Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-04-2024 19:10

General

  • Target

    104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe

  • Size

    5.4MB

  • MD5

    cfb2286b45544fdb23569f59c02e3d58

  • SHA1

    82793d93d987abb357809f069420d17a25a59f26

  • SHA256

    104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2

  • SHA512

    f72316b083f92763fc58e7826f63072141b845c7319e85ce256ba21297fc035925e95d16193a44d2188912892b1b08828a97a896181566a61d5e472543560d7a

  • SSDEEP

    49152:jM4us5cOkWus2MYrRgGxznum8Uf3lDiFXnKZ5ERDLKJ5YVpWKUYg/4+6Wfctm1AE:haOvZ4rm1UdLEUqB+

Score
10/10

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\How_To_Restore_Your_Files.txt

Ransom Note
>> What happens?
Your data is stolen and encrypted. If you don't pay the ransom, the data will be published on our blog (http://knight3xppu263m7g4ag3xlit2qxpryjwueobh7vjdc3zrscqlfu3pqd.onion). Keep in mind that once your data appears on our blog, it could be bought by your competitors at any second, so don't hesitate for a long time.

>> How to contact with us?
1. Download and install TOR Browser (https://www.torproject.org/). [If you don't know that, Google search!]
2. Open http://vogjzince7niuj34d7wckrqbfgf7klcokzgt7b2hw42bzwwzzvdvdsqd.onion/6ef9cc13508ab2863bf708dd841e549afa2cb5a44bffe987b8580c7006b37b9aa7b416e9d6d23d4893c74b167e395a41/

>>> Warning! Recovery recommendations.
Do not MODIFY or REPAIR your files, Or they will be lost forever.
Do not hire a recovery company. Can't solve anything without us, They always think they're expert negotiators, but the truth is they don't care about you and business
Do not report to the Police, FBI, They don't care about your business and it's going to get worse. (You could be hit with a hefty fine.)
URLs

http://vogjzince7niuj34d7wckrqbfgf7klcokzgt7b2hw42bzwwzzvdvdsqd.onion/6ef9cc13508ab2863bf708dd841e549afa2cb5a44bffe987b8580c7006b37b9aa7b416e9d6d23d4893c74b167e395a41/

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (162) files with added filename extension

    Mass renaming of files with a new extension appended is characteristic of ransomware encrypting files on the system.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe
    "C:\Users\Admin\AppData\Local\Temp\104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\Windows\system32\cmd.exe
      cmd /c vssadmin Delete Shadows /All /Quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2504
    • C:\Windows\system32\cmd.exe
      cmd /c wmic SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic SHADOWCOPY /nointeractive
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3448
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe
      2⤵
        PID:3992
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4420
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1696 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:928
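Detection logic for the behaviour recorded in the Signatures and Processes sections above, as an added example that is not part of the sandbox report or of the sample itself. It runs over constructed process-creation records (Sysmon Event ID 1 style fields: pid, parent pid, image, command line), walks each hit back through the cmd.exe wrappers to the process that actually issued `vssadmin Delete Shadows`, `wmic SHADOWCOPY` and the self-deleting `del`, and attributes all three to the dropped executable. The PIDs, images and command lines in the sample data are copied from the process tree above; the parent PID of the dropped executable, the PowerShell "vssadmin list shadows" control record, and the rule names are assumptions.

```python
"""Hunt for shadow-copy tampering and self-deletion in process-creation events.

Added example (not the report's or the sample's own code). Input records are
constructed in the shape of Sysmon Event ID 1 / Security 4688: pid, ppid,
image path, full command line.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # full command line as logged


# Shadow-copy tampering (ATT&CK T1490). The report shows 'wmic SHADOWCOPY
# /nointeractive' with no verb, so the WMIC rule flags any SHADOWCOPY access
# instead of requiring 'delete'.
SHADOW_TAMPER = [
    ("vssadmin-delete-shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic-shadowcopy",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b", re.I)),
]
# 'del [switches] <path>.exe'; group 1 is the deleted path (quoted or bare).
DEL_CMD = re.compile(r'\bdel\b\s+(?:/\w+\s+)*"?([^"\s]+\.exe)"?', re.I)
LAUNCHER = re.compile(r"\\cmd\.exe$", re.I)


def attribute_to_root(pid: int, by_pid: Dict[int, ProcEvent]) -> ProcEvent:
    """Return the process that issued a command, skipping cmd.exe wrappers.

    A cmd.exe record is itself only a wrapper; for any other tool (vssadmin,
    wmic) start from its parent, then keep climbing while the parent is cmd.exe.
    """
    ev = by_pid[pid]
    if not LAUNCHER.search(ev.image) and ev.ppid in by_pid:
        ev = by_pid[ev.ppid]
    while LAUNCHER.search(ev.image) and ev.ppid in by_pid:
        ev = by_pid[ev.ppid]
    return ev


def find_shadow_tampering(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (root_image, rule, cmdline); one hit per root process and rule."""
    by_pid = {e.pid: e for e in events}
    seen, hits = set(), []
    for e in events:
        for label, rx in SHADOW_TAMPER:
            if rx.search(e.cmdline):
                root = attribute_to_root(e.pid, by_pid)
                if (root.pid, label) not in seen:  # wrapper and child count once
                    seen.add((root.pid, label))
                    hits.append((root.image, label, e.cmdline))
    return hits


def find_self_deletion(events: List[ProcEvent]) -> List[str]:
    """Images of processes that spawned 'del' against their own executable."""
    by_pid = {e.pid: e for e in events}
    found = []
    for e in events:
        m = DEL_CMD.search(e.cmdline)
        if m:
            root = attribute_to_root(e.pid, by_pid)
            if m.group(1).lower() == root.image.lower() and root.image not in found:
                found.append(root.image)
    return found


# Constructed records. PIDs and command lines match the report's process tree;
# the parent PID 1234 of the dropped executable is a placeholder, and the last
# two records are a benign admin control (listing, not deleting, shadow copies).
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "104b22a45e4166a5473c9db924394e1fe681ef374970ed112edd089c4c8b83f2.exe")
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    ProcEvent(4820, 1234, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2036, 4820, SYS32 + "cmd.exe", "cmd /c vssadmin Delete Shadows /All /Quiet"),
    ProcEvent(2504, 2036, SYS32 + "vssadmin.exe", "vssadmin Delete Shadows /All /Quiet"),
    ProcEvent(1428, 4820, SYS32 + "cmd.exe", "cmd /c wmic SHADOWCOPY /nointeractive"),
    ProcEvent(3448, 1428, SYS32 + "Wbem\\WMIC.exe", "wmic SHADOWCOPY /nointeractive"),
    ProcEvent(3992, 4820, SYS32 + "cmd.exe", f"cmd.exe /c del {SAMPLE}"),
    ProcEvent(900, 700, SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe", "powershell.exe"),
    ProcEvent(5000, 900, SYS32 + "vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    for root, rule, cmd in find_shadow_tampering(SAMPLE_EVENTS):
        print(f"[{rule}] {root} -> {cmd}")
    for img in find_self_deletion(SAMPLE_EVENTS):
        print(f"[self-delete] {img}")
```

Attributing hits to the root rather than to cmd.exe or vssadmin.exe is what makes the alert actionable: the binary to collect and block is the dropped executable, not the LOLBin. The `del` rule only fires when the deleted path equals the root's own image, so ordinary cleanup scripts are not flagged.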

Network

MITRE ATT&CK Enterprise v15

Downloads

  • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\How_To_Restore_Your_Files.txt

    Filesize

    1KB

    MD5

    6cc604c8f095c4481ad80f3f1d9aa1bf

    SHA1

    92accd8797aba99b04cc523e22e6d07aca3464c2

    SHA256

    2cb3b4a36b4aa80ae6850da590caab3b2caa74b1049a5c868a1e821feb036741

    SHA512

    9acd74acd8973ac8ef443337899fabb54b8e0334408d7dc203256e6d43cd30a67be88bd68a3b373cee43237ea7e320aa5ef18c058f7dee39515c70f33965916c