Overview

overview

10

Static

static

10

528502657c...63.exe

windows7-x64

10

528502657c...63.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-07-2024 10:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe

  • Size

    1.3MB

  • MD5

    9e6c3801e0ac1c1fee4150e48777f3f6

  • SHA1

    1e21dd960332e36051244fcc8180fa62a87d889d

  • SHA256

    528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263

  • SHA512

    73f114f6a31e9a8267086b80c731c30a9c0808a775bdcf07b1fae439da79f789b4fdf2d1a0ef8906e8cd0139f85fc47bf7c76e4bf81753b4670c8cb777883845

  • SSDEEP

    12288:QmHAIqyfF/5ebyz1dpPlRnMRTD410ALP68kG3Jz4S9FUmnyJtgoiOHmabd8ornXz:HHRFfauvpPXnMKqJtfiOHmUd8QTHj

Score
10/10
defense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\bg-BG\!!!HOW_TO_DECRYPT!!!.mht

Ransom Note
From: =?utf-8?B?0RFQctTF0YDQcNC60IXQvdC+IEludGVybmV0IED4cGxvseVyIDEz?= Subject: Date: San, 00 Jan 2000 00:00:00 +0000 MIME-Version: 1.0 Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-MimeOLE: Produced By Microsoft MimeOLE =EF=BB=BF<!DOCTYPE HTML> <!DOCTYPE html PUBLIC "" "">=20 <HTML lang=3D"ru">=20 <HEAD>=20 <META = content=3D"IE = 3D11.0000" http-equiv=3D"X - UA - Compatible">=20 <META charset=3D"utf-8">=20 <TITLE>!!!HOW_TO_DECRYPT!!!</TITLE>=20 <LINK href=3D"style.css" rel=3D"stylesheet">=20 <META name=3D"GENERATOR" content=3D"MSHTML 11.00.10570.1001">=20 </HEAD>=20 <BODY>=20 <p class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><span class=3DSpellE><b>=20 <span lang=3DEN-US style=3D'font-size:20.0pt;font-family:"Times New Roman","serif";mso-bidi-font-family:Arial;color:#C9211E'>=20 All your valiable data has been encrypted!</span></b></span></p><BR><BR>=20 <p class=3DMsoNormal style=3D'text-align:justify;text-justify:inter-ideograph'>=20 <span class=3DSpellE><span lang=3DEN-US style=3D'font-size:13.0pt;font-family:"Times New Roman","serif";mso-bidi-font-family:Arial'>=20 Hello!<BR>Sorry, but we have inform you that your order has been blocked due to the issue of securities. Make sure your data is not blocked.=20 All your valuable files were encrypted with strong encryption algorithms AES-256 + RSA-2048 + CHACHA and renamed. You can read about these algorithms in Google.=20 Your unique encryption key is stored securely on our server and your data can be decrypted quickly and securely.<BR><BR>=20 We can prove that we can decrypt all of your data. Please just send us 3 small encrypted files which are randomly stored on your server.=20 We will decrypt these files and send them to you as a proof. Please note that files for free test decryption should not contain valuable information.<BR><BR>=20 As you know information is the most valuable resource in the world. That's why all of your confidential data was uploaded to our servers.=20 If you need proof, just write us and we will show you that we have your files. If you will not start a dialogue with us in 72 hours=20 we will be forced to publish your files in the Darknet. Your customers and partners will be informed about the data leak by email or phone.<BR><BR>=20 This way, your reputation will be ruined. If you will not react, we will be forced to sell the most important information such as databases=20 to interested parties to generate some profit.<BR><BR>Please understand that we are just doing our job. We don't want to harm your company.=20 Think of this incident as an opportunity to improve your security. We are opened for dialogue and ready to help you. We are professionals,=20 please don't try to fool us.<BR></span></span></p><BR><BR><p class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><b>=20 <span lang=3DEN-US style=3D'font-size:14.0pt;font-family:"Times New Roman","serif";mso-bidi-font-family:Arial'>=20 If you want to resolve this situation,<BR>please write to ALL of these 2 email addresses:<BR>=20 [email protected]<BR>[email protected]<BR>In subject line please write your ID: 11794824878273212370</span></b></p><BR><BR>=20 <p class=3DMsoNormal style=3D'text-align:justify;text-justify:inter-ideograph'><b>=20 <span lang=3DEN-US style=3D'font-family:"Times New Roman","serif";mso-bidi-font-family: Arial;color:#C9211E'>=20 Important!<BR>=20 * We asking to send your message to ALL of our 2 email adresses because for various reasons, your email may not be delivered.<BR>=20 * Our message may be recognized as spam, so be sure to check the spam folder.<BR>=20 * If we do not respond to you within 24 hours, write to us from another email address. Use Gmail, Yahoo, Hotmail, or any other well-known email service.<BR>=20 Important<BR>=20 * Please don't waste the time, it will result only additinal damage to your company!<BR>=20 * Please do not try to decrypt the files yourself. We will not be able to help you if files will be modified.<BR>=20 </span></b></p>=20 <BR>=20 </BODY><BR>=20 </HTML>
URLs

http-equiv=3D"X

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (622) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes System State backups 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Drops file in Drivers directory 13 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 39 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 13 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe
    "C:\Users\Admin\AppData\Local\Temp\528502657c770fd56ebd10c11c1a7fab24be2a41ad8f24af617222c069310263.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1652
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB
      2⤵
      • Interacts with shadow copies
      PID:4240
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded
      2⤵
      • Interacts with shadow copies
      PID:2228
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3572
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2948
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3380
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1136
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:732
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:928
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:3388
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:4948
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:1988
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded
      2⤵
      • Enumerates connected drives
      • Interacts with shadow copies
      PID:2980
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • Interacts with shadow copies
      PID:892
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} recoveryenabled No
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:760
    • C:\Windows\SYSTEM32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:2256
    • C:\Windows\SYSTEM32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:4284
    • C:\Windows\SYSTEM32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      2⤵
      • Deletes System State backups
      • Drops file in Windows directory
      PID:700
    • C:\Windows\System32\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2556
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\528502~1.EXE >> NUL
      2⤵
        PID:3244
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4032

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Device\HarddiskVolume1\Boot\bg-BG\!!!HOW_TO_DECRYPT!!!.mht
      Filesize

      4KB

      MD5

      0cb353b3ecb14f62c98aeef498069ce2

      SHA1

      65e233b506299a5a094e94eed2ef227bb15ecaf2

      SHA256

      cb76556e8580ecfb176d118e3c0dbde648973e2c437ddf7d1b3eae9436b5ca98

      SHA512

      789679e0d0fac7eb71d4962ca4440819fdf5b64b26f0b3d9ba307acec97a1f3a61d7db1ac5bb88f9e76d34b532864f4f7622323819831e382526e3c3c6f341ae

      Download Submit