Resubmissions
13-07-2024 09:54
240713-lxbx6swdmm 1013-07-2024 09:50
240713-lvbvdsyapd 1013-07-2024 09:46
240713-lr1dksyajd 10Analysis
-
max time kernel
456s -
max time network
458s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
13-07-2024 09:54
Errors
Reason
Machine shutdown
General
-
Target
8a6aa9e5d58784428d0b1641e99f024438b20747993039e16b8d262f3f5fd347.exe
-
Size
604KB
-
MD5
697deef7b2ca6b79c3608ebdf9c70977
-
SHA1
64fb76029f4d7b3aa06646f286182daf4de2a27a
-
SHA256
8a6aa9e5d58784428d0b1641e99f024438b20747993039e16b8d262f3f5fd347
-
SHA512
18870c02d0193349748447d92eb1fd2540ad02d54b736e9ce42dbe275acee5cbaa09d4f95e188a94d29e69f9349ff0bbe60e937880a867d4573847d93f7b2f8e
-
SSDEEP
12288:/g1YsKMSiS9SW35dmhqoeBsGJGKlOD4BZXu3lKG3pHLb4:/gd5QSW3rQqoeBsGJGTyG3JLk
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\3D Objects\# How to Decrypt Files-NJFD7.html
Ransom Note
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Decryption Instructions</title>
<style>
a {
color: #04a;
text-decoration: none;
}
a:hover {
text-decoration: underline;
}
body {
background-color: #e7e7e7;
color: #222;
font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif;
font-size: 12pt;
line-height: 16pt;
}
body,
h1 {
margin: 0;
padding: 0;
}
h1 {
color: #555;
text-align: center;
padding-bottom: 1.5em;
line-height: 1.2;
}
h2 {
color: #555;
text-align: center;
line-height: 1.2;
}
ol li {
padding-bottom: 13pt;
}
.container {
background-color: white;
border: 2pt solid #C7C7C7;
margin: 3%;
min-width: 600px;
padding: 5% 10%;
color: #444;
}
.header {
border-bottom: 2pt solid #c7c7c7;
padding-bottom: 5%;
}
.hr {
display: block;
height: 2pt;
margin-top: 1.5%;
margin-bottom: 1.5%;
overflow: hidden;
width: 100%;
}
.info {
border: 1px solid #888;
background-color: #E4E4E4;
padding: 0.5em 3em;
margin: 1em 0;
}
.text {
text-align: justify;
}
.lsb{
display: none;
margin: 3%;
text-align: center;
}
.ls {
cursor: pointer;
border: 1px solid #888;
border-radius: 3px;
padding: 0 0.5em;
margin: 0.2em 0.1em;
line-height: 2em;
display: inline-block;
}
.ls:hover {
background-color: #D0D0D0;
}
.l {
display: none;
}
.lu {
display: none;
}
#change_language {
float: right;
display: none;
}
</style>
</head>
<body onload='javascript:onPageLoaded()'>
<div class='lsb'>
</div>
<div class='container'>
<div class="text l l-en" style='display:block'>
<br>
<div>
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAL8AAAEICAMAAAA5jNVNAAAAeFBMVEX///8AAAD8/PxQUFCJiYk0NDSenp5TU1M9PT329vb6+vrv7+/z8/Pl5eXKyspfX18oKCjCwsKPj4/o6Oivr699fX1xcXGioqLa2tq7u7uTk5PS0tI6OjogICCCgoJoaGh1dXUXFxeqqqpHR0cODg4cHBxaWlotLS1/4KDGAAAHlUlEQVR4nO2daVciPRCFaRpkRzYXXNCGUf7/P3zldUZn6O6bSmrDc3I/a/IASaVSqVQ6HQWt55v97rpcLIo/el4cXnr77eNYoztBjZZ3L78KpPJqO/WmbNZks8PoX6p226437ZnuV0ca+9fvsB95M39ptqri4D91vfUGP6m7GabAf+rBey5MVunw/+t17Ug/e2XSu36CyY0A/Uk7j6ncvRKiP2lvjj9fhKkiVN6b0k9vRelPujLEX1bi+EUxMJvHPQX6k+Ym9OtSCd9mDD2+qeEXxa26X7dVpP9QqexQ3OniF8Vhpon/oI1fFH3FD2CAr/kBTPD1PoCkwwM1nGjgb6zwP6yQghmd2+EXxYs4/qyy5C9Wwvjjgyl+UQjv7eX95ZBENwSGc/ePDoKxxvv47qvypne1Xc5n6/lye9W7KavYFnZi+N1Ij7nsbdfTMxPYna43