Resubmissions

20-06-2024 09:01

240620-ky7wkayglc 10

20-06-2024 08:49

240620-kq693aydpc 10

Analysis

  • max time kernel
    143s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-06-2024 08:49

General

  • Target

    dora.exe

  • Size

    49KB

  • MD5

    17356ef8f161730156c221300ea3cf5b

  • SHA1

    25a05bd0a9a4167b7fd08feb44de269910701c82

  • SHA256

    18ba97ec9c00b85d27d9d20c62ef7bd9484ad68a33e2a2121a1bcbed19f2eacd

  • SHA512

    df964b7aac2dbbaf7a04e935dbb566e1207b0d11971f28bba9c0c136adeff475bec31c92e54be7d4da786f70d9cb339ff37e6a8f9196ceb16ab185cc956912cf

  • SSDEEP

    768:daQRff0B31aCytHLykiKPT3JATD2qBwV2ckjbnsb0Ah99De0YADQT4J74:daD318HxZATvnsblYOJ

Malware Config

Extracted

Path

C:\Program Files\Common Files\microsoft shared\ClickToRun\+README-WARNING+.txt

Ransom Note
!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!
Your files are encrypted and an important part of your data is stolen!!! If you try to decrypt the files yourself, they may be corrupted and this may lead to the loss of your files!
!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!
You need to contact us at this email address: [email protected] If we do not receive a response from you, your data will end up on the Internet.
!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!
Send me ID, which is indicated in the name of your files, and you will receive instructions on how to decrypt all files. Do not ignore this message, contact us as soon as possible to quickly get your files back.
!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (3371) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 6 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\dora.exe
    "C:\Users\Admin\AppData\Local\Temp\dora.exe"
    1⤵
    • Checks computer location settings
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3252
    • C:\Users\Admin\AppData\Local\Temp\dora.exe
      "C:\Users\Admin\AppData\Local\Temp\dora.exe" n3252
      2⤵
      PID:4180
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3976
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1456
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:1660
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3496
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt
      2⤵
      PID:2940
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1836
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1504
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:3152
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:5064
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4588

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\+README-WARNING+.txt

    Filesize

    1KB

    MD5

    7e1d4905ff11f9dc3df19f14836427c9

    SHA1

    d361d63cf04c03aae86a9f83fe80d2e0400870a8

    SHA256

    046d2b796dacb9452b2a25aa12eefb31e79e8776c313e979b9b06d72b33b7278

    SHA512

    efcf9392e4213afe2804f2738a5a1067575d394163265987700ca6c981d59492b6dc7fb78ea0860514adb8f0cbf9428b3c0c1da6d4d82893873d6fea5463a3d0