Overview

overview

10

Static

static

3

VirusShare...70.exe

windows7-x64

10

VirusShare...70.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-06-2024 11:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VirusShare_4affa384ff6ab351df42fc3a02716670.exe

  • Size

    364KB

  • MD5

    4affa384ff6ab351df42fc3a02716670

  • SHA1

    7bebae1ad50fd27c3df625dc3995256f7d8bb8c2

  • SHA256

    4f1e783f68071d95e0b07e1f8b80ed49d0d94a089ae96016b197f846350cfe66

  • SHA512

    802616cac860ed2facd74387475e45ecd5a9e00fb106db801cd0168659fcecb9bb0ca6afb4cfeeca592d24d20c07add685e9a65c3178c839d37850a324906070

  • SSDEEP

    6144:rHDYm7R++Qhm/FxsB+lIB+0ODLawCi308Ki7B4iTK24D1sr:rHr2mwB+g03S5idVK24Zsr

Score
10/10
defense_evasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\+REcovER+iivys+.txt

Ransom Note
{}_~_~+ -$.-_+$|~~_|| =|_$.**+-~| $+|=*.-=| !!! IMPORTANT INFORMATION !!!! All of your files are encrypted with RSA-4096. More information about the RSA algorythm can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server. To receive your private key follow one of the links: 1. http://88fga.ketteaero.com/F126583B6F187C94 2. http://2bdfb.spinakrosa.at/F126583B6F187C94 3. http://uj5nj.onanwhit.com/F126583B6F187C94 If all of the addresses are not available, follow these steps: 1. Download and install Tor Browser: https://www.torproject.org/download/download-easy.html 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: k7tlx3ghr3m4n2tu.onion/F126583B6F187C94 4. Follow the instructions on the site. !!! Your personal identification ID: F126583B6F187C94 !!! )(*=~_$~+$==-$*~=$$ __$-=-+*
URLs

http://88fga.ketteaero.com/F126583B6F187C94

http://2bdfb.spinakrosa.at/F126583B6F187C94

http://uj5nj.onanwhit.com/F126583B6F187C94

http://k7tlx3ghr3m4n2tu.onion/F126583B6F187C94

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_4affa384ff6ab351df42fc3a02716670.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_4affa384ff6ab351df42fc3a02716670.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3772
    • C:\Users\Admin\AppData\Local\Temp\VirusShare_4affa384ff6ab351df42fc3a02716670.exe
      "C:\Users\Admin\AppData\Local\Temp\VirusShare_4affa384ff6ab351df42fc3a02716670.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Users\Admin\Documents\usqurq.exe
        C:\Users\Admin\Documents\usqurq.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:440
        • C:\Users\Admin\Documents\usqurq.exe
          C:\Users\Admin\Documents\usqurq.exe
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies data under HKEY_USERS
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2492
          • C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
            5⤵
            • Interacts with shadow copies
            PID:3608
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+REcovER+iivys+.txt
            5⤵
              PID:4116
            • C:\Windows\System32\vssadmin.exe
              "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet
              5⤵
              • Interacts with shadow copies
              PID:3164
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\DOCUME~1\usqurq.exe >> NUL
              5⤵
                PID:1508
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE >> NUL
            3⤵
              PID:456
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4728

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\7-Zip\Lang\+REcovER+iivys+.png
          Filesize

          37KB

          MD5

          9857d0da203e4efc59c5882ac243a6be

          SHA1

          174445b060b1f2118c0394f039d6e755235397a9

          SHA256

          07d13c68a619ac70ff416ea532bbadcf50a92ed5df465c9d79566bbb370922ea

          SHA512

          36fa87e49c3be02c563a4a39179bffccc395de1e75d29797e4d8374abd4d712c7637172dfab1c5b2bec365cde901112deaa9613eb9513ad23eca5430e3a15ef2

          Download Submit

        • C:\Program Files\7-Zip\Lang\+REcovER+iivys+.txt
          Filesize

          1KB

          MD5

          2e4535e7708073e4552658dd8aac9e14

          SHA1

          ac1d45963a83d7d510e37b08032b9c189cab2ebd

          SHA256

          3cc6bf2c49873dec140bfb241749d3ab9b9f2c9968279b6119a2489cdfbb2931

          SHA512

          5e10a512d6bfbf2bb6c4bf3512992c70d32f2ef065a939767d8afa58ec7d5a94824b79824662604b1ca5545f072e8c38bf9f092b6ffad80fc844867d731f7cda

          Download Submit

        • C:\Users\Admin\Documents\usqurq.exe
          Filesize

          364KB

          MD5

          4affa384ff6ab351df42fc3a02716670

          SHA1

          7bebae1ad50fd27c3df625dc3995256f7d8bb8c2

          SHA256

          4f1e783f68071d95e0b07e1f8b80ed49d0d94a089ae96016b197f846350cfe66

          SHA512

          802616cac860ed2facd74387475e45ecd5a9e00fb106db801cd0168659fcecb9bb0ca6afb4cfeeca592d24d20c07add685e9a65c3178c839d37850a324906070

          Download Submit

        • memory/440-13-0x0000000000400000-0x00000000004CB000-memory.dmp

          Filesize

          812KB

          Download

        • memory/2492-24-0x0000000000400000-0x0000000000475000-memory.dmp

          Filesize

          468KB

          Download

        • memory/2492-3376-0x0000000000400000-0x0000000000475000-memory.dmp

          Filesize

          468KB

          Download

        • memory/2492-6662-0x0000000000400000-0x0000000000475000-memory.dmp

          Filesize

          468KB

          Download

        • memory/2492-6665-0x0000000073F20000-0x0000000073F59000-memory.dmp

          Filesize

          228KB

          Download

        • memory/2492-6658-0x0000000000400000-0x0000000000475000-memory.dmp

          Filesize

          468KB

          Download

        • memory/2492-6659-0x0000000000400000-0x0000000000475000-memory.dmp

          Filesize

          468KB

          Download

        • memory/2492-6653-0x0000000000400000-0x0000000000475000-memory.dmp

          Filesize

          468KB

          Download

        • memory/2492-6652-0x0000000000400000-0x0000000000475000-memory.dmp

          Filesize

          468KB

          Download

        • memory/2492-20-0x0000000000400000-0x0000000000475000-memory.dmp

          Filesize

          468KB

          Download

        • memory/2492-22-0x0000000000400000-0x0000000000475000-memory.dmp

          Filesize

          468KB

          Download

        • memory/2492-21-0x0000000000400000-0x0000000000475000-memory.dmp

          Filesize

          468KB

          Download

        • memory/2492-23-0x0000000073F20000-0x0000000073F59000-memory.dmp

          Filesize

          228KB

          Download

        • memory/2492-5654-0x0000000000400000-0x0000000000475000-memory.dmp

          Filesize

          468KB

          Download

        • memory/2492-26-0x0000000000400000-0x0000000000475000-memory.dmp

          Filesize

          468KB

          Download

        • memory/2492-29-0x0000000000400000-0x0000000000475000-memory.dmp

          Filesize

          468KB

          Download

        • memory/2492-3385-0x0000000000400000-0x0000000000475000-memory.dmp

          Filesize

          468KB

          Download

        • memory/2492-1478-0x0000000000400000-0x0000000000475000-memory.dmp

          Filesize

          468KB

          Download

        • memory/2492-158-0x0000000000400000-0x0000000000475000-memory.dmp

          Filesize

          468KB

          Download

        • memory/3772-1-0x0000000000730000-0x0000000000736000-memory.dmp

          Filesize

          24KB

          Download

        • memory/3772-0-0x0000000000730000-0x0000000000736000-memory.dmp

          Filesize

          24KB

          Download

        • memory/3772-4-0x0000000000730000-0x0000000000736000-memory.dmp

          Filesize

          24KB

          Download

        • memory/3956-6-0x0000000000400000-0x0000000000475000-memory.dmp

          Filesize

          468KB

          Download

        • memory/3956-2-0x0000000000400000-0x0000000000475000-memory.dmp

          Filesize

          468KB

          Download

        • memory/3956-16-0x0000000000400000-0x0000000000475000-memory.dmp

          Filesize

          468KB

          Download

        • memory/3956-17-0x0000000074D40000-0x0000000074D79000-memory.dmp

          Filesize

          228KB

          Download

        • memory/3956-3-0x0000000000400000-0x0000000000475000-memory.dmp

          Filesize

          468KB

          Download

        • memory/3956-7-0x0000000074D40000-0x0000000074D79000-memory.dmp

          Filesize

          228KB

          Download

        • memory/3956-5-0x0000000000400000-0x0000000000475000-memory.dmp

          Filesize

          468KB

          Download