104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2

General

Target

104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe
Size

5.4MB
MD5

cfb2286b45544fdb23569f59c02e3d58
SHA1

82793d93d987abb357809f069420d17a25a59f26
SHA256

104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2
SHA512

f72316b083f92763fc58e7826f63072141b845c7319e85ce256ba21297fc035925e95d16193a44d2188912892b1b08828a97a896181566a61d5e472543560d7a
SSDEEP

49152:jM4us5cOkWus2MYrRgGxznum8Uf3lDiFXnKZ5ERDLKJ5YVpWKUYg/4+6Wfctm1AE:haOvZ4rm1UdLEUqB+

Score

10^/10

ransomware

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\How_To_Restore_Your_Files.txt

Ransom Note

>> What happens? Your data is stolen and encrypted.If you don't pay the ransom, the data will be published on our blog(http://knight3xppu263m7g4ag3xlit2qxpryjwueobh7vjdc3zrscqlfu3pqd.onion). Keep in mind that once your data appears on our blog, it could be bought by your competitors at any second, so don't hesitate for a long time. >> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/).[If you don't know that, Google search!] 2. Open http://vogjzince7niuj34d7wckrqbfgf7klcokzgt7b2hw42bzwwzzvdvdsqd.onion/6ef9cc13508ab2863bf708dd841e549afa2cb5a44bffe987b8580c7006b37b9aa7b416e9d6d23d4893c74b167e395a41/ >>> Warning! Recovery recommendations. Do not MODIFY or REPAIR your files, Or they will be lost forever. Do not hire a recovery company.Can't solve anything without us,They always think they're expert negotiators, but the truth is they don't care about you and business Do not report to the Police, FBI,They don't care about your business and it's going to get worse.(You could be hit with a hefty fine.)

URLs

http://vogjzince7niuj34d7wckrqbfgf7klcokzgt7b2hw42bzwwzzvdvdsqd.onion/6ef9cc13508ab2863bf708dd841e549afa2cb5a44bffe987b8580c7006b37b9aa7b416e9d6d23d4893c74b167e395a41/

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (162) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2504 vssadmin.exe

pid	process
2504	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe

pid	process
4820	104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe
4820	104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe
4820	104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	4420	vssvc.exe
Token: SeRestorePrivilege	4420	vssvc.exe
Token: SeAuditPrivilege	4420	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3448	WMIC.exe
Token: SeSecurityPrivilege	3448	WMIC.exe
Token: SeTakeOwnershipPrivilege	3448	WMIC.exe
Token: SeLoadDriverPrivilege	3448	WMIC.exe
Token: SeSystemProfilePrivilege	3448	WMIC.exe
Token: SeSystemtimePrivilege	3448	WMIC.exe
Token: SeProfSingleProcessPrivilege	3448	WMIC.exe
Token: SeIncBasePriorityPrivilege	3448	WMIC.exe
Token: SeCreatePagefilePrivilege	3448	WMIC.exe
Token: SeBackupPrivilege	3448	WMIC.exe
Token: SeRestorePrivilege	3448	WMIC.exe
Token: SeShutdownPrivilege	3448	WMIC.exe
Token: SeDebugPrivilege	3448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3448	WMIC.exe
Token: SeRemoteShutdownPrivilege	3448	WMIC.exe
Token: SeUndockPrivilege	3448	WMIC.exe
Token: SeManageVolumePrivilege	3448	WMIC.exe
Token: 33	3448	WMIC.exe
Token: 34	3448	WMIC.exe
Token: 35	3448	WMIC.exe
Token: 36	3448	WMIC.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.execmd.execmd.exe

description	pid	process	target process
PID 4820 wrote to memory of 2036	4820	104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe	cmd.exe
PID 4820 wrote to memory of 2036	4820	104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe	cmd.exe
PID 2036 wrote to memory of 2504	2036	cmd.exe	vssadmin.exe
PID 2036 wrote to memory of 2504	2036	cmd.exe	vssadmin.exe
PID 4820 wrote to memory of 1428	4820	104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe	cmd.exe
PID 4820 wrote to memory of 1428	4820	104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe	cmd.exe
PID 1428 wrote to memory of 3448	1428	cmd.exe	WMIC.exe
PID 1428 wrote to memory of 3448	1428	cmd.exe	WMIC.exe
PID 4820 wrote to memory of 3992	4820	104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe	cmd.exe
PID 4820 wrote to memory of 3992	4820	104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe
"C:\Users\Admin\AppData\Local\Temp\104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\system32\cmd.exe
  cmd /c vssadmin Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2504
- C:\Windows\system32\cmd.exe
  cmd /c wmic SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3448
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe
  2⤵
  PID:3992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1696 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\How_To_Restore_Your_Files.txt

Filesize
1KB

MD5
6cc604c8f095c4481ad80f3f1d9aa1bf

SHA1
92accd8797aba99b04cc523e22e6d07aca3464c2

SHA256
2cb3b4a36b4aa80ae6850da590caab3b2caa74b1049a5c868a1e821feb036741

SHA512
9acd74acd8973ac8ef443337899fabb54b8e0334408d7dc203256e6d43cd30a67be88bd68a3b373cee43237ea7e320aa5ef18c058f7dee39515c70f33965916c

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads