Analysis

  • max time kernel: 121s
  • max time network: 122s
  • platform: windows7_x64
  • resource: win7-20240215-en
  • resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted: 10-06-2024 11:22

General

  • Target: VirusShare_501d52bcc05636268a66a6e9f1c5c4ad.exe
  • Size: 368KB
  • MD5: 501d52bcc05636268a66a6e9f1c5c4ad
  • SHA1: 2199071c4190b6aae6ec7dc65ced83301883d714
  • SHA256: 7659872c938b820b351446509964ed4fcbc405b58e43694722f00bb42b277dd6
  • SHA512: d72db00dad74a6d15d59cd7dbb401f5f86706242b95a6c57dc12c9b33590fefe951b56043eae3f0125bd5240baad46edd919872820e40a8dac5109a3a7e222b8
  • SSDEEP: 6144:GQNUdPR6oncUtPLJoJi8ju8FQNXsyR36GeHba2grj9F4SENppTUHtnvR3aF3J9PQ:jNUdc6wA8P2cyF6T7a2gH9F4dzhUl6rP

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ygepc.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!

NOT YOUR LANGUAGE? USE https://translate.google.com

What happened to your files ?
All of your files were protected by a strong encryption with RSA-4096.
More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

How did this happen ?
!!! Specially for your PC was generated personal RSA-4096 KEY, both public and private.
!!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet.
!!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server

What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/140D20891A1181
2. http://b4youfred5485jgsa3453f.italazudda.com/140D20891A1181
3. http://5rport45vcdef345adfkksawe.bematvocal.at/140D20891A1181

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization
3. Type in the address bar: fwgrhsao3aoml7ej.onion/140D20891A1181
4. Follow the instructions on the site.

---------------- IMPORTANT INFORMATION------------------------
*-*-* Your personal pages:
http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/140D20891A1181
http://b4youfred5485jgsa3453f.italazudda.com/140D20891A1181
http://5rport45vcdef345adfkksawe.bematvocal.at/140D20891A1181
*-*-* Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/140D20891A1181
*-*-* Your personal identification ID: 140D20891A1181
URLs

http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/140D20891A1181

http://b4youfred5485jgsa3453f.italazudda.com/140D20891A1181

http://5rport45vcdef345adfkksawe.bematvocal.at/140D20891A1181

http://fwgrhsao3aoml7ej.onion/140D20891A1181

http://fwgrhsao3aoml7ej.ONION/140D20891A1181

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (420) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_501d52bcc05636268a66a6e9f1c5c4ad.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_501d52bcc05636268a66a6e9f1c5c4ad.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Users\Admin\AppData\Local\Temp\VirusShare_501d52bcc05636268a66a6e9f1c5c4ad.exe
      "C:\Users\Admin\AppData\Local\Temp\VirusShare_501d52bcc05636268a66a6e9f1c5c4ad.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\tvvwpnxiwcsk.exe
        C:\Windows\tvvwpnxiwcsk.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1164
        • C:\Windows\tvvwpnxiwcsk.exe
          C:\Windows\tvvwpnxiwcsk.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2792
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1892
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:2304
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            PID:2052
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2052 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2132
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\TVVWPN~1.EXE
            5⤵
            PID:2364
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
          3⤵
          • Deletes itself
          PID:2468
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1532
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:1308

    Downloads

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ygepc.html
      Filesize: 8KB
      MD5: d7a7f524ff357bf2c7aee0faeada2f12
      SHA1: 23a81425d8958451ba8219d27f8f155cd8aef044
      SHA256: af1ab3cca34ca879202026121759e9d07a938d8050acdc0f331d2ce4266344ec
      SHA512: 65e4226c01a032f95154f4b1e7d41897516547ffb4cec1c7c82f2147d1c6ed114c33b291a900fc337921c6bd17bc7d8bc99a95dfd4a47d27603b006e5fb50f09

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ygepc.png
      Filesize: 67KB
      MD5: 61abe745fd19ac044bfee41daa6793db
      SHA1: b88500fc2ca15ee9e4306df8bf0d3863b48b8d9e
      SHA256: 253c27f37118a4eb50f8e3a7a040dee61cd7fadbc6db5027398959003fea6a26
      SHA512: 49216788b68bcf7a50a8677329793eeb921ce1d5c8e136d6454e375897739e4c56826ab770ef28b07c34ddd067799c32f91627afc712136cfe5437d87271ea95

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+ygepc.txt
      Filesize: 2KB
      MD5: f838012038ddc0b4e102017f536982f7
      SHA1: 8f39d36c29065a3c225b02bc2526fbb43c2aa301
      SHA256: fa4ecbc8222f9cabcbe6d86a983eb7e9fc263c9ee07d459fbfbf22f0f53f3ffa
      SHA512: 879dd5ffee0eb1bd5d707db695316bc610c55f3520898b83a8452815aa1a316c8617ebd3332ac1118ab3bcb50f78204a966c740917d792aa4756c3d09697c863

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
      Filesize: 11KB
      MD5: 8a16e2cb3a9d1eb6d4314f1269b8df6a
      SHA1: fb40c0c73a57cf8b0775622a22c354a03bb9b9bc
      SHA256: 80b96504b6f7444f954222095de028224106d48c3fe760a96de4eac43f462af9
      SHA512: 6abcf7d7910f32fd1e5900767be930058e963299ad84a44192928a1cb4353a535bc84553019153084e48cde16bb1349a1cec8874a65ac4d1357f9e2d594979c3

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt
      Filesize: 109KB
      MD5: 56c419502487fdf029a9b8b13e5d4867
      SHA1: 8442ca1d0969d1b82e29a4049349ce2a6e1fe87d
      SHA256: 9d1156683ca5f6355c1c3a51640d0edcdf97f9d71466a8c3bc18c558096a16ff
      SHA512: 8c05dabb970148f8efbe633b5e5900123eb86b87ee2f390e252e32578ddcadf955f1418e49c67fe6a6877ea2d73ef91b0f7839912f284fd7debb5bcd3fdc69af

    • C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt
      Filesize: 173KB
      MD5: 195a065a0e8a23ee7839d15d1d45ac61
      SHA1: b4113c3d179e2ae501adfdef7fc479b84b0475cb
      SHA256: 20a0b7c1291ce3378c4b29be53db7fd895177d77af8b0d759c9455d6747c4dae
      SHA512: 1f289e536ca6c5c265b03d6501e1768aa603ab52f4755083c4a83fabfd4e072e58353610cb1960856dae6796e9c49deda79440520fb97f91f08e0e005753402e

    • C:\Windows\tvvwpnxiwcsk.exe
      Filesize: 368KB
      MD5: 501d52bcc05636268a66a6e9f1c5c4ad
      SHA1: 2199071c4190b6aae6ec7dc65ced83301883d714
      SHA256: 7659872c938b820b351446509964ed4fcbc405b58e43694722f00bb42b277dd6
      SHA512: d72db00dad74a6d15d59cd7dbb401f5f86706242b95a6c57dc12c9b33590fefe951b56043eae3f0125bd5240baad46edd919872820e40a8dac5109a3a7e222b8

    • memory/1164-31-0x0000000000400000-0x00000000005AF000-memory.dmp (Filesize: 1.7MB)
    • memory/1164-51-0x0000000000400000-0x00000000005AF000-memory.dmp (Filesize: 1.7MB)
    • memory/1288-18-0x0000000000360000-0x0000000000363000-memory.dmp (Filesize: 12KB)
    • memory/1288-0-0x0000000000360000-0x0000000000363000-memory.dmp (Filesize: 12KB)
    • memory/1288-1-0x0000000000360000-0x0000000000363000-memory.dmp (Filesize: 12KB)
    • memory/1308-6023-0x0000000000160000-0x0000000000162000-memory.dmp (Filesize: 8KB)
    • memory/2660-10-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
    • memory/2660-19-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
    • memory/2660-2-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
    • memory/2660-6-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
    • memory/2660-4-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
    • memory/2660-16-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
    • memory/2660-30-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
    • memory/2660-8-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
    • memory/2660-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
    • memory/2660-20-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
    • memory/2792-57-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
    • memory/2792-55-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
    • memory/2792-1321-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
    • memory/2792-53-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
    • memory/2792-50-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
    • memory/2792-2405-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
    • memory/2792-5055-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
    • memory/2792-6016-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
    • memory/2792-6022-0x0000000002D00000-0x0000000002D02000-memory.dmp (Filesize: 8KB)
    • memory/2792-52-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
    • memory/2792-6024-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
    • memory/2792-6027-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
    • memory/2792-6029-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)