Analysis

  • max time kernel
    147s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-06-2024 11:51

General

  • Target

    8ea416fd97ba762b5fa6519906c56f6c98f078f398ff75be7ed43fa1cc5313a9.exe

  • Size

    147KB

  • MD5

    56331e7b131dec58aba05405aa1242f5

  • SHA1

    f2f3a1cf7786abacb972cf31378d056de564b7c6

  • SHA256

    8ea416fd97ba762b5fa6519906c56f6c98f078f398ff75be7ed43fa1cc5313a9

  • SHA512

    4412ff6e3d4b3f916f28ddd342e72b19a8249428249fbb20b5408e093564f3fa9044947e1e3ff7177d49f62d98a9210338a25dbc236338136e6bcf6328d170ba

  • SSDEEP

    3072:P6glyuxE4GsUPnliByocWepDnc6TQHR/BLv/p:P6gDBGpvEByocWeUHjv/

Malware Config

Extracted

Path

C:\523XaDi1i.README.txt

Ransom Note

Dear managment!
---Welcome! Your are locked by SenSayQ!---
If you are reading this message, means that:
* Your network infrastructures have been compromized!
* Critical data has leaked!
* Files are encrypted!
-----------------------------------------------------------------------
The best and only thing you can do is to contact us to settle the matter before any losses occurs.
-----------------------------------------------------------------------
1. If you modify files - our decrypt software won't able to recover data.
2. If you use third party software - you can damage/modify files (see item 1).
3. You need cipher key / our decrypt software to restore you files.
4. The police or authorities will not be able to help you get the cipher key.
We encourage you to consider your decisions.
Contacting us will be the fastest and safest solution to the problem.
-----------------------------------------------------------------------
Attention! If you do not contact us within 72 hours, we will be forced to publish the stolen data on our website.
To contact us:
1. Download and install Tor Browser - torproject.org/download
2. Follow the link: ppzmaodrgtg7r6zcputdlaqfliubmmjpo4u56l3ayckut3nyvw6dyayd.onion
3. Enter your ID: TFfgc8xENZ62nkC0Yt7oNeR3Uqg07IcLs1eEiuDcOAzAJl1GhJbs3QzbxidYAtsddy4JfaZE3wubaPiNbHhWaThiTHJI
E-mail support: [email protected]
URLs

http://ppzmaodrgtg7r6zcputdlaqfliubmmjpo4u56l3ayckut3nyvw6dyayd.onion

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ea416fd97ba762b5fa6519906c56f6c98f078f398ff75be7ed43fa1cc5313a9.exe
    "C:\Users\Admin\AppData\Local\Temp\8ea416fd97ba762b5fa6519906c56f6c98f078f398ff75be7ed43fa1cc5313a9.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:320
    • C:\ProgramData\7520.tmp
      "C:\ProgramData\7520.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7520.tmp >> NUL
        3⤵
        PID:548

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\$Recycle.Bin\S-1-5-21-4124900551-4068476067-3491212533-1000\desktop.ini

      Filesize

      129B

      MD5

      cdc176251f1133442a4e24801bfe5825

      SHA1

      8c9672fe23bd8fb6bb530877e99754f339c880ec

      SHA256

      059f40f74700ba58f1f3207213cf1ea69bd7a9fce30eb84aa5e061823fe82eb8

      SHA512

      340deac355c714ac6f1818b03ca0aae98b91890e4608f831b40c96bab48e16505324ea7081906346ff50b75bb6b9eb00a1e2058950e2b08657db792c4d76d694

    • C:\523XaDi1i.README.txt

      Filesize

      1KB

      MD5

      eeff0df021548b44338487d14288c5a8

      SHA1

      a8488008932b49dc1b8de6113b71462d8a329dce

      SHA256

      373c7f87fda765fd8ff40f77a06d1b969ba9766370a10e1ecf52465e49771052

      SHA512

      6dfc2fbe8a3d31e806f357016b0af93024aeabf40fcb1d4dc4c917227306f779c3c4a9019d18e46a17c7ade6769312dcee705e27362d226bc25b67c5e9bc77dc

    • C:\ProgramData\7520.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      147KB

      MD5

      9704583065c92eb2694b719fbdf083df

      SHA1

      decbc8c29b2acf37dbf2d19051f83ad06e160bc6

      SHA256

      fa7d185ae4b5e1b1c58892b45ca0222031258d276665c08ffd5e4aadc44b241b

      SHA512

      2f02935cac0600486388856b280b4cfcd9d989797b4d323f62885c806d366931d47f676ab12ef36ccff151ec42057cd6717a8a5515b2da60ede60f899267bbba

    • F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      41e69d6f322ce06cf67e906662bd4d5a

      SHA1

      6a7e823776c0a26cd0668ee389a531afa0c0e890

      SHA256

      91ce9d96350b888c90e5ff6f2d380d90534cfc9597abd467dfe15a13b1610afb

      SHA512

      7089cf2f6984678dc32aaf83b12a6eca8407ae765f0c1b14baf80f2ec0f4dce64f3cb9fe031fdf878af435c75f1e37fe891489efff339e45adb5adb02e467f68

    • memory/320-2-0x0000000003110000-0x0000000003120000-memory.dmp

      Filesize

      64KB

    • memory/320-0-0x0000000003110000-0x0000000003120000-memory.dmp

      Filesize

      64KB

    • memory/320-1-0x0000000003110000-0x0000000003120000-memory.dmp

      Filesize

      64KB

    • memory/2936-2756-0x000000007FE00000-0x000000007FE01000-memory.dmp

      Filesize

      4KB

    • memory/2936-2755-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

      Filesize

      4KB

    • memory/2936-2754-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

      Filesize

      4KB

    • memory/2936-2753-0x000000007FE20000-0x000000007FE21000-memory.dmp

      Filesize

      4KB

    • memory/2936-2752-0x00000000025F0000-0x0000000002600000-memory.dmp

      Filesize

      64KB

    • memory/2936-2749-0x00000000025F0000-0x0000000002600000-memory.dmp

      Filesize

      64KB

    • memory/2936-2736-0x000000007FE40000-0x000000007FE41000-memory.dmp

      Filesize

      4KB