Overview

overview

10

Static

static

10

6e07da2360...17.exe

windows7-x64

10

6e07da2360...17.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-06-2024 08:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe

  • Size

    147KB

  • MD5

    9c5698924d4d1881efaf88651a304cb3

  • SHA1

    c60a0b99729eb6d95c2d9f8b76b9714411a3a751

  • SHA256

    6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417

  • SHA512

    1e9cc0d7c831a496e3dbcc56f2d5d477e7a7546c2f223b0278fedfa10fc1bebb0412fd5d81ac02a77aa503ddc99dea1d59d9120d076ae7a0f5137c9260a64eea

  • SSDEEP

    3072:+6glyuxE4GsUPnliByocWepMT0CY2gbP39m3Lpdp:+6gDBGpvEByocWeAYTbPN8p

Score
10/10
ransomwarespywarestealer

Malware Config

Extracted

Path

C:\flzQgniJJ.README.txt

Ransom Note
*** Welcome to Brain Cipher Ransomware! *** Dear managers! If you're reading this, it means your systems have been hacked and encrypted and your data stolen. *** The most proper way to safely recover your data is through our support. We can recover your systems within 4-6 hours. In order for it to be successful, you must follow a few points: 1.Don't go to the police, etc. 2.Do not attempt to recover data on your own. 3.Do not take the help of third-party data recovery companies. In most cases, they are scammers who will pay us a ransom and take a for themselves. *** If you violate any 1 of these points, we will refuse to cooperate with you!!! 3 steps to data recovery: 1. Download and install Tor Browser (https://www.torproject.org/download/) 2. Go to our support page: http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion 3. Enter your encryption ID: uYrTA6hpRFsWQR0nqlFk5WK8S+zUIHNd9T3L6aykdR27ztPJwC3xHOsdSBkZhmr+yKcnVLCct0ffjVRy5yvFQydzhzQWJR Email to support: [email protected]
URLs

http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
    "C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4744
    • C:\ProgramData\685F.tmp
      "C:\ProgramData\685F.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\685F.tmp >> NUL
        3⤵
          PID:4204

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      2f28b8616a4c438d508c4f7f7bddf3a3

      SHA1

      dc7eea5646841bee7df758bbac39293773585ac9

      SHA256

      fef5b3d1e2869fa6944f2435892338a01c7b462a8a6e65c62954f5ff04844cb6

      SHA512

      4518696f3b95a5ab6819e5d197ca7053cd331909e4cef10573c9071f45cecdbdd1314e5e85a288200792b701bd98403c15484d25341d23bc9dfe8376036a0911

      Download Submit

    • C:\ProgramData\685F.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
      Filesize

      147KB

      MD5

      8e77cbc488b929ab2416f8fd94c3f628

      SHA1

      0fbac12caef05f4cd87711a26c1dfef680361197

      SHA256

      f777835f05b42968c4e8a35a0d36fc680e2e01f6f14bc672936b7a0e1bd74f05

      SHA512

      64aa2cd4141fa0226137a8fcb735074de82d294d2d948f13ea440e0d3f108d80b5cb16a8d41db25f76e1e1c0c45d2f873ae8cfc4f04d550dd6bc285709f375e3

      Download Submit

    • C:\flzQgniJJ.README.txt
      Filesize

      1KB

      MD5

      3bebb5494e1c3d4753ce92a479e7eda5

      SHA1

      243685d0515d19210e4e2f354d367be6212e98ff

      SHA256

      13d69c85aeb5beab58caefaa2cdc257d668f568103a5cebbd98038b3b66b66bd

      SHA512

      0e31e7bf96fbd6bb91fbe96e59acf96dd0fef5e9db9e93e924afd17fe1066c04b0d9bf9e2d60c335db4f0347107a63d92dfc9ba9b166d2e3151e5440232f63da

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      2aba11a756d0a3172450acbee69c65b9

      SHA1

      5098c81b763ab3b6cd9b514a58c5d55ccab78391

      SHA256

      994de272bc2f1531afe2406461aa18616f33d8efe3f8f90806de97eea210f70f

      SHA512

      e2489a6e3a12bddd93e9c8938a4edd660f88211efd21c8dc40104619cd4a6bbd26f95bb89f0e561bf3f297f009303aba2a6a437f6b8d8e6d203b2079740d0f2a

      Download Submit

    • memory/4744-0-0x0000000002910000-0x0000000002920000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4744-2-0x0000000002910000-0x0000000002920000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4744-1-0x0000000002910000-0x0000000002920000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4764-2754-0x000000007FE20000-0x000000007FE21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4764-2753-0x0000000002540000-0x0000000002550000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4764-2752-0x0000000002540000-0x0000000002550000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4764-2751-0x000000007FE40000-0x000000007FE41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4764-2755-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4764-2785-0x000000007FE00000-0x000000007FE01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4764-2784-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

      Filesize

      4KB

      Download