Analysis
max time kernel: 82s
max time network: 71s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 15-06-2024 11:21
Behavioral task: behavioral1
Sample: 55e070a86b3ef2488d0e58f945f432aca494bfe65c9c4363d739649225efbbd1.exe
Resource: win11-20240611-en
General
Target: 55e070a86b3ef2488d0e58f945f432aca494bfe65c9c4363d739649225efbbd1.exe
Size: 1.6MB
MD5: 334fd98ab462edc1274fecdb89fb0791
SHA1: e3496a341c96d77c0ef9bdeec333dd98e2215527
SHA256: 55e070a86b3ef2488d0e58f945f432aca494bfe65c9c4363d739649225efbbd1
SHA512: 150ff915ace0253dded6ed6ae860bcf2f3a43295cf434ceddf61554597665a159135011694321622d40ca1df3142afb1c6bed8ed61abf244799d820068ae4961
SSDEEP: 24576:pBz37bSK2rgyik2VZGiOYnSadiUm6M551SaJkqFYUe3xHj96khCkyITnoXlIEvXX:px6Rvik2VUKnzhQ4IkWXUy
Malware Config
Extracted: agenda
company_id: gBBQsRxAcQ
note:
-- Qilin
Your network/system was encrypted. Encrypted files have new extension.
-- Compromising and sensitive data
We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreement, your data will be published. Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Financial information including clients data, bills, budgets, annual reports, bank statements.
- Complete datagrams/schemas/drawings for manufacturing in solidworks format
- And more...
-- Warning
1) If you modify files - our decrypt software won't able to recover data
2) If you use third party software - you can damage/modify files (see item 1)
3) You need cipher key / our decrypt software to restore you files.
4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions.
-- Recovery
1) Download tor browser: https://www.torproject.org/download/
2) Go to domain
3) Enter credentials
-- Credentials
Extension: gBBQsRxAcQ
Domain: ru3q4ftbaqmpobhamqlnseorxywhhmqwhzx4pv4sqaacqz4m2ptleiid.onion
login: 2200ffdb-68c4-43ed-83d8-52fe9d4d7a03
password:
Signatures

Agenda Ransomware
A ransomware with multiple variants written in Golang and Rust first seen in August 2022.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | Taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | Taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | Taskmgr.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Taskmgr.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4108 | Taskmgr.exe (64 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
4108 | Taskmgr.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4108 | Taskmgr.exe
Token: SeSystemProfilePrivilege | 4108 | Taskmgr.exe
Token: SeCreateGlobalPrivilege | 4108 | Taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
4108 | Taskmgr.exe (64 occurrences)

Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process
4108 | Taskmgr.exe (64 occurrences)
Processes

C:\Users\Admin\AppData\Local\Temp\55e070a86b3ef2488d0e58f945f432aca494bfe65c9c4363d739649225efbbd1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\55e070a86b3ef2488d0e58f945f432aca494bfe65c9c4363d739649225efbbd1.exe"
  PID: 1428

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1892

C:\Windows\System32\Taskmgr.exe
  Command line: "C:\Windows\System32\Taskmgr.exe"
  PID: 4108
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage