXpNrcVEnvXigwwdAIK4R/W3

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\cs-CZ\!!!HOW_TO_DECRYPT!!!.mht

Ransom Note
From: =?utf-8?B?0RFQctTF0YDQcNC60IXQvdC+IEludGVybmV0IED4cGxvseVyIDEz?=
Subject:
Date: San, 00 Jan 2000 00:00:00 +0000
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft MimeOLE

[Body below is the quoted-printable HTML decoded and tag-stripped; wording and spelling kept exactly as in the sample. Document attributes: <HTML lang="ru">, <TITLE>!!!HOW_TO_DECRYPT!!!</TITLE>, META X-UA-Compatible IE 11.0000, GENERATOR MSHTML 11.00.10570.1001, stylesheet style.css.]

All your valiable data has been encrypted!

Hello!
Sorry, but we have inform you that your order has been blocked due to the issue of securities. Make sure your data is not blocked. All your valuable files were encrypted with strong encryption algorithms AES-256 + RSA-2048 + CHACHA and renamed. You can read about these algorithms in Google. Your unique encryption key is stored securely on our server and your data can be decrypted quickly and securely.

We can prove that we can decrypt all of your data. Please just send us 3 small encrypted files which are randomly stored on your server. We will decrypt these files and send them to you as a proof. Please note that files for free test decryption should not contain valuable information.

As you know information is the most valuable resource in the world. That's why all of your confidential data was uploaded to our servers. If you need proof, just write us and we will show you that we have your files. If you will not start a dialogue with us in 72 hours we will be forced to publish your files in the Darknet. Your customers and partners will be informed about the data leak by email or phone.

This way, your reputation will be ruined. If you will not react, we will be forced to sell the most important information such as databases to interested parties to generate some profit.

Please understand that we are just doing our job. We don't want to harm your company. Think of this incident as an opportunity to improve your security. We are opened for dialogue and ready to help you. We are professionals, please don't try to fool us.

If you want to resolve this situation,
please write to ALL of these 2 email addresses:
[email protected]
[email protected]
In subject line please write your ID: 2537304393796936756

Important!
* We asking to send your message to ALL of our 2 email adresses because for various reasons, your email may not be delivered.
* Our message may be recognized as spam, so be sure to check the spam folder.
* If we do not respond to you within 24 hours, write to us from another email address. Use Gmail, Yahoo, Hotmail, or any other well-known email service.
Important
* Please don't waste the time, it will result only additinal damage to your company!
* Please do not try to decrypt the files yourself. We will not be able to help you if files will be modified.
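The extracted note is a .mht file: a MIME message whose HTML body is quoted-printable encoded (`=3D` stands for `=`, `=20` is a trailing space, `=EF=BB=BF` is the UTF-8 BOM, and a bare `=` at line end is a soft line break). The Python below is an added example, not part of this sandbox report or of the sample, showing how to decode a note of this shape and pull out the fields a triage analyst keys on: the victim ID, the contact addresses, the claimed cipher suite, the `lang` attribute and the RFC 2047 From header. The embedded sample is constructed to mirror the structure above with abridged wording; the contact addresses are invented and the ID is the one from this report.

```python
import email
import email.header
import re
from html.parser import HTMLParser

# Constructed sample modelled on the extracted note above: MIME headers, a
# quoted-printable HTML body with a BOM (=EF=BB=BF), "=20" soft spaces at line
# ends and one "=" soft line break. Wording abridged; the contact addresses are
# invented, the ID is the one listed in the report.
SAMPLE_MHT = """\
From: =?utf-8?B?U2F2ZWQgYnkgSW50ZXJuZXQgRXhwbG9yZXIgMTE=?=
Subject:
Date: Sun, 00 Jan 2000 00:00:00 +0000
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft MimeOLE

=EF=BB=BF<!DOCTYPE HTML>=20
<HTML lang=3D"ru">=20
<HEAD><TITLE>!!!HOW_TO_DECRYPT!!!</TITLE></HEAD>=20
<BODY>=20
<p><b>All your valiable data has been encrypted!</b></p><BR>=20
<p>All your valuable files were encrypted with strong encryption algorithms AES-256 + =
RSA-2048 + CHACHA and renamed.</p>=20
<p><b>please write to ALL of these 2 email addresses:<BR>=20
decrypt-example@example.com<BR>decrypt-backup@example.org<BR>In subject line please =
write your ID: 2537304393796936756</b></p>=20
</BODY></HTML>
"""


class _TextExtractor(HTMLParser):
    """Collects text nodes, turning <br> and <p> into line breaks."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("br", "p"):
            self.parts.append("\n")

    def handle_data(self, data):
        self.parts.append(data)


def html_to_text(doc):
    ex = _TextExtractor()
    ex.feed(doc)
    ex.close()
    lines = [" ".join(line.split()) for line in "".join(ex.parts).splitlines()]
    return "\n".join(line for line in lines if line)


def parse_ransom_note(raw):
    """Decode an .mht ransom note and return the triage fields."""
    msg = email.message_from_string(raw)
    body = msg.get_payload(decode=True)          # undoes quoted-printable
    charset = msg.get_content_charset() or "utf-8"
    doc = body.decode(charset).lstrip("\ufeff")  # drop the BOM
    saved_by = str(email.header.make_header(
        email.header.decode_header(msg.get("From", ""))))
    text = html_to_text(doc)
    lang = re.search(r'<html\s+lang="([^"]+)"', doc, re.I)
    title = re.search(r"<title>(.*?)</title>", doc, re.I | re.S)
    victim_id = re.search(r"\bID:\s*(\d+)", text)
    algos = re.search(r"algorithms\s+(.+?)\s+and\b", text)
    return {
        "saved_by": saved_by,
        "lang": lang.group(1) if lang else None,
        "title": title.group(1).strip() if title else None,
        "victim_id": victim_id.group(1) if victim_id else None,
        "contacts": re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", text),
        "claimed_algorithms": algos.group(1) if algos else None,
        "text": text,
    }


if __name__ == "__main__":
    for key, value in parse_ransom_note(SAMPLE_MHT).items():
        print(f"{key}: {value}")
```

The victim ID and contact addresses are what you pivot on across samples and leak sites; the `lang="ru"` attribute and the MSHTML generator string say the note was saved from a Russian-locale Internet Explorer rather than generated by the encryptor at run time, which is a useful clustering feature on its own.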
URLs

http-equiv=3D"X

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (624) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes System State backups 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Drops file in Drivers directory 13 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 39 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 13 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc3652c078fa2bdfbbfae33335c30bda.exe
    "C:\Users\Admin\AppData\Local\Temp\cc3652c078fa2bdfbbfae33335c30bda.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2392
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
      2⤵
      • Interacts with shadow copies
      PID:2316
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
      2⤵
      • Interacts with shadow copies
      PID:688
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1812
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2284
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:952
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1096
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3692
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2616
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4636
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:220
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4380
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:812
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:2972
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled No
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:3508
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:3048
    • C:\Windows\SYSTEM32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:3216
    • C:\Windows\SYSTEM32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:1448
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1732
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\CC3652~1.EXE >> NUL
      2⤵
        PID:2476
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4764
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
      1⤵
        PID:2248
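The child processes above are the complete inhibit-recovery sequence from one parent: the paired `Resize ShadowStorage` calls per drive (shrink to 401MB, then back to unbounded) evict existing snapshots by starving the diff area, `Delete Shadows /All /Quiet` and the WMIC `SHADOWCOPY` call remove what is left, `bcdedit` turns off Windows Recovery and the boot-failure prompt, `wbadmin` deletes the System State backups, and a final `cmd /c del` removes the dropper through its 8.3 short name. The Python below is an added detection example, not part of this sandbox report: it runs command-line rules over constructed Sysmon Event ID 1-style records built from this tree (plus one constructed admin console that rotates a backup), groups hits by parent PID, and maps them to ATT&CK T1490 (Inhibit System Recovery) and T1070.004 (Indicator Removal: File Deletion). Field names, rule names and the two-hit threshold are my choices.

```python
import ntpath
import re
from collections import defaultdict

# Constructed Sysmon Event ID 1-style records built from the process tree in this
# report (PIDs and command lines as listed), plus one admin console (PID 4000) that
# runs a single backup-rotation command, to show the scoring difference.
EVENTS = [
    {"pid": 2392, "ppid": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\cc3652c078fa2bdfbbfae33335c30bda.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\cc3652c078fa2bdfbbfae33335c30bda.exe"'},
    {"pid": 2316, "ppid": 2392, "image": r"C:\Windows\SYSTEM32\vssadmin.exe",
     "cmdline": "vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB"},
    {"pid": 688, "ppid": 2392, "image": r"C:\Windows\SYSTEM32\vssadmin.exe",
     "cmdline": "vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded"},
    {"pid": 2972, "ppid": 2392, "image": r"C:\Windows\SYSTEM32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 3508, "ppid": 2392, "image": r"C:\Windows\SYSTEM32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"pid": 3048, "ppid": 2392, "image": r"C:\Windows\SYSTEM32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 3216, "ppid": 2392, "image": r"C:\Windows\SYSTEM32\wbadmin.exe",
     "cmdline": "wbadmin DELETE SYSTEMSTATEBACKUP"},
    {"pid": 1732, "ppid": 2392, "image": r"C:\Windows\System32\Wbem\wmic.exe",
     "cmdline": "wmic.exe SHADOWCOPY /nointeractive"},
    {"pid": 2476, "ppid": 2392, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\CC3652~1.EXE >> NUL'},
    {"pid": 4000, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"},
]

# (rule name, ATT&CK technique, command-line pattern); case-insensitive so that
# "SHADOWCOPY", "Shadows" and "DELETE" all match.
RULES = [
    ("vss_delete",       "T1490", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_resize",       "T1490", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy",  "T1490", re.compile(r"wmic(\.exe)?\s+shadowcopy", re.I)),
    ("bcd_recovery_off", "T1490", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("bcd_ignore_fail",  "T1490", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("wbadmin_delete",   "T1490", re.compile(r"wbadmin(\.exe)?\s+delete\s+(systemstatebackup|catalog|backup)", re.I)),
]
RECOVERY_TAGS = {name for name, tech, _ in RULES if tech == "T1490"}


def classify(cmdline):
    """Names of the rules a single command line trips."""
    return {name for name, _, rx in RULES if rx.search(cmdline)}


def deletes_parent_file(parent_image, cmdline):
    """True when a 'del' target lives in the parent's own directory. The sample
    deletes itself via an 8.3 short name, so compare directories, not file names."""
    m = re.search(r"\bdel\s+(\S+)", cmdline, re.I)
    if not m:
        return False
    return ntpath.dirname(m.group(1)).lower() == ntpath.dirname(parent_image).lower()


def analyze(events):
    """Group child-process hits under each parent PID present in the event set."""
    by_pid = {e["pid"]: e for e in events}
    findings = defaultdict(lambda: {"tags": set(), "techniques": set(), "children": 0})
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        f = findings[e["ppid"]]
        f["children"] += 1
        tags = classify(e["cmdline"])
        if deletes_parent_file(parent["image"], e["cmdline"]):
            tags.add("self_delete")
            f["techniques"].add("T1070.004")
        f["tags"] |= tags
        f["techniques"] |= {tech for name, tech, _ in RULES if name in tags}
    return dict(findings)


def verdict(finding):
    """Two or more distinct recovery-inhibiting commands from one parent is the
    ransomware signal; a lone wbadmin or vssadmin call is routine admin noise."""
    hits = finding["tags"] & RECOVERY_TAGS
    if len(hits) >= 2:
        return "ransomware_like"
    return "suspicious" if hits else "benign"


if __name__ == "__main__":
    for ppid, f in analyze(EVENTS).items():
        print(ppid, verdict(f), sorted(f["tags"]), sorted(f["techniques"]))
```

The single `wbadmin ... -deleteOldest` under the constructed admin console scores only as suspicious; grouping by parent is the point, because one process issuing several distinct recovery-inhibiting commands in a short window is the signal, not any one of them. After containment the BCD changes are reverted with `bcdedit /set {default} recoveryenabled Yes` and `bcdedit /set {default} bootstatuspolicy DisplayAllFailures`; the shadow copies and System State backups are gone and have to be restored from offline backups.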

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.gpay

        Filesize

        850B

        MD5

        78779818b95f1b220fbd0888d08ccfec

        SHA1

        1a3839e110dc31063696970d3e017ed0a21665bd

        SHA256

        5ecf0da8f8a50e4b638b84110a643e160b531c8fe1d7af0b8d04a276d5cc9362

        SHA512

        4cd0ee045c28044bc3b2fc5cfcd7686f5047a78033de1b8d303ce31dbfe799b41014f909343a472610f2eeb03d1df8566bf9ba28b65cdeb3c25bd8cea6d94293

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.gpay

        Filesize

        842B

        MD5

        68d29d055340e302f35bd82d212021c8

        SHA1

        5662d309aaa945cea219c7a71474bd5e74f0ac35

        SHA256

        924fdeeefdffba5821d1ebce5ebd5987a8d8d43c53ecd74de8f08d105d957c32

        SHA512

        2a2d336408f59167c8fd73ab805b0fa8367f24b2738493964778059e0fc7d14e90b8dc8651516f13e8f18014264cb483e3cdbc3eae2592ffc7688114e69c6c94

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F.gpay

        Filesize

        700B

        MD5

        32faadc8be68d71a2d201c9d15531bc8

        SHA1

        ea348e7bdcc8b5718a504e360f8a1cc7cccf3864

        SHA256

        30137b7cdc17c11eb79c55cf31b1a7e2a8823ebc4234aab0f1002847fe8ad628

        SHA512

        486e6a3784e631979e8bc9d74886a6157fff26f40d167642247870d96e46a880eee0326f24546fdeb530ec4d7afc10fd2f8efa3e21f69589d4f7a837d9c781ae

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7.gpay

        Filesize

        770B

        MD5

        345921bc2030930f4167702f820c10c2

        SHA1

        f60fa1838251f3e46789f86bc21b35c75bd84bfd

        SHA256

        32f0ff29847766d45fe5f56958c8dc69e2b81625a5f9f12d572037023d12e522

        SHA512

        35bd362798e725e2a8e572da78a91d88d8dfb4cd93919da2989edda793c5b65378103e66b9a294d5156dfd7005c1242f6a50b30bc4ae12b150b2ea248acd2a98

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.gpay

        Filesize

        802B

        MD5

        42663cb50d325da1d9bb3657c3e7f59f

        SHA1

        2e037802dd3be0d688abd6d3a596412cf409a22e

        SHA256

        0f21a3eaa8827750bdbe4d40171fa5164328b2426fe2b468645ba8b6b10101bd

        SHA512

        48c038db319a97b20d8890b4d75434f9a6f3d64c054225e8cf621e6ce15d57dbe73ae9930c424c41aaabec37b07d9d8be794cb0e1c2445a85d4d00b7ee3d6004

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB5E2F83CE9B8330B0590B7CD2E5FF2E.gpay

        Filesize

        782B

        MD5

        d0b39da9eafb984138251b8d367679cd

        SHA1

        bad73230f3d333b2fe8e86bb0acea320bdace7ec

        SHA256

        4e5ac14a78240e92aa3577524f10fcf2b482402d5576cf3ddc8979947b4c58f1

        SHA512

        16281284b02adac16a605db9bde148259ffd98db9b6225c812e15811579309351ea169e79b4bbbb6601535b5db99d9806a8f9fc8dcf2018e004485a71d3243d5

      • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

        Filesize

        850B

        MD5

        40bfb50e2742c10d2ef8bba691c58880

        SHA1

        dfbef1386f0845962b1ea59be8870a5ee4bd9082

        SHA256

        a541696eb68e2ddc437b2066afe2f7253871f397f1d826babcaea61ebee88eee

        SHA512

        269a533f7a22cd8fc5910586039d00add272b7395d6e8fe1a204a1c4d6728fe8106e57ba444154a4012b425da91b0dfa3574f6cb0de551486973739aaae2e6c6

      • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.gpay

        Filesize

        802B

        MD5

        198c82704047feaaafeb88c1f5e82936

        SHA1

        e9a8f11adc7a16ec489d6feaad362411159fe77f

        SHA256

        b00b3a0c6ece91a0bc9c6c0c75462a7f2af18a9125b56e75ff3fc56396ecdef8

        SHA512

        e800b0aa36277ad42f4923f738ce4e52ee9878d93477af164b6f5553e2472933605fdbe621cf1cfe87c28e7fa66f937b89abe37a2cfeec5db88cb06d8b4d891d

      • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749.gpay

        Filesize

        802B

        MD5

        7e88f7e6d8686f46d0d03282b35bdcbb

        SHA1

        2bfaeafec4eb27d622e5ea9c51424a050d3738e1

        SHA256

        caa5df5b5f249c3629f156ad12967576b0d1f1326bd83685f30a006428e452a6

        SHA512

        4909a0161e2a90b4b6340320ea0462648212f047c1f7875dd154bffc81a9a44693f8deabf47d152717c53e4b5b729bcc84661a5bc54c9eb1ae3619b41642ccfe

      • \Device\HarddiskVolume1\Boot\cs-CZ\!!!HOW_TO_DECRYPT!!!.mht

        Filesize

        4KB

        MD5

        d550cc7e69effa9d0a0f45b05096c206

        SHA1

        0b25906bc035c00062d50f99fa85be9618a4e86c

        SHA256

        d8f40de9fd20fa3a64fc53db598b9ce1ea70a9f5955c2192d917c1c585687a5a

        SHA512

        287f0aaa55c92e1ae9705dc09239003a8cfd43bd1809c603102e5e86de4f8dfea3fbdb3ca3c7c6bfd6b1bdf02714208c56415041a23663ee3cfe7ddc533fb2ae

      • memory/2248-802-0x0000023A866C0000-0x0000023A866D0000-memory.dmp

        Filesize

        64KB

      • memory/2248-796-0x0000023A86660000-0x0000023A86670000-memory.dmp

        Filesize

        64KB