Analysis

  • max time kernel
    128s
  • max time network
    2s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    17-06-2024 06:37

General

  • Target

    e4a319f7afafbbd710ff2dbe8d0883ef332afcb0363efd4e919ed3c3faba0342.exe

  • Size

    7.7MB

  • MD5

    54d801a914165802062aea8e5fdae516

  • SHA1

    5f99214d68883e91f586e85d8db96deda5ca54af

  • SHA256

    e4a319f7afafbbd710ff2dbe8d0883ef332afcb0363efd4e919ed3c3faba0342

  • SHA512

    ce5546e60976db6e0c6736ccd32ac623d564e4b7dff91c86a2ddfae6cc8e86f49e70d67d663da61f077a8d244eedc4d6c19e2f185e945395faf522bbc858d5a9

  • SSDEEP

    98304:9h3Hhpg9fmvPQ6awFDwqNmabuc0aZJPE:/BpyV6/CcukM

Malware Config

Extracted

Path

C:\Users\NBSHhgXuCt-RECOVER-README.txt

Ransom Note

-- Agenda
Your network/system was encrypted.
Encrypted files have new extension.
-- Compromising and sensitive data
We have downloaded compromising and sensitive data from you system/network
If you refuse to communicate with us and we do not come to an agreement, your data will be published.
Data includes:
- Employees personal data, CVs, DL, SSN.
- Complete network map including credentials for local and remote services.
- Financial information including clients data, bills, budgets, annual reports, bank statements.
- Complete datagrams/schemas/drawings for manufacturing in solidworks format
- And more...
-- Warning
1) If you modify files - our decrypt software won't able to recover data
2) If you use third party software - you can damage/modify files (see item 1)
3) You need cipher key / our decrypt software to restore you files.
4) The police or authorities will not be able to help you get the cipher key.
We encourage you to consider your decisions.
-- Recovery
1) Download tor browser: https://www.torproject.org/download/
2) Go to domain
3) Enter credentials
-- Credentials
Extension: NBSHhgXuCt
Domain: 24kckepr3tdbcomkimbov5nqv2alos6vmrmlxdr76lfmkgegukubctyd.onion
login: b6c6347c-39aa-4a5d-a34b-9f73692c3487
password: 3859f83b-e7dc-4fb2-bd6e-70e84ababd72

URLs

http://24kckepr3tdbcomkimbov5nqv2alos6vmrmlxdr76lfmkgegukubctyd.onion

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (165) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4a319f7afafbbd710ff2dbe8d0883ef332afcb0363efd4e919ed3c3faba0342.exe
    "C:\Users\Admin\AppData\Local\Temp\e4a319f7afafbbd710ff2dbe8d0883ef332afcb0363efd4e919ed3c3faba0342.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Modifies WinLogon
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1488
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3560
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "\"{get-service LanmanWorkstation |Restart-Service –Force}\""
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3700
    • C:\Windows\system32\net.exe
      net use
      2⤵
      PID:2808
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1908
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2376
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService -p
    1⤵
    PID:484
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3796
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\NBSHhgXuCt-RECOVER-README.txt
    1⤵
    PID:4560
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3576

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize
    14KB
    MD5
    4228a74e3c04871fe7d294ffaf7ba541
    SHA1
    166aa74376c99ed86ddd27e576098e4c86aacf84
    SHA256
    cc517badf732c6a38c4a33efe6f7e54752695d9dcae1cba2b2dc72581e0301ba
    SHA512
    344e9fb947b59867d930d600c627989180441f381e6e7b7572ba09a9a5501958dc0a79a55299cabe8ec51d7f7025d8198412a427abd5017455a79142e061662c

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kddrppi4.ajf.ps1
    Filesize
    60B
    MD5
    d17fe0a3f47be24a6453e9ef58c94641
    SHA1
    6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256
    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512
    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\NBSHhgXuCt-RECOVER-README.txt
    Filesize
    1KB
    MD5
    dc4896bee712a59e16536179117c4043
    SHA1
    11706d9537c43f6abaa9412907bf7b386d9ab9fb
    SHA256
    08d5ff40c311cae6dd91d359f230cca5036fe4161da6180cac79aec19b6724a2
    SHA512
    c7f89907bec388b3da6feca9e6d51a16c33eeafc20dc9d0c5f6ca7f9b26cf1d4af410ae760efb8d6ee659e925c7990151d984443877d048d2489081226e1a05e

  • memory/484-24-0x000002065F560000-0x000002065F570000-memory.dmp
    Filesize
    64KB

  • memory/484-32-0x000002065FB40000-0x000002065FB50000-memory.dmp
    Filesize
    64KB

  • memory/2376-7-0x0000021791990000-0x0000021791991000-memory.dmp
    Filesize
    4KB

  • memory/2376-11-0x0000021791990000-0x0000021791991000-memory.dmp
    Filesize
    4KB

  • memory/2376-10-0x0000021791990000-0x0000021791991000-memory.dmp
    Filesize
    4KB

  • memory/2376-9-0x0000021791990000-0x0000021791991000-memory.dmp
    Filesize
    4KB

  • memory/2376-8-0x0000021791990000-0x0000021791991000-memory.dmp
    Filesize
    4KB

  • memory/2376-12-0x0000021791990000-0x0000021791991000-memory.dmp
    Filesize
    4KB

  • memory/2376-0-0x0000021791990000-0x0000021791991000-memory.dmp
    Filesize
    4KB

  • memory/2376-6-0x0000021791990000-0x0000021791991000-memory.dmp
    Filesize
    4KB

  • memory/2376-1-0x0000021791990000-0x0000021791991000-memory.dmp
    Filesize
    4KB

  • memory/2376-2-0x0000021791990000-0x0000021791991000-memory.dmp
    Filesize
    4KB

  • memory/3700-15-0x0000025BFD6B0000-0x0000025BFD6D2000-memory.dmp
    Filesize
    136KB