Overview

overview

10

Static

static

10

Brain Chip...an.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    88s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 00:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Brain Chiper beneran.exe

  • Size

    147KB

  • MD5

    448f1796fe8de02194b21c0715e0a5f6

  • SHA1

    935c0b39837319fda571aa800b67d997b79c3198

  • SHA256

    eb82946fa0de261e92f8f60aa878c9fef9ebb34fdababa66995403b110118b12

  • SHA512

    0b93b2c881b1351ff688089abf12bbfcff279c5d6ca8733d6d821c83148d73c85cfedf5ab5bc02c2145970124b518551db3a9fc701d8084f01009ae20f71a831

  • SSDEEP

    3072:l6glyuxE4GsUPnliByocWep0yjEJ3hDRMK89nB2:l6gDBGpvEByocWeebbMjV4

Score
10/10
ransomwarespywarestealer

Malware Config

Extracted

Path

C:\sYMY1N6ah.README.txt

Ransom Note
*** Welcome to Brain Cipher Ransomware! *** Dear managers! If you're reading this, it means your systems have been hacked and encrypted and your data stolen. *** The most proper way to safely recover your data is through our support. We can recover your systems within 4-6 hours. In order for it to be successful, you must follow a few points: 1.Don't go to the police, etc. 2.Do not attempt to recover data on your own. 3.Do not take the help of third-party data recovery companies. In most cases, they are scammers who will pay us a ransom and take a for themselves. *** If you violate any 1 of these points, we will refuse to cooperate with you!!! 3 steps to data recovery: 1. Download and install Tor Browser (https://www.torproject.org/download/) 2. Go to our support page: http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion 3. Enter your encryption ID: M8AL5cWJEU5CnMMPwCdt4x9NVn0ZY2uNtIgnKwkDJwdPbnanVROYFzGmgUCImexTGDmINYgSZXdlhM7D199lNMb294TGY2 Email to support: [email protected]
URLs

http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Brain Chiper beneran.exe
    "C:\Users\Admin\AppData\Local\Temp\Brain Chiper beneran.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:672
    • C:\ProgramData\6830.tmp
      "C:\ProgramData\6830.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6830.tmp >> NUL
        3⤵
          PID:4608
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\sYMY1N6ah.README.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      • Suspicious use of FindShellTrayWindow
      PID:512

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      f9e6bf062a9d5555c6aa594cab15a9aa

      SHA1

      b04785b88ae7451507372401d81fd02924ece440

      SHA256

      91fdbc6499629860448a62c98e2c784e75703872b37541350b1bfc19ba56c619

      SHA512

      b8fff0b645b9ee1ec6e99d99941e15780935cd669a13394f4b1001ed8c3a033a36018d3c07854f98f5eac1786dda5bfe8768e1bd35de5b371122b3906657d410

      Download Submit

    • C:\ProgramData\6830.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDD
      Filesize

      147KB

      MD5

      f37c2c101abe11c906e0dd3943e1a35e

      SHA1

      c4c63eb4e79f3256632076c0f866a0f1ba181f6c

      SHA256

      428a16680d423f74f58e7ad5cbdfd9c3c1cf2659bc97ca4daa6165cdbcb8065d

      SHA512

      db034b408ab595030104236b4e1b3bdbd4af179b14d186f6172d54d9641ab243f62cfc6aaded913719a3d53375921c42d74fbc5f2d81a290af0a0e4604b180d9

      Download Submit

    • C:\sYMY1N6ah.README.txt
      Filesize

      1KB

      MD5

      deb2e0756d331362d57ad9fe408c4ff3

      SHA1

      870865aad7c7cccafbca0c1f50f7eecaedbd4bf1

      SHA256

      1ddacee1d25936970279557169037a335b362f86c3797ded625d68077bd0145c

      SHA512

      e218624d2704517a358df0dfb794116bbeed3ad81daae8c07d5d969e61e7936ed043911008f4816d663de373fd23515219c8038dd22e5838af7df1678a0134a6

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      f940678443a8685055ee51c40abe8fca

      SHA1

      cef572968cc97a8330f0153edb2c80d58492a16b

      SHA256

      16c1b9597bf48046aa7a7f1f0169d483e11660e0c48bce82a34219e7310fc0cd

      SHA512

      c564e3efc4c9dec6a2da32f866a00fc7b3fa484cdd23675531b808f28a5b075dc222cabbf7a90fd73587b62f46c0468849f4b802546a398cfdf570e5f6e26380

      Download Submit

    • memory/672-1-0x00000000010C0000-0x00000000010D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/672-2-0x00000000010C0000-0x00000000010D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/672-0-0x00000000010C0000-0x00000000010D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3052-2731-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3052-2730-0x000000007FE20000-0x000000007FE21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3052-2729-0x0000000002360000-0x0000000002370000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3052-2728-0x000000007FE40000-0x000000007FE41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3052-2761-0x000000007FE00000-0x000000007FE01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3052-2760-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

      Filesize

      4KB

      Download