u7hI0VKKP2rhetlMWq33eH03oLe0EFrGIkZPuQn6v7OHitraqwz/O7k/ms3obqixC5ENJXXH8hrhdm1om7gnARs0pX1Zgzh73aXFTR/4/LSO4pfLGckYsV3pGaWX9yRLsSO0fMvlp8RoU3/lJaHtRx4+xXamrzOE1q95/AS/jeNoEUYny4YS2ufNsEmw/QGn+fDo5xqI8DfE+AEmwQNd/gr5GOqCMQOCtl8i4BrcWyRPsGnoTPpdAL/TCR0CJq8BQc9HKMwR8lBS/eiQ48lcW74UmsOJwYhQszdC+MHA5DHtfDU0ewU32IERlLTCj59wo5IRmkBwL8mEBgzzQRC/07nGnaUcTQbWXqnJ+6nAXEtYZ0bY+DP9wpqwo3iIt9SB4SP79Qdd6Xg3Cw+fUhg/NAOit0gjbH3EYmNfwiYoegDh3/NZHD+0BsQOILwkahz04yhlbI/Y99E4YMNbsUh7J9oYUXgGx31leDZtVPjxRibOXcEpPjr5dlPYZ5y3C8P0OsMnMICiYrl4+GtlC+LklhgfDg9/rUQ17MTFTDq4dekr4Xe6cAmLmQAvqKGeFj/2uYb0CYDPLPTS3rEFpa8Aa6F2YoX7pcf6YOBnoZcjOH5GHdPDKHD6so9EgOAujJ5UA5vRTDKFPuiCuuyP+qgZzSxffKJEnXh49dW8bIBdIOo3B/deleYdOjyBqSMXmmGZmHmb4MJJXYGh86y3+ga7HhAtNzxQ0M1xhy5oRZt6OF1J99IcjprRktNHcBKp5ocHDBAt6OdnPj++O9g3beMEtxFvuleQuzArheYBwUUwIRIcJWhAaSmJ0AZoem8nQQNKCxxA71PX/Afiln3S4IV5RQIZXVB4C0YyHnAIat+0xJEPygKAly/5wP+/wgsAZfHBB1/S50Zx/JTecQvaV41HMDOUEsPy5R/DX/+O0IKn+9AJHJxQrB90HxbqFUyg805ZfaAF66tfEIWrD4Ufuj9aof9vsWNPe19+GAKqb76758L8vfo/yAp3/177835NcPf19lT/B1nB7ou3s7/uwL++fGV+X2V+X2V+X2V+X2V+X2V+X2V+X2V+XzXyHwflBWrQlNXQxP80Ut7jpqlxZ9/Erx9jSBOVn3XjU1GZ31eZ31eZ31eZ31eZ31eZ31eZ31eZ31eZ31fW/N35ditZBdOW//F3Gt2NWMKxJf/krys0K6GcFUP++T+Fm4YyFybt+GtJnCLTwIy/oSOJS0tW/I0ZMAK/gBF/y+VDvhmy4W+7AXJkv0xgwr9uLRl3zTWjFvyoTje3JrgFP7xBzcz9NuDHFeN+8W4+6/Pj+9PckxF9/kAVLmbhEXX+cD1Y1ghS5w8UjDuJc/1Hm5/0wgRjFdPmJz2GR7mB4MM/puBzyvYp81OqORec6hfK/MRXAtJNqDI/8S3IdC9ImZ/4wkr6BVBlflj04lvp9QuU+Qmr10npN4Au4/tPN6DK/EHn7VPpPqgyP/El3XQPSJmf+LRfev0LZX7SSxOcQJC2/1aR+NMvUGrzU97jKF6T8dX5Se8MMe5vq++/CB4E5/7qBex/WRt4/fhD8Adg1Y7T5w++ZcE6BjCIvwWei7n0+FVnhB8sufT4YSCGcvnxW7gL5pausTl/aa3+wi4cZ3T+1VK6mP8WnBF/c+X6J/7D3Fbnp9OGGlwC+Ibn77UaJkOJZ9EN8x/O1rGDSNUXQ/6zBAiZt2QN+c9jiSI5QHb8NRPEiPp/y46/dg4p8h63Y/4P8+TXmr9+Cv+T8n+aKrBJPAZtxt8QyYooHu/P39SRgAU142+KRAuU/TXz3xralLjUasXfnETzc/zn5hwmfuFKI/5x8+MT/NcWjfhbwrg/Zv/YVsGWbUFt+FvLt7ItqA1/a/lNtgW14W8vIMy1oDb87WkcXAtqwj+uWvm5PqgJPzgE41pQ7/gt14Ka8KMsCOYu3oIfvj/A3MVb8OMTMF4YzoIfJ/HxdvEW/DiJj3eDwYAfv/9TlKwrJAb8uPY404Uw4A9lELAevzHg3x+HSH3W6xP5/rKvMr+vMr+vMr+vMr+vMr+vMr+vMr+vMr+vMr+vMr+vMr+vMr+vfjp/0wXRJv7jqneJWjVdLGji/0nK/L7K/L7K/L7K/L7K/L7K/L7K/L7K/L7K/L76DxuakMqfwNR4AAAAAElFTkSuQmCC" alt="LockLogo" />
</div>
<br>
<p><samp># All your files has been encrypted by "KRAKEN CRYPTOR".</samp></p>
<p><samp># Read the following instructions carefully to decrypt your files.</samp></p>
<br>
<div class="info">
-----BEGIN KRAKEN ENCRYPTED UNIQUE KEY-----
<br>
w4p7DOBESk+RHFLduZvNf6veYncATS+opvs+TSL+14+IypnTRjcRhLvuj9AbPdwH<br>jnagteVuUJ1asmsFJpEfg3JlSBGhFemFl8EP5qQDt+1/bGS03AxkEjhXeZYOS0eF<br>tVoGfNtlXYAHyrF+K1FRpEXz1DZUI7DLj10hEK+FyafSN/Pq4Hh2doM86z/1+nGQ<br>a3uZTYH8wSNyYVqodnBIr7gX4/sGpFu7wvBX3zzh72A7fPyeQUMbKKXnoU26ti2M<br>42t96V7BxBWaDb2MRjP1u60FH98nlEd+u3sJQVLGy4mzjokbJtAb4jJluMTg3Fwo<br>I3rxA28XV70U8sQcvKDyGEoSZWSHcu2OIFtl3/A2nDiQcLTd30242+AT2v8P93pU<br>iHQPA49umlX+XH8MQDVv67q1aNvO6DuxVlkcm8hkCoRvD912PcQyhWf7XDLMQmys<br>UYwwpcTQRXe7LliuDf11A+JuAWrRFru3/avyOBEvwQRlskldRwIVOY/8lRJOVQ0y<br>gNNGfkncG/4iG5Ziy+/v+saH6hJ1r47Me1pdD2sWx+wN/0dmMpjC+jMfUZAkB5wQ<br>u2TnznsqLuZ9ATRsptGr0xvDyqv8ngWuEUyMhsuwJCzZx0MmXlouc4d8IFsciwA5<br>fN3fzupc2nD9jqde4g8UDDgaNVRECvJBwX1CZZJgXYsmsJ2TfPjm+qWwBIxZUrXF<br>AnTohytoaVV9KezNRFpUssSdcCzAWIpoW/RgBA4=
