Analysis

  • max time kernel
    51s
  • max time network
    49s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    25-04-2024 16:38

General

  • Target

    ____ __ __ _____240423 _ _____ ________.exe

  • Size

    318KB

  • MD5

    bbda482f1ecce55c24e1a444c03da58e

  • SHA1

    57f3b40785acb35fd76a56334084a32ab3a41bca

  • SHA256

    7e2de46d2c37fb24bee5223bd3f26bd6f49b54688a528a851898b0459adec3cd

  • SHA512

    d6e21971ac6226692afcfbbd57cc8fdb178b98cd96f8a6a8a9fb6ce1d66f59323e171493a581f60c37817333db824333a83482aacac3634af4d769b352902adb

  • SSDEEP

    3072:dT0VHJezp57AexD5EbZ+AQAZXczGSkr4baGtnzL35AhCgr6e+49AkIKCnXrLcXgc:qczLhMH1Uygc6749RIJXrLcXx5KqbI

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\README.TXT

Ransom Note
YOUR FILES ARE ENCRYPTED!

Your files, documents, photos, databases and other important files are encrypted. If you found this document in a zip, do not modify the contents of that archive! Do not edit, add or remove files from it!

You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.

To be sure we have the decryptor and it works you can send an email: [email protected] or tox: B91B5EFDAD03A1D81EA550341794E330F192DFB3000922E461858955CC3AF55FBA0761C657B0 and decrypt one file for free. But this file should be of not valuable!

Do you really want to restore your files?
Write to email: [email protected]
TOX: B91B5EFDAD03A1D81EA550341794E330F192DFB3000922E461858955CC3AF55FBA0761C657B0

How to use tox:
1. Download a uTox client: http://utox.org
2. Run it
3. Add our TOX id: B91B5EFDAD03A1D81EA550341794E330F192DFB3000922E461858955CC3AF55FBA0761C657B0

Attention!
* Do not rename or edit encrypted files and archives containing encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
* We have been in your network for a long time. We know everything about your company most of your information has already been downloaded to our server. We recommend you to do not waste your time if you dont wont we start 2nd part.
* You have 24 hours to contact us.
* Otherwise, your data will be sold or made public.
URLs

http://utox.org

Signatures

  • Renames multiple (140) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\____ __ __ _____240423 _ _____ ________.exe
    "C:\Users\Admin\AppData\Local\Temp\____ __ __ _____240423 _ _____ ________.exe"
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4140
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:892
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.TXT
    • Opens file in notepad (likely ransom note)
    PID:5388

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\README.TXT

    Filesize

    1KB

    MD5

    ada14f8bea03439fbd03a5df8a1389c2

    SHA1

    24fc1a97f00be8647e99ec6eb3134b46f2f84271

    SHA256

    9078bfdd733e1b115b922bc206342ce2c43e4c7c2d6d1ca89867e68936c4567a

    SHA512

    e757ade99ef103d5e6c6919567c614e904b0f1d05094321ce8fbc32c3dd575bae134166024da11f8935b0cf282a36796dbd3922d7e6e78a24c2269ed1c8cc692

  • memory/4140-2-0x00000000046F0000-0x0000000004705000-memory.dmp

    Filesize

    84KB

  • memory/4140-1-0x0000000004270000-0x0000000004370000-memory.dmp

    Filesize

    1024KB

  • memory/4140-4-0x0000000000400000-0x0000000004040000-memory.dmp

    Filesize

    60.2MB

  • memory/4140-338-0x0000000000400000-0x0000000004040000-memory.dmp

    Filesize

    60.2MB

  • memory/4140-339-0x0000000004270000-0x0000000004370000-memory.dmp

    Filesize

    1024KB

  • memory/4140-340-0x00000000046F0000-0x0000000004705000-memory.dmp

    Filesize

    84KB

  • memory/4140-342-0x0000000000400000-0x0000000004040000-memory.dmp

    Filesize

    60.2MB

  • memory/4140-343-0x0000000000400000-0x0000000004040000-memory.dmp

    Filesize

    60.2MB

  • memory/4140-344-0x0000000000400000-0x0000000004040000-memory.dmp

    Filesize

    60.2MB