hxxp://github[.]com

General

Target

http://github.com
Sample

240514-tdxpjade2y

Score

10^/10

Malware Config

Extracted

Path

C:\Windows\System32\TankRansom2.0.exe

Ransom Note

MZ��@�� !�L�!This program cannot be run in DOS mode. $��PE��L�;�P��"�0��<��&Z�� `��@�� @��Y�O��`�(��0Y�8�� H��.text��4:�� <�� `.rsrc��(��`��>��@��@.reloc��T��@��B��Z��H��d<��41��m��0�?��}��(�� (��{ ��#��N@(�� o�� o�� *�0��s1�� }��(�� r��p(�� r��p(�� s�� (�� ~�� r-��po�� r��pr��po�� ( �� (�� r��p(!�� ("�� r��p(!�� r��p(#�� r��p(!�� r��p(#�� {��o$�� {��o$�� {��o$�� (%�� }��s&�� % ��o'�� 2��s(�� o)�� o*�� {��o$�� * �* �* �* �*��0��{��o+�� r�p(,�� ,�r �prE�p(-�� &�8��{��o+�� rQ�p(,�� 9��rk�pr��p@(-�� &(�� r��p(!�� (.�� ,�(�� r��p(!�� (/�� ~0�� r��po�� r#�pr�po�� ~0�� rA�po�� r��p�?��o�� ~0�� r��po�� rW�p�?��o�� rc�p�?��o�� rs�p(/�� r��prs�p("�� r��p(/�� r��p(/�� (��~�� r-��po�� r��prC�po�� r]�p(1�� &r��p(2�� + ��o3�� X �i2�r��p(2�� + ��o3�� X �i2��+�r��pr��p(-�� &�*0�}��{��o4�� (�� r�p(!�� r��p(�� r��p(�� r�p(!�� (.�� , �(/�� (.�� , �(/�� {��o$�� *��0�R��{��o4�� r%�p(2�� +� � o3�� X�i2�r7�p(1�� &(5�� (��&*R�{��o4�� (��*�0��{��o4�� {��rs�po�� {��(6�� o7�� r��pr��p(8�� & r��p(2�� + ��o3�� X �i2�r��p(2�� +��o3�� X�i2�**�o9�� *��0��(��&(�� r��p(�� r��p(�� r��p(!�� r��p(:�� r��p(!�� r��p(:�� s.��rQ�p+� �o-��X �i�-� +� �o-�� X �i� -�*��0��(��&(�� r��p(�� r��p(�� r��p(!�� r��p(:�� r��p(!�� r��p(:�� s0��rQ�p+� �o/��X �i�-� +� �o/��(��&� X �i� -�*��0�D�� {��o;�� ,�{��o<�� +"{��o;�� ,�{��*o<�� *0�+�� ,{��+ ,�{��o=�� (>�� *�0�� s?�� }��(@�� sA�� s��}��sB�� }��sB�� }��sB�� }��sB�� }��sB�� }��sB�� }��sB�� } ��sB�� } ��sC�� }��sD�� }��sE�� } ��{��sF�� }��{��sF�� }��{��sF�� }��{��sF�� }��{��sF�� }��sB�� }��sG�� }��{��oH�� (I�� {��r��p"��\A ��sJ�� oK�� {��(L�� o7�� {�� s�� oM�� {��r��poN�� {�� asO�� oP�� {��o&��{�� o$��{��oQ�� {��r�po�� {��oR�� {��r��p"��@sJ�� oK�� {��(L�� o7�� {�� +��s�� oM�� {��r��poN�� {�� sO�� oP�� {��oQ�� {��r��po�� {��s(�� oS�� {��oR�� {��r��p"��A ��sJ�� oK�� {��(L�� o7�� {�� E��s�� oM�� {��r��poN�� {�� sO�� oP�� {��oQ�� {��r�poT�� o�� {��s(�� oS�� {��oR�� {��r��p"��@sJ�� oK�� {��(L�� o7�� {�� s�� oM�� {��r&�poN�� {�� sO�� oP�� {��oQ�� {��r4�po�� {��oR�� {��r��p"��A ��sJ�� oK�� {��(6�� o7�� {�� s�� oM�� {��rn�poN�� {�� 6sO�� oP�� {��oQ�� {��r|�po�� {��oR�� {��r��p"��@sJ�� oK�� {��(L�� o7�� {�� 8��s�� oM�� {��r��poN�� {��tsO�� oP�� {��oQ�� {��r �po�� {��s(�� oS�� {��oR�� {��r��p"��A ��sJ�� oK�� {��(L�� o7�� {�� Q��s�� oM�� {��r' �poN�� {�� HsO�� oP�� {��oQ�� {��r5 �poT�� o�� {��s(�� oS�� { ��oR�� { ��(U�� oV�� { ��oW�� { ��rM �p"��A ��sJ�� oK�� { ��(L�� o7�� { �� s�� oM�� { ��re �poN�� { �� 8sO�� oP�� { ��oQ�� { ��rs �po�� { ��oR�� { ��(U�� oV�� { ��r��p"��@sJ�� oK�� { ��(L�� o7�� { �� s�� oM�� { ��r� �poN�� { ��nsO�� oP�� { �� oQ�� { ��r� �po�� {��(X�� oV�� {��r��p"��A ��sJ�� oK�� {��(L�� o7�� {��1 8��s�� oM�� {��sY�� oZ�� {��r� �poN�� {�� )sO�� oP�� {�� oQ�� {��r� �po�� {��o[�� {��oR�� {��(\�� o7�� {��D ��s�� oM�� {��r� �poN�� {�� sO�� oP�� {��oQ�� {��r� �po�� {��o]�� { ��(^�� o_�� { ��o`�� { ��(L�� o7�� { ��1 h��s�� oM�� { ��r� �poN�� { �� )sO�� oP�� { ��oQ�� { ��r �po�� { ��o]�� { ��s(�� oS�� {��o*�� {�� s(�� o)�� {��o*�� {�� o'�� {��s(�� o)�� {�� '��o'�� {�� s(�� o)�� {��o*�� {�� 6�o'�� {��s(�� o)�� {��o*�� {�� ,��o'�� {��s(�� o)�� {��oR�� {��(U�� oV�� {��r��p"��@ ��sJ�� oK�� {��(L�� o7�� {�� s�� oM�� {��r �poN�� {�� sO�� oP�� {�� oQ�� {��r) �po�� {��(U�� oV�� {��rS �poa�� tS��ob�� {�� s�� oM�� {��rw �poN�� {�� sO�� oP�� {��oc�� {��od�� {��oe�� "��A"��Asf�� (g�� (h�� (X�� oV�� r� �poa�� tS��oi�� oj�� sO�� (k�� (l�� (m�� {��on�� (m�� {��on�� (m�� { ��on�� (m�� {��on�� (m�� {��on�� (m�� { ��on�� (m�� { ��on�� (m�� {��on�� (m�� {��on�� (m�� {��on�� (m�� {��on�� (m�� {��on�� (m�� {��on�� (m�� {��on�� (o�� (p�� (q�� r� �p(N�� (r�� (s�� (t�� r� �po�� su�� (v�� s(�� (w�� {��ox�� (y�� (z�� *j�({�� (|�� s��(}�� *&(~�� *0�9��~�� ,"�r� �p��(@�� o�� s�� ~��+�*��0�� ~�� +�*"��*0��~�� +�*"(�� *Vs��(�� t��*��0�u��s&�� }��}��(�� (�(�� oR�� (�� (�� }��{��"��s(�� o)�� }��{��o*�� *Z�{��o4�� (�� *F�(�� (�� *&�(�� *F�(�� (�� *��0��o�� s�� % �o�� (�� o�� , o=�� o+�� o�� (�� (�� [(�� [Yo�� s�� % �o�� o+�� o�� {��kko�� ,o=�� (�� *��&��e�&�� ^�{��o*�� (�� *0��o+�� o�� (�� (�� (�� ,!�{��o4�� }��(�� 8��(�� (�� /+�(�� (�� Y{�� , �}��{��eo�� o�� X��, �}��{��- {��Y+{��X}��(�� *2{��o�� *Z�{��o'�� (�� *{��*��0�8�� }��{��{��o*�� {�� ,�}��(�� *(+�� *Z�(�� {��o$�� *�0�� d��%��(�� s�� s�� o�� o�� s�� o�� [o�� o�� o�� [o�� o�� o�� o�� s�� io�� o�� ,o=�� o�� , o=�� ,o=�� +�*��(�� "��"(~�� *��0�� d��%��(�� s�� s�� o�� o�� s�� o�� [o�� o�� o�� [o�� o�� o�� o�� s�� io�� o�� ,o=�� o�� , o=�� ,o=�� +�*��(�� "��"(~�� *��0�3��(�� (�� o�� (�� o�� ()�� (�� *"(~�� *0�3��(�� (�� o�� (�� o�� (+�� (�� *"(~�� *"(~�� *��0�B��{��{ ��#��N@(�� (%�� {��(�� (�� r/�p(�� o�� *��BSJB��v4.0.30319��l��P��#~��#Strings��H ��H��#US��+��#GUID��+��#Blob��W�5 ��3��p��2��/�� >��Y��m �� !� �� ^� �w� �� u �� j��< �+ j ��j ��j �%j ��j ��j�� D� �0�� j��< �� \��<�� <�� <��%� �� %��<�� :} ��< �m< ��h �{ j �?j��C��o� ��\��u��7�� O j�� \�� j �Nj ��j �@ j�� r��/< �k\�� \�� < �M� �'� �H< �� j �dj �[j �zj ��j �|j ��j�� j�V� �r j ��j �j�� j �� j ��j�]� ��h �� j��c� �j�� <�� <��<�� <�� \��<�lE�<�� <��.��b��A�� e�� | e��| �� c��7��e��)��e��)�� e��+��|��e��-��m��e��/��e��1��d�D�h�[�l��l��l��l��l� l�l� l��p�|�t�h�x�R|�|�� |�0|��|�'l�p�� j��R��|�v��t��3��S��.�� :��P �� !��!��!��!�� !��#��l$��K��$��^��$��t��%��%�� `&�� ,'��|'��'��{��S5��# �n5��x5��5��R��5��^��5�� 5��6�� 6��6��6��P��6��b ��6��P��6��7��[P ��7��!��8�� #��8��#��8��bL$��8��l�$�9��Q2�%� 9��Z�%�89��&�L:��(�X:��(�l;��*�x;��*��;��,��;��,��;��.�<��.�<��3��.��b��b��b��b��b��b��b��b��b��b��b��b��b��b��b��b��b�� I��I��4��N �� )��1��9��A��I��Q��Y��a��i��q��y��)��1��9��Y� �� ,��2�iZ��B��I��8N��T��[ Z��@a��#e��k��t��N��fx��|x��!�~�� B��iQ2��~��a��] ��M�� i2 �� 1 �� ,��L��qP!��)��19^��g��n��A �i��I�ti��mi[ Z�i��T�i��i��i�i��A��iN ��8i��i( �� y\��.�ix�y��A��F��i��i��!��i]��3 ��_�� A�i�i,�� ,�,��1Y&A�,a��!?i��i�Hi*�i��i��i��i�Pib �i�Pi@f� q�liYr Kxi��p�i��i$f ��i��i[P� �i �I�� )��A<�A� ��A0�I�A�A��Af�A|�A��a�a�� A�� qq$y�*��0�� 7!� >�� I��)��.��.��.��.�#�&.�+�9.�3�9.�;�?.�C�&.�K�L.�S�9.�[�9.�c�k.�k��.�s��I��{��{��0��{��{��`��'�6��6GUY4:V��r��F��p��#� ��$� ��%��&��'� ��(� �R ��:�,Z��Rv��Rj��R� ��[�� ? �� TankRansom2.0�TankRansom2._0�<>c__DisplayClass2_0�<Form1_Load>b__0�eLearningSlidingLabel1�label1�Form1�button1�pictureBox1�checkBox1�textBox1�Microsoft.Win32�Int32�66840DDA154E8A113C31DD0AD32F7F3A366A80E8136979D8F5A101D3D29D6F72�label2�label3�label4�label5�SHA256�label6�label7�get_UTF8�label8�label9�<Module>�<PrivateImplementationDetails>�SizeF�System.IO�set_IV�get_Aqua�mscorlib�Form1_Load�add_Load�Add�get_Red�RijndaelManaged�OnForeColorChanged�OnBackColorChanged�get_Checked�set_Enabled�bytesToBeDecrypted�bytesToBeEncrypted�fileEncrypted�Synchronized�get_Hand�RegistryValueKind�password�defaultInstance�get_Slide�set_Slide�slide�set_Mode�set_AutoScaleMode�set_SizeMode�PictureBoxSizeMode�CryptoStreamMode�CipherMode�set_Image�set_BackgroundImage�GetEnvironmentVariable�IDisposable�RuntimeFieldHandle�RuntimeTypeHandle�GetTypeFromHandle�FillRectangle�get_ClientRectangle�DecryptionFile�EncryptionFile�DecryptFile�EncryptFile�file�set_BorderStyle�set_FormBorderStyle�set_FlatStyle�SetStyle�FontStyle�set_Name�GetProcessesByName�get_SlideTime�set_SlideTime�DateTime�startTime�Combine�LocalMachine�Type�get_Culture�set_Culture�resourceCulture�ButtonBase�ApplicationSettingsBase�Close�Dispose�Invalidate�Create�EditorBrowsableState�Delete�get_White�Write�STAThreadAttribute�CompilerGeneratedAttribute�GuidAttribute�GeneratedCodeAttribute�DebuggerNonUserCodeAttribute�DebuggableAttribute�EditorBrowsableAttribute�ComVisibleAttribute�AssemblyTitleAttribute�AssemblyTrademarkAttribute�TargetFrameworkAttribute�AssemblyFileVersionAttribute�AssemblyConfigurationAttribute�AssemblyDescriptionAttribute�CompilationRelaxationsAttribute�AssemblyProductAttribute�AssemblyCopyrightAttribute�AssemblyCompanyAttribute�RuntimeCompatibilityAttribute�Byte�SetValue�value�TankRansom2.0.exe�set_Size�get_BlockSize�set_BlockSize�set_AutoSize�set_ClientSize�get_KeySize�set_KeySize�ISupportInitialize�OnResize�Padding�Encoding�System.Runtime.Versioning�ToString�GetString�DrawString�Form1_FormClosing�add_FormClosing�disposing�System.Drawing�ComputeHash�SolidBrush�get_ExecutablePath�GetFolderPath�get_Width�set_Width�obj�get_Black�add_Tick�unhide_ransom_Tick�start_encryption_Tick�countdown_Tick�heck_desktop_Tick�timer_Tick�check_box_Tick�label1_Click�button1_Click�label2_Click�label5_Click�label6_Click�add_Click�block�get_Interval�set_Interval�eLearningSlidingLabel�set_Cancel�System.ComponentModel�user32.dll�Kill�OnCreateControl�ContainerControl�CryptoStream�MemoryStream�Program�System�SymmetricAlgorithm�HashAlgorithm�unhide_ransom�Form�ICryptoTransform�resourceMan�TimeSpan�CenterToScreen�set_TextAlign�Main�set_Margin�set_ShowIcon�MessageBoxIcon�Application�set_Location�System.Configuration�System.Globalization�op_Subtraction�System.Reflection�ControlCollection�set_StartPosition�FormStartPosition�SearchOption�CoreDecryption�CoreEncryption�start_encryption�Button�Run�countdown�CultureInfo�set_TabStop�heck_desktop

Emails

[email protected]

Targets

- Target
  
  http://github.com
Score

10^/10

discovery evasion exploit persistence ransomware
- Modifies WinLogon for persistence
  persistence
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Possible privilege escalation attempt
  exploit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Modifies file permissions
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1