<br>
-----END KRAKEN ENCRYPTED UNIQUE KEY-----
</div>
<br>
Extension
<div class="info">
.NJFD7
</div>
<br>
<p style="color: #D91E18;">What happened to my computer?</p>
<hr>
<p>All of your files such as documents, images, videos and other files with the different names and extensions are encrypted by "KRAKEN CRYPTOR"!</p>
<p>Don't delete .NJFD7 files! there are not virus and are your files, but encrypted!</p>
<p>The speed, power and complexity of this encryption have been high and if you are now viewing this guide.</p>
<p>It means that "KRAKEN CRYPTOR" immediately removed form your system!</p>
<p>No way to recovery your files without "KRAKEN DECRYPTOR" software and your computer "UNIQUE KEY"!</p>
<p>You need to buy it from us because only we can help you!</p>
<br>
<p style="color: #D91E18;">How can recovery my files?</p>
<hr>
<p>We guarantee that you can recover all your files soon safely.</p>
<p>You can decrypt one of your encrypted smaller file for free in the first contact with us.</p>
<p>For the decryption service, we also need your "KRAKEN ENCRYPTED UNIQUE KEY" you can see this in the top!</p>
<p>Are you want to decrypt all of your encrypted files? If yes! You need to pay for decryption service to us!</p>
<p>After your payment made, all of your encrypted files has been decrypted.</p>
<br>
<p style="color: #D91E18;">How much is need to pay?</p>
<hr>
<p>You need to pay (0.256 BTC), payment only can made as Bitcoins.</p>
<p>This links help you to understand whats is a Bitcoins and how it work.</p>
<p><a href="https://wikipedia.org/wiki/Bitcoin">https://en.wikipedia.org/wiki/Bitcoin</a></p>
<p><font size="3" color="red"> This price is for the contact with us in first week otherwise it will increase.</font></p>
<br>
<p style="color: #D91E18;">Where can buy Bitcoins?</p>
<hr>
<p>The easiest way to buy Bitcoins is LocalBitcoins website.</p>
<p>You must register on this site and click "BUY Bitcoins" then choose your country to find sellers and their prices.</p>
<p><a href="https://localBitcoins.com">https://localBitcoins.com</a></p>
<br>
<p>Other places to buy Bitcoins in exchange for other currencies worldwide:</p>
<p><a href="https://www.bestbitcoinexchange.io/">https://www.bestbitcoinexchange.io</a></p>
<br>
<p style="color: #D91E18;">How to contact you?</p>
<hr>
<p>We use best and easy way to communications. It's email support, you can see our emails below.</p>
<p>Please send your message with same subject to both address.</p>
<br>
E-Mail
<div class="info">
[email protected]
</div>
<br>
Alternative
<div class="info">
[email protected]
</div>
<br>
<p style="color: #D91E18;">Attention</p>
<hr>
<ul type="disc">
<li>DON'T MODIFY OR RENAME ENCRYPTED FILES.</li>
<li>DON'T MODIFY "KRAKEN ENCRYPT UNIQUE KEY".</li>
<li>DON'T USE THIRD PARTY, PUBLIC TOOLS/SOFTWARE TO DECRYPT YOUR FILES, THIS CAUSE DAMAGE YOUR FILES PERMANENTLY.</li>
