Overview

overview

10

Static

static

10

220629-p7hp9ahfel.exe

windows7-x64

9

220629-p7hp9ahfel.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-03-2024 10:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    220629-p7hp9ahfel.exe

  • Size

    7.7MB

  • MD5

    a7ab0969bf6641cd0c7228ae95f6d217

  • SHA1

    002971b6d178698bf7930b5b89c201750d80a07e

  • SHA256

    117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

  • SHA512

    7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

  • SSDEEP

    49152:mwHittZSrb/TjvO90dL3BmAFd4A64nsfJTGNHltPgQjre0Q2hEsj2kcR9RsU/2LU:mwUs3dfC2at9kDXdmG55wuzZqGdE

Score
10/10
agendapersistenceransomware

Malware Config

Extracted

Family

agenda

Attributes
  • company_id

    OnHnnBvUej

  • note

    -- Agenda Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreementyour data will be published. Data includes: - Employees personal dataCVsDLSSN. - Complete network map including credentials for local and remote services. - Financial information including clients databillsbudgetsannual reportsbank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials -- Credentials Extension: OnHnnBvUej Domain: login: bd61eb78-64a3-4ee0-9a8e-543b8bc12b5e password: 14158620-fb98-4889-87cb-f5251368fc21

rsa_pubkey.plain

Extracted

Path

C:\$Recycle.Bin\OnHnnBvUej-RECOVER-README.txt

Family

agenda

Ransom Note
-- Agenda Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreementyour data will be published. Data includes: - Employees personal dataCVsDLSSN. - Complete network map including credentials for local and remote services. - Financial information including clients databillsbudgetsannual reportsbank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials -- Credentials Extension: OnHnnBvUej Domain: login: bd61eb78-64a3-4ee0-9a8e-543b8bc12b5e password: 14158620-fb98-4889-87cb-f5251368fc21%!(EXTRA string=same as login)

Signatures

  • Agenda Ransomware

    A ransomware with multiple variants written in Golang and Rust first seen in August 2022.

    ransomwareagenda
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Detects command variations typically used by ransomware 1 IoCs
  • Detects executables containing many references to VEEAM. Observed in ransomware 1 IoCs
  • Detects executables referencing many IR and analysis tools 1 IoCs
  • Renames multiple (158) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4560
    • C:\Users\Public\enc.exe
      "C:\Users\Public\enc.exe"
      2⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1168
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:4616
    • C:\Users\Public\enc.exe
      "C:\Users\Public\enc.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1368
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4936
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2476
  • C:\Users\Admin\AppData\Local\Temp\220629-p7hp9ahfel.exe
    "C:\Users\Admin\AppData\Local\Temp\220629-p7hp9ahfel.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3936
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1316
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1676
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    PID:4484
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    PID:3456

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\OnHnnBvUej-RECOVER-README.txt
    Filesize

    1KB

    MD5

    3a29ccf8fcbac5d1797999d3699375b1

    SHA1

    9993778053593d2704992f9e9cd7b79f4bd4a244

    SHA256

    534b085697b8406738b3281c1ca067cc90290ca8d44d2608eecdf4c0626c7e16

    SHA512

    99c1c76acd7e6ba366505000a21dc77400cb5531203f658d311d4b3926db90f331b870bb4d0bd6cd7731a41657b97d62feedb6fab74cee602c8fd91cc1d73600

    Download Submit

  • C:\Users\Public\enc.exe
    Filesize

    7.7MB

    MD5

    a7ab0969bf6641cd0c7228ae95f6d217

    SHA1

    002971b6d178698bf7930b5b89c201750d80a07e

    SHA256

    117fc30c25b1f28cd923b530ab9f91a0a818925b0b89b8bc9a7f820a9e630464

    SHA512

    7e1cce428e3b80b60635c354801af6e86354c9437ba7a661ca6a922c17057a16439a97d1ea11873eb359c05018df9eb6040b72fa97b30cf4d04cae56bf052b8a

    Download Submit

  • C:\Users\Public\pwndll.dll
    Filesize

    91KB

    MD5

    e966c38c5b1a05d0bd86eb0edc1d3b84

    SHA1

    f10443e13b82c93f203c0428a357205aa55f2dee

    SHA256

    28aeb2d6576b2437ecab535c0a1bf41713ee9864611965bf1d498a87cbdd2fab

    SHA512

    6c80ec34f0d581e0924cb58f22e5bc70e36fcc6119db779744fad007bd943d95e5f646f06244e9a5aa40685649b7730e46dded68c0732e81559dded33a4dbe7b

    Download Submit

  • \??\PIPE\wkssvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit