Resubmissions
27-05-2024 14:10  240527-rg7b2afa9z  10
22-02-2024 11:36  240222-nq2lcsge31  10
22-02-2024 11:32  240222-nnhepsgh78  10
19-02-2024 09:31  240219-lg1llabg3w  10
Analysis
max time kernel: 315s
max time network: 316s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 27-05-2024 14:10
Static task: static1
Behavioral task: behavioral1
  Sample: e6a9f7e8cf2657bf61cb1d4331ea221fcc0189dc3be954b9535f9f619e65822e.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e6a9f7e8cf2657bf61cb1d4331ea221fcc0189dc3be954b9535f9f619e65822e.exe
  Resource: win10v2004-20240426-en
General
Target: e6a9f7e8cf2657bf61cb1d4331ea221fcc0189dc3be954b9535f9f619e65822e.exe
Size: 3.8MB
MD5: f9309e569b3b98358501d05f194bc478
SHA1: 0732a721765421573355b6882cc1911508d10a10
SHA256: e6a9f7e8cf2657bf61cb1d4331ea221fcc0189dc3be954b9535f9f619e65822e
SHA512: f3470354e87fd7ed3054aa993f6c846f88cb9886394b0a1747f572a150d654fd4213b8aeb4e422b9d4ef705cd2185c82b017cfe5b1f4f71dcb1a6dddaabe2a1d
SSDEEP: 98304:Tf099mVIl+ZaCAF17l5uAmWVCkH9+sXsm9T3x5BOw6wafHtAjAz:T89odKTJo5WR9AQBOo0HtcA
Malware Config
Extracted
Family: agenda
company_id: CdOrne8tjo
note:
-- Qilin
Your network/system was encrypted.
Encrypted files have new extension.
-- Compromising and sensitive data
We have downloaded compromising and sensitive data from you system/network
If you refuse to communicate with us and we do not come to an agreement, your data will be published.
Data includes:
- Employees personal data, CVs, DL , SSN.
- Complete network map including credentials for local and remote services.
- Financial information including clients data, bills, budgets, annual reports, bank statements.
- Complete datagrams/schemas/drawings for manufacturing in solidworks format
- And more...
-- Warning
1) If you modify files - our decrypt software won't able to recover data
2) If you use third party software - you can damage/modify files (see item 1)
3) You need cipher key / our decrypt software to restore you files.
4) The police or authorities will not be able to help you get the cipher key.
We encourage you to consider your decisions.
-- Recovery
1) Download tor browser: https://www.torproject.org/download/
2) Go to domain
3) Enter credentials
-- Credentials
Extension: CdOrne8tjo
Domain: ez272bljrf7qhetc4bw5j2kem7cqy6r2babgfibuwdlxxyp24nnj5cqd.onion
login: OypVyQm2s--xycMOEYzz8hjrv5CSUvWC
password:
Signatures
Agenda Ransomware
A ransomware with multiple variants, written in Golang and Rust, first seen in August 2022.
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
description                        pid   Process
Token: 33                          2176  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  2176  AUDIODG.EXE
Token: 33                          2176  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  2176  AUDIODG.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\e6a9f7e8cf2657bf61cb1d4331ea221fcc0189dc3be954b9535f9f619e65822e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e6a9f7e8cf2657bf61cb1d4331ea221fcc0189dc3be954b9535f9f619e65822e.exe"
  PID: 1836
C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2456
C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x494
  Signature: Suspicious use of AdjustPrivilegeToken
  PID: 2176