Overview

overview

10

Static

static

10

d0dd0f7658...43.exe

windows7-x64

10

d0dd0f7658...43.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17-03-2024 12:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe

  • Size

    42KB

  • MD5

    8d809510a9ae7b8ef6fc6a25e5feaa22

  • SHA1

    eb0888326adbbbdf1537a965c4d26c71549d43f6

  • SHA256

    d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043

  • SHA512

    a9ed43be1285f73fda873ee0e39070d4cb3b4b5bd1e69b1506a42f4827f22d0d2f0ad2d25f204ea288f97f6eef787bf0133d0b3659bb8e815f55ff74210e557c

  • SSDEEP

    768:PO1oR/UVS1RzK4wbs+D/SIJX+ZZ1SQQwZuIOPzDRufTwsylLO/Ov:PoS1FKnDtkuImTlLOe

Score
10/10
ransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay us. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: [email protected] .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Renames multiple (8275) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
    "C:\Users\Admin\AppData\Local\Temp\d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Users\Admin\AppData\Local\Temp\d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe
      "C:\Users\Admin\AppData\Local\Temp\d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe" n1504
      2⤵
        PID:1948
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:1296
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:2452
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1580
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 5 & fsutil file setZeroData offset=0 length=131072 "C:\Users\Admin\AppData\Local\Temp\d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe" & del /q /f "C:\Users\Admin\AppData\Local\Temp\d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe"
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2240
        • C:\Windows\SysWOW64\PING.EXE
          ping 1.1.1.1 -n 5
          3⤵
          • Runs ping.exe
          PID:2128
        • C:\Windows\SysWOW64\fsutil.exe
          fsutil file setZeroData offset=0 length=131072 "C:\Users\Admin\AppData\Local\Temp\d0dd0f7658b938f9a3036ce308f5018ae0cf3bc516aaf3c18b947afee136c043.exe"
          3⤵
            PID:1008
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2608
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2488
      • C:\Windows\System32\vdsldr.exe
        C:\Windows\System32\vdsldr.exe -Embedding
        1⤵
          PID:2444
        • C:\Windows\System32\vds.exe
          C:\Windows\System32\vds.exe
          1⤵
            PID:1316
          • C:\Windows\system32\Dwm.exe
            "C:\Windows\system32\Dwm.exe"
            1⤵
              PID:2832

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
              Filesize

              67KB

              MD5

              753df6889fd7410a2e9fe333da83a429

              SHA1

              3c425f16e8267186061dd48ac1c77c122962456e

              SHA256

              b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

              SHA512

              9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt
              Filesize

              1KB

              MD5

              5050dfc1de9457c380804ea54d95eb96

              SHA1

              598f2d5997cc0bd0d5bcf49232d93be6876db913

              SHA256

              37659d4b3904b1ec1cf95165926116379293b4b0cd7730c81197109aa9af7ac0

              SHA512

              98860f03d6e694e1414d31ba7607349324ec63cb9f90831ec48a3fbd6694944c5ab49268d1bc2337092746fc34641e88a9a7df5cdc22bff2ebe88a9b3f9934ae

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\CabDA9.tmp
              Filesize

              65KB

              MD5

              ac05d27423a85adc1622c714f2cb6184

              SHA1

              b0fe2b1abddb97837ea0195be70ab2ff14d43198

              SHA256

              c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

              SHA512

              6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Tar2101.tmp
              Filesize

              175KB

              MD5

              dd73cead4b93366cf3465c8cd32e2796

              SHA1

              74546226dfe9ceb8184651e920d1dbfb432b314e

              SHA256

              a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

              SHA512

              ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

              Download Submit