Resubmissions

18-06-2024 09:06

240618-k2pt6a1bjq 10

Analysis

  • max time kernel
    72s
  • max time network
    73s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240611-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    18-06-2024 09:06

General

  • Target

    eb82946fa0de261e92f8f60aa878c9fef9ebb34fdababa66995403b110118b12.exe

  • Size

    147KB

  • MD5

    448f1796fe8de02194b21c0715e0a5f6

  • SHA1

    935c0b39837319fda571aa800b67d997b79c3198

  • SHA256

    eb82946fa0de261e92f8f60aa878c9fef9ebb34fdababa66995403b110118b12

  • SHA512

    0b93b2c881b1351ff688089abf12bbfcff279c5d6ca8733d6d821c83148d73c85cfedf5ab5bc02c2145970124b518551db3a9fc701d8084f01009ae20f71a831

  • SSDEEP

    3072:l6glyuxE4GsUPnliByocWep0yjEJ3hDRMK89nB2:l6gDBGpvEByocWeebbMjV4

Malware Config

Extracted

Path

C:\sYMY1N6ah.README.txt

Ransom Note
*** Welcome to Brain Cipher Ransomware! ***
Dear managers! If you're reading this, it means your systems have been hacked and encrypted and your data stolen.
***
The most proper way to safely recover your data is through our support. We can recover your systems within 4-6 hours.
In order for it to be successful, you must follow a few points:
1. Don't go to the police, etc.
2. Do not attempt to recover data on your own.
3. Do not take the help of third-party data recovery companies. In most cases, they are scammers who will pay us a ransom and take a for themselves.
***
If you violate any 1 of these points, we will refuse to cooperate with you!!!
3 steps to data recovery:
1. Download and install Tor Browser (https://www.torproject.org/download/)
2. Go to our support page: http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion
3. Enter your encryption ID: M8AL5cWJEU5CnMMPwCdt4x9NVn0ZY2uNtIgnKwkDJwdPbnanVROYFzGmgUCImexTGDmINYgSZXdlhM7D199lNMb294TGY2
Email to support: [email protected]
URLs

http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion
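The "Extracted" block above is the sandbox pulling operator contact details out of the dropped note. As an added example (not tooling from the sandbox or from this report), the Python below parses that note text into a small config record: it accepts the onion address only if it is a well-formed Tor v3 name (56 base32 characters), captures the encryption ID, and treats the literal `[email protected]` as an address scrubbed by the hosting page's e-mail obfuscation rather than as a real contact. The field names, the regexes and that scrubbing assumption are the example's own.

```python
"""Pull the operator 'config' out of a ransom note like the one extracted above.

Added example, not tooling from the sandbox that produced this report. The
note text is copied from the Malware Config section; field names, regexes,
and treating "[email protected]" as a scrubbed address are assumptions of
this example.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input for this example: the ransom note shown in the report above
SAMPLE_NOTE = """*** Welcome to Brain Cipher Ransomware! ***
Dear managers! If you're reading this, it means your systems have been hacked and encrypted and your data stolen.
***
The most proper way to safely recover your data is through our support. We can recover your systems within 4-6 hours.
In order for it to be successful, you must follow a few points:
1. Don't go to the police, etc.
2. Do not attempt to recover data on your own.
3. Do not take the help of third-party data recovery companies. In most cases, they are scammers who will pay us a ransom and take a for themselves.
***
If you violate any 1 of these points, we will refuse to cooperate with you!!!
3 steps to data recovery:
1. Download and install Tor Browser (https://www.torproject.org/download/)
2. Go to our support page: http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion
3. Enter your encryption ID: M8AL5cWJEU5CnMMPwCdt4x9NVn0ZY2uNtIgnKwkDJwdPbnanVROYFzGmgUCImexTGDmINYgSZXdlhM7D199lNMb294TGY2
Email to support: [email protected]
"""

# Tor v3 onion service: exactly 56 base32 characters (a-z, 2-7) before ".onion";
# v2 (16-character) names have been dead since 2021 and are deliberately not matched.
ONION_RE = re.compile(r"https?://([a-z2-7]{56})\.onion\b", re.IGNORECASE)
# The long alphanumeric token the victim is told to enter on the support portal
ENC_ID_RE = re.compile(r"encryption ID:\s*([A-Za-z0-9]{40,})", re.IGNORECASE)
FAMILY_RE = re.compile(r"Welcome to (.+?) Ransomware", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Literal left behind when the hosting page's e-mail obfuscation replaced the address (assumption)
SCRUBBED_EMAIL = "[email protected]"


@dataclass
class NoteConfig:
    family: Optional[str] = None
    onion_urls: List[str] = field(default_factory=list)
    encryption_id: Optional[str] = None
    support_emails: List[str] = field(default_factory=list)
    email_scrubbed: bool = False


def parse_note(text: str) -> NoteConfig:
    """Extract family name, onion portal(s), victim ID and contact e-mail from note text."""
    cfg = NoteConfig()
    m = FAMILY_RE.search(text)
    if m:
        cfg.family = m.group(1).strip()
    # De-duplicate while keeping order; onion names are case-insensitive, so normalise to lower
    seen = set()
    for host in ONION_RE.findall(text):
        url = f"http://{host.lower()}.onion"
        if url not in seen:
            seen.add(url)
            cfg.onion_urls.append(url)
    m = ENC_ID_RE.search(text)
    if m:
        cfg.encryption_id = m.group(1)
    # A scrubbed address is recorded as missing, not as a bogus "email@protected" indicator
    cfg.email_scrubbed = SCRUBBED_EMAIL in text
    cfg.support_emails = [e for e in EMAIL_RE.findall(text) if e != SCRUBBED_EMAIL]
    return cfg


def ioc_lines(cfg: NoteConfig) -> List[str]:
    """Flat indicator list, one per line, for a blocklist or case notes."""
    lines = [f"url:{u}" for u in cfg.onion_urls]
    lines += [f"email:{e}" for e in cfg.support_emails]
    if cfg.encryption_id:
        lines.append(f"victim_id:{cfg.encryption_id}")
    return lines


if __name__ == "__main__":
    parsed = parse_note(SAMPLE_NOTE)
    print(f"family={parsed.family} email_scrubbed={parsed.email_scrubbed}")
    print("\n".join(ioc_lines(parsed)))
```

The encryption ID is per-victim and belongs in the case file, not in a shared blocklist; the onion URL is the indicator worth sharing, and the length check on it is what keeps a truncated or mangled host from being recorded as a valid portal.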

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb82946fa0de261e92f8f60aa878c9fef9ebb34fdababa66995403b110118b12.exe
    "C:\Users\Admin\AppData\Local\Temp\eb82946fa0de261e92f8f60aa878c9fef9ebb34fdababa66995403b110118b12.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:964
    • C:\ProgramData\5515.tmp
      "C:\ProgramData\5515.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\5515.tmp >> NUL
        3⤵
          PID:5048
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\q0eYagm.sYMY1N6ah
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:4508
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\sYMY1N6ah.README.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:4216
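The chain above is the drop-execute-self-delete pattern: the sample in Temp writes C:\ProgramData\5515.tmp, that file runs (PID 2280) and spawns cmd.exe with `/C DEL /F /Q C:\PROGRA~3\5515.tmp >> NUL`, deleting its own image through the 8.3 short name, so a naive string match on `C:\ProgramData` misses it. cmd.exe resolving to SysWOW64 while the command line names System32 shows the dropped stage is 32-bit (consistent with the `arch:x86` resource tag). As an added example, not part of the sandbox report, the Python below runs over process-creation events constructed from this tree in a Sysmon-like shape, expands 8.3 aliases with an assumed table (on a live host resolve them with GetLongPathNameW instead, since the `~N` suffix depends on creation order), and flags a cmd.exe whose DEL target is its own parent's image. A constructed benign DEL is included to show it is not flagged.

```python
"""Flag the drop-execute-self-delete chain visible in the process tree above.

Added example, not part of the sandbox report. Event records are constructed
from the report's process tree (PIDs, images, command lines; parent PIDs taken
from the nesting) plus one benign control event. The 8.3 alias table is an
assumption about a default en-US install, not data read from the analysed VM.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\eb82946fa0de261e92f8f60aa878c9fef9ebb34fdababa66995403b110118b12.exe"

# Constructed from the process tree in this report
EVENTS: List[ProcEvent] = [
    ProcEvent(964, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2280, 964, r"C:\ProgramData\5515.tmp", r'"C:\ProgramData\5515.tmp"'),
    ProcEvent(5048, 2280, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\5515.tmp >> NUL'),
    ProcEvent(2388, 0, r"C:\Windows\system32\OpenWith.exe", r"C:\Windows\system32\OpenWith.exe -Embedding"),
    # Benign control (constructed, not in the report): a DEL whose target is not the parent's image
    ProcEvent(6000, 2388, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\install.log'),
]

# Assumed 8.3 aliases for a default en-US Windows 10 install. The ~N suffix is assigned in
# directory-creation order, so on a live host resolve with GetLongPathNameW rather than a table.
SHORT_NAMES: Dict[str, str] = {
    "PROGRA~1": "Program Files",
    "PROGRA~2": "Program Files (x86)",
    "PROGRA~3": "ProgramData",
}

# Locations a dropper typically writes a second stage to (the "Executes dropped EXE" signal)
DROP_DIRS = ("\\programdata\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")

# DEL or ERASE, any number of single-letter switches, then the first target path
DEL_RE = re.compile(r'\b(?:DEL|ERASE)\b(?:\s+/[A-Z])*\s+("[^"]+"|\S+)', re.IGNORECASE)


def normalize_path(path: str) -> str:
    """Strip quotes, expand known 8.3 components, lower-case for comparison."""
    parts = path.strip('"').split("\\")
    parts = [SHORT_NAMES.get(p.upper(), p) for p in parts]
    return "\\".join(parts).lower()


def del_targets(cmdline: str) -> List[str]:
    return [normalize_path(m) for m in DEL_RE.findall(cmdline)]


def in_drop_dir(image: str) -> bool:
    low = image.lower()
    return any(d in low for d in DROP_DIRS)


def find_self_deletion(events: List[ProcEvent]) -> List[dict]:
    """Return one alert per cmd.exe whose DEL target equals its parent's image path."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        if parent is None:
            continue
        if normalize_path(parent.image) in del_targets(e.cmdline):
            grand = by_pid.get(parent.ppid)
            hits.append({
                "cmd_pid": e.pid,
                "deleted_image": parent.image,
                "dropper": grand.image if grand else None,
                "parent_in_drop_dir": in_drop_dir(parent.image),
            })
    return hits


if __name__ == "__main__":
    for hit in find_self_deletion(EVENTS):
        print(hit)
```

Matching on the parent's image rather than on the literal `PROGRA~3` string is what makes the rule survive a different alias number or a different drop directory; the `parent_in_drop_dir` flag is the second signal worth raising severity on, because a legitimately installed binary under Program Files deleting itself is rare, while a `.tmp` under ProgramData doing it is the LockBit-style pattern this report shows.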

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\$Recycle.Bin\S-1-5-21-200405930-3877336739-3533750831-1000\AAAAAAAAAAA

      Filesize

      129B

      MD5

      df000c7d5485aeb45bb245232e966447

      SHA1

      56b9a0d6f714c6d2d599303834e0d5748fad440f

      SHA256

      9a81ccf12304a432c6a00ec2204020e37c518325014f975f4c39713454e6a3b0

      SHA512

      286bcd30418172094d3782320947af16e6b007962ce5cf3a89cf797b7f2ae2eea4f251a1ffffb25c66f424274824d512370ed36ed11d1050e42f3e9cfe46e251

    • C:\ProgramData\5515.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE

      Filesize

      147KB

      MD5

      0f15a958c17c859666eae86a1d9acafc

      SHA1

      8c5fcd069916985aa10e1641b14eb2beef2158f7

      SHA256

      62400aacfacb725719171bf3da28f83561a929fc140580a3d719e0bd66c82775

      SHA512

      789bf59019d5fe73376d6c6294951e20482b324497575c823eb03edc781e3680e0e4fe477b82f97a18a8046f9e65f66b8fea342e6b3a905e75f1b21253f63242

    • C:\Users\Admin\Desktop\q0eYagm.sYMY1N6ah

      Filesize

      671KB

      MD5

      3ef0dcf60405dbbc05388cc5b4862518

      SHA1

      7e73bc20b885b822d0dc19c0f8b3d9d87888eb78

      SHA256

      128f12a4596f95f62bc630abe9c6ae73fc283c977695cf529b422824fe18f296

      SHA512

      cc0f5253203c4a6edbe66ad7461f0ae14252391a4ca7f5eaa6bc1b602c28e420e624b537a0e29185259e6a2dd104f7b1dafa8d558d2f6dc160912931cc4d5294

    • C:\sYMY1N6ah.README.txt

      Filesize

      1KB

      MD5

      deb2e0756d331362d57ad9fe408c4ff3

      SHA1

      870865aad7c7cccafbca0c1f50f7eecaedbd4bf1

      SHA256

      1ddacee1d25936970279557169037a335b362f86c3797ded625d68077bd0145c

      SHA512

      e218624d2704517a358df0dfb794116bbeed3ad81daae8c07d5d969e61e7936ed043911008f4816d663de373fd23515219c8038dd22e5838af7df1678a0134a6

    • F:\$RECYCLE.BIN\S-1-5-21-200405930-3877336739-3533750831-1000\EEEEEEEEEEE

      Filesize

      129B

      MD5

      e8caa47cebd0a2bdbac9af1f55504dce

      SHA1

      4a94f2507240e1fc0f055b202babf24418b4d83e

      SHA256

      ab28c21ca4b109e5a2fe3ab6caedf729584a250039a882c03ff9f98da8095c4d

      SHA512

      8a60316748f22ad8b82e17d5dd71627ed009e25dad5440c53b92779b79259646e6a95a1597a4055c47b6d46a0cd08a72f2d0c93dcfe1de05a367b38c8f64f805

    • memory/964-0-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

      Filesize

      64KB

    • memory/964-2-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

      Filesize

      64KB

    • memory/964-1-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

      Filesize

      64KB

    • memory/2280-2724-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

      Filesize

      4KB

    • memory/2280-2723-0x000000007FE20000-0x000000007FE21000-memory.dmp

      Filesize

      4KB

    • memory/2280-2722-0x00000000006A0000-0x00000000006B0000-memory.dmp

      Filesize

      64KB

    • memory/2280-2721-0x00000000006A0000-0x00000000006B0000-memory.dmp

      Filesize

      64KB

    • memory/2280-2720-0x000000007FE40000-0x000000007FE41000-memory.dmp

      Filesize

      4KB

    • memory/2280-2754-0x000000007FE00000-0x000000007FE01000-memory.dmp

      Filesize

      4KB

    • memory/2280-2753-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

      Filesize

      4KB