Resubmissions

20-06-2024 09:01

240620-ky7wkayglc 10

20-06-2024 08:49

240620-kq693aydpc 10

Analysis

  • max time kernel
    137s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 09:01

General

  • Target

    dora.exe

  • Size

    49KB

  • MD5

    17356ef8f161730156c221300ea3cf5b

  • SHA1

    25a05bd0a9a4167b7fd08feb44de269910701c82

  • SHA256

    18ba97ec9c00b85d27d9d20c62ef7bd9484ad68a33e2a2121a1bcbed19f2eacd

  • SHA512

    df964b7aac2dbbaf7a04e935dbb566e1207b0d11971f28bba9c0c136adeff475bec31c92e54be7d4da786f70d9cb339ff37e6a8f9196ceb16ab185cc956912cf

  • SSDEEP

    768:daQRff0B31aCytHLykiKPT3JATD2qBwV2ckjbnsb0Ah99De0YADQT4J74:daD318HxZATvnsblYOJ

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt

Ransom Note
!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i! Your files are encrypted and an important part of your data is stolen!!! If you try to decrypt the files yourself, they may be corrupted and this may lead to the loss of your files! !i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i! You need to contact us at this email address: [email protected] If we do not receive a response from you, your data will end up on the Internet. !i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i! Send me ID, which is indicated in the name of your files, and you will receive instructions on how to decrypt all files. Do not ignore this message, contact us as soon as possible to quickly get your files back. !i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!i!i!i!i!i!i!i!i!i!i!i!i!i!!i!i!

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (8278) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Blocklisted process makes network request 4 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\dora.exe
    "C:\Users\Admin\AppData\Local\Temp\dora.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {0f4e74a9-a0ef-4d45-a648-227991eae33d};C:\Users\Admin\AppData\Local\Temp\dora.exe;2796
      2⤵
      • Blocklisted process makes network request
      • Modifies registry class
      PID:2188
    • C:\Users\Admin\AppData\Local\Temp\dora.exe
      "C:\Users\Admin\AppData\Local\Temp\dora.exe" n2796
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {0f4e74a9-a0ef-4d45-a648-227991eae33d};C:\Users\Admin\AppData\Local\Temp\dora.exe;2956
        3⤵
        • Blocklisted process makes network request
        • Modifies registry class
        PID:2636
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2676
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:2512
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2352
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt
      2⤵
      PID:5356
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2604
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2968
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:2124
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:2768
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    PID:316

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\{3146AA60-6BF6-4755-8526-1AA38554A1D0}\PlayTasks\0\Play.lnk

    Filesize

    1KB

    MD5

    0958b267664a4439bcf8812ca9c1b464

    SHA1

    08ee674251155c45059dd615ab7c31cce360911d

    SHA256

    822a98c905447c08728ffba1e1c71086029d8857897e9a74a4b69b89031e7f5c

    SHA512

    87f6dbc8bd3cb0f731663449c18c6fd02bfc3e74eb26b8fd82c7a6810703be906462f035e24393a3da2d595aff1af738d8440191229685f58032302fe21216c6

  • C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt

    Filesize

    1KB

    MD5

    7e1d4905ff11f9dc3df19f14836427c9

    SHA1

    d361d63cf04c03aae86a9f83fe80d2e0400870a8

    SHA256

    046d2b796dacb9452b2a25aa12eefb31e79e8776c313e979b9b06d72b33b7278

    SHA512

    efcf9392e4213afe2804f2738a5a1067575d394163265987700ca6c981d59492b6dc7fb78ea0860514adb8f0cbf9428b3c0c1da6d4d82893873d6fea5463a3d0

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games\Dora the Explorer Fairytale Adventure™.lnk

    Filesize

    548B

    MD5

    46d3890e9a2495c7bb9c7fbfe678e5a2

    SHA1

    85124af16ac564ef73c06a5a7d864eb2a616b6e8

    SHA256

    099c21a1581d9485facc73a1db977827b21a033630075bc1d5be2a93bbd74b02

    SHA512

    6d9822ed7346985f84c1f5e781c9f8522d517297e3a67d8a5ff338e65ec47307bb8ff9cacfb69ae4fd4c2985f00f478521666c9c86a7138c4f389cd78d92b6dc