Overview

overview

10

Static

static

10

e351d4a21e...4b.exe

windows7-x64

10

e351d4a21e...4b.exe

windows10-2004-x64

10

Resubmissions

25-06-2024 12:19

240625-phcgyayhqe 10

28-11-2021 04:49

211128-ff255sfhgj 10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    25-06-2024 12:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe

  • Size

    128KB

  • MD5

    99e949ddd57dbc19457eba5f235516f3

  • SHA1

    99f9270e85ec53b8dada459279d30e8b169462c1

  • SHA256

    e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b

  • SHA512

    4b4746c6d23be8d445876e5e6931d48ebbac8eca6c4ad545b6dc94c400f768df87ad03984c1c83a7e7d0225fd8cdd6305e4f7ef4d580378b42424288def7fa41

  • SSDEEP

    3072:pfco6OkRGbNsjjZviLhrafY1Cv95dzo5:pf6OwGBs3Z6LhrqYGNzo

Score
10/10
targetcompanydefense_evasionevasionexecutionimpactransomware

Malware Config

Extracted

Path

C:\Program Files\DVD Maker\How to decrypt files.txt

Family

targetcompany

Ransom Note
Your personal identifier: BRD454A21JS All files on BRG Precision Products network have been encrypted due to insufficient security. The only way to quickly and reliably regain access to your files is to contact us. The price depends on how fast you write to us. In other cases, you risk losing your time and access to data. Usually time is much more valuable than money. In addition, we downloaded about 100 gb of data from your network. We will publish the data if you do not negotiate with us. FAQ Q: How to contact us A: * Download Tor Browser - https://www.torproject.org/ * Open link in Tor Browser http://eghv5cpdsmuj5e6tpyjk5icgq642hqubildf6yrfnqlq3rmsqk2zanid.onion/contact * Follow the instructions on the website. Q: What guarantees? A: Before paying, we can decrypt several of your test files. Files should not contain valuable information. Q: Can I decrypt my data for free or through intermediaries? A: Use third party programs and intermediaries at your own risk. Third party software may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam. �
URLs

http://eghv5cpdsmuj5e6tpyjk5icgq642hqubildf6yrfnqlq3rmsqk2zanid.onion/contact

Signatures

  • TargetCompany,Mallox

    TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.

    ransomwaretargetcompany
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (6841) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe
    "C:\Users\Admin\AppData\Local\Temp\e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\system32\vssadmin.exe
      "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:2776
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2568
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c bcdedit /set {current} recoveryenabled no
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Windows\system32\bcdedit.exe
        bcdedit /set {current} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2640
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\e351d4a21e6f455c6fca41ed4c410c045b136fa47d40d4f2669416ee2574124b.exe" >> NUL
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1844
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2916

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\DVD Maker\How to decrypt files.txt
    Filesize

    1KB

    MD5

    ef0b6f818162e1cb90f601e0d1fbcecf

    SHA1

    33fab6593738af52393884c589fb40417d9292aa

    SHA256

    0b2fd826cd23e013dba97e5e398af8992b9b48d69a0bbb6cffa1ea5fa896b4fe

    SHA512

    89c141064843766fbd10fc64e0be403cd40e79788ced2934a99d435ae0643290f6f697ae7214c0f0fb23c62b37d8074ee2bd7881005541e272231dca62849502

    Download Submit