<li>DON'T ASK PEOPLE OR DATA RECOVERY CENTERS, THEY ARE MAY ADD EXTRA CHARGE.</li>
</ul>
<br>
<p><b>Additional</b></p>
<hr>
<ul type="square">
<li>Project "KRAKEN CRYPTOR" doesn't damage any of your files, this action is reversible if you follow the instructions above.</li>
<li>Also, our policy is obvious: "NO PAYMENT, NO DECRYPT".</li>
</ul>
</div>
</div>
</body>
</html>
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a6aa9e5d58784428d0b1641e99f024438b20747993039e16b8d262f3f5fd347.exe"C:\Users\Admin\AppData\Local\Temp\8a6aa9e5d58784428d0b1641e99f024438b20747993039e16b8d262f3f5fd347.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exe"tasklist" /V /FO CSV2⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C cd C:\ProgramData\ && release.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Sysinternals\SDelete"3⤵
-
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Sysinternals\SDelete" /v EulaAccepted /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\ProgramData\sdelete.exe -c -z C:3⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\sdelete.exeC:\ProgramData\sdelete.exe -c -z C:4⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\ProgramData\sdelete.exe -z D:3⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\sdelete.exeC:\ProgramData\sdelete.exe -z D:4⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c C:\ProgramData\sdelete.exe -z F:3⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\sdelete.exeC:\ProgramData\sdelete.exe -z F:4⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\shutdown.exeshutdown /S /F /T 300 /C "Unexpected shutdown due to maintenance break."3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic SHADOWCOPY DELETE3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 127.0.0.1 -n 3 > NUL&&del /Q /F /S "C:\Users\Admin\AppData\Local\Temp\8a6aa9e5d58784428d0b1641e99f024438b20747993039e16b8d262f3f5fd347.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 33⤵
- Runs ping.exe
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa395b855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
875B
MD5ed51564efba7197a56ad8d5fb508ac12
SHA16b79b10c6aab091fa722373ed6cc533f24febe79
SHA256de8036a2336605847f263fbd7db3204a63469ab9e96d5fcd167898ca0d14df69
SHA512eafe939d2b8a67f21f2672deb8667526e46d57fe74331dcba726acc573ebf9ed3fcfd79dff01457cdf9fdf5eb171da51d61e430b84f417eabd5ba12dbecd0fbb
-
Filesize
218KB
MD56a4e049d8c497d350a7bd54dfff99808
SHA17f1d32424c961542ae172c5b8c1611291c30fc4f
SHA25659e5ae1e99c6a4ccc01e8abdc2534210ec5faa945754a89524b06381da8c20a1
SHA51241169089fa67e1a0ff1360dc5428b89dcee0d642204ddb7dac80d6cf859caae3c2b14fa89ce72072fb780c0a93f53eb0ff9414a8e88b1d783bfa75c9c4ea353d
-
Filesize
9KB
MD548019a61a6ef2d49714be1cdadfbe91a
SHA166ca79f19f5ad8d46d1fcf09d433c5b0f8af57ae
SHA256848d2f24bca95ac44ce8b101febfa0701949f20654f7de79afc21ae50e83d3ed
SHA512a37c9ead7b5ecda48dc60c32eb31c94cfc44ae6deb4c7a56d8fa2cc72fe08d5fa6d62840ea82c4e213a742913d0b4f8e8574e94e78e97de1e8eff327c1f5aa28
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB