102276ae1f518745695fe8f291bf6e69856b91723244881561bb1a2338d54b12

General

Target

ransom.exe
Size

7.8MB
MD5

648bd793d9e54fc2741e0ba10980c7de
SHA1

f5d0c94b2be91342dc01ecf2f89e7e6f21a74b90
SHA256

102276ae1f518745695fe8f291bf6e69856b91723244881561bb1a2338d54b12
SHA512

d1428b934a360d7f3651947d11081892c93c7cd29a17dc38190cbb46c95939928ac6f805adf586be2937e27fc20aec8bd1fc2c782c681e7e94e9e8d33b8ebf15
SSDEEP

98304:9+v9K8MgmB4oIWcCJ3ZZVL8oYi5lTkZkmla1DXL:S4uWcCT9Gzl

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\CyberVolk_ReadMe.txt

Ransom Note

Greetings. All your files have been encrypted by CyberVolk ransomware. Please never try to recover your files without decryption key which I give you after pay. They could be disappeared� You should follow my words. Pay $1000 BTC to below address. My telegram : @hacker7 Our Team : https://t.me/cubervolk We always welcome you and your payment.

URLs

https://t.me/cubervolk

Signatures

Renames multiple (1667) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 10 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	ransom.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	ransom.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	ransom.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	ransom.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	ransom.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	ransom.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	ransom.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	ransom.exe
File opened for modification	\??\f:\$RECYCLE.BIN\S-1-5-21-2636447293-1148739154-93880854-1000\desktop.ini	ransom.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	ransom.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\k:	ransom.exe
File opened (read-only)	\??\n:	ransom.exe
File opened (read-only)	\??\p:	ransom.exe
File opened (read-only)	\??\u:	ransom.exe
File opened (read-only)	\??\y:	ransom.exe
File opened (read-only)	\??\e:	ransom.exe
File opened (read-only)	\??\g:	ransom.exe
File opened (read-only)	\??\i:	ransom.exe
File opened (read-only)	\??\t:	ransom.exe
File opened (read-only)	\??\v:	ransom.exe
File opened (read-only)	\??\w:	ransom.exe
File opened (read-only)	\??\z:	ransom.exe
File opened (read-only)	\??\h:	ransom.exe
File opened (read-only)	\??\m:	ransom.exe
File opened (read-only)	\??\s:	ransom.exe
File opened (read-only)	\??\l:	ransom.exe
File opened (read-only)	\??\q:	ransom.exe
File opened (read-only)	\??\a:	ransom.exe
File opened (read-only)	\??\b:	ransom.exe
File opened (read-only)	\??\j:	ransom.exe
File opened (read-only)	\??\o:	ransom.exe
File opened (read-only)	\??\r:	ransom.exe
File opened (read-only)	\??\x:	ransom.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp"	ransom.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4220	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4220	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3708	ransom.exe

C:\Users\Admin\AppData\Local\Temp\ransom.exe
"C:\Users\Admin\AppData\Local\Temp\ransom.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of FindShellTrayWindow
PID:3708

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /F /IM ransom.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\CyberVolk_ReadMe.txt

Filesize
348B

MD5
ce7ff0a9361571a2dcb08f50500ace3f

SHA1
5d8bed459f55a37e2fcb801d04de337a01c5d623

SHA256
894bc59f5227b4d545412b2a2897367d7ac88090c86f5a1728bf733e70bd93ee

SHA512
bba6d46fae5b4099b047b192f7df21fdf01675b09f3da38a365710fc9aa5b126cc6a2c2547be48deecfaa360e1521cf04a9793af083735de4a8cb7be9bd4c52a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15.cvenc

Filesize
37KB

MD5
1486522a6b1fa8690c9fdf57af2c3c52

SHA1
37c4aebe485d8f99252b5ca471f47dfef978c087

SHA256
1ba41e9ef08b8f27aece113faa167283f8445043a745c6352b18ea899d1fc087

SHA512
9b112e2b7d9954a4e4c0e3e4fbddf31028d739f7dc59511bbfc747be463c55c6f6679976edf41066a446339bef596911411eee40f55de79187847c2877e2c1e9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_WindowsPowerShell_v1_0_powershell_exe.cvenc

Filesize
37KB

MD5
13e3e05b9a7e010d5a722fbadffbbf42

SHA1
8023caecda04f62529d3a8625b9ad090d66b657a

SHA256
c4b054ebf2132016e3f8209ce0615b1525bfed7368ef7c879abc1984c25722c1

SHA512
8b0b2425db041698c162ff70489885032f305ec2e29bd5e0008394446c8c9c2702fc5fb76b4772e59dc9d6e153be7cbbe7a96b21a83a1128bff6d621957ed584

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.cvenc

Filesize
37KB

MD5
d8d548e68fe0e15f8c1ed9dd025d19d5

SHA1
e4a3e23663ef938a87cf824e6a5fb54ffb13abf1

SHA256
32fc77aa26faa104691ffd74f8cb4296f26ed03fe7e7e8ff8169da0721571336

SHA512
731384674452e28a91c8a86bc458472dde34d45ca1f94908e6e7289e6247f1ba3da396fd453f14f374fc09b7b27f8b4270d29bffa0fadcbc1bcf7df0a40add90

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133650075481724226.txt.cvenc

Filesize
78KB

MD5
acb08f6331ee5b249acd65359273e9e2

SHA1
61b564ff459403f352adf0f9ecd113f20a97c208

SHA256
603fb959046a75ddf4913f6e1fee18f171243789aa2c2eec86bb866c26fd3333

SHA512
d463b4cec085ce817783e3b26eccb5c38416514470bac6cd7ed0918b6eacbb07a139f4bca6441633386730375e83cc6749bd48908a14b1829c7d4f14754fa16c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133650077594646987.txt.cvenc

Filesize
48KB

MD5
9e393e083a96572c9c2c1dc011baa9bd

SHA1
0eb7317b7f232793d3d7a93445b381fc9d19d8c2

SHA256
26fc27e9264f7fedf6cfa79ca84352e244d16691259349d7c4dae7621b1eec52

SHA512
53365071155bedd7645a537b90c734bc9f2f8c4c3e7bc9f8bb4c3d572c57d17eb93bcbb9322c5680b43e34919a3b096cf20077005b5e574104d660392a1afe24

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133650083195983942.txt.cvenc

Filesize
65KB

MD5
1eb763516cfe6c18665ba99f11e0b99e

SHA1
b24f2511b0a11c056f4b478eefd8de2149595e25

SHA256
9015aaf41354177d92feead3add4daa781164cb9b942148e36e7167be3ed22bf

SHA512
8c2e8f70e8cfd48bb77eac0df733d673055aeaa6a2e063878d165bef92cd9b2a2f43b01c155b250ddee73e008572ed0cea6b3b7c176b029d685e08f0ba8ee25a

Download Submit

Resubmissions

Analysis

Sharing