Overview

overview

10

Static

static

3

SecuriteIn...72.exe

windows7-x64

10

SecuriteIn...72.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/07/2024, 16:30

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Heur.Ransom.Imps.3.6527.6272.exe

  • Size

    13KB

  • MD5

    d9c6f876be8e6ca42e876475c616b416

  • SHA1

    bdd3d39b6a7f01dbdcceaa21e413e274522d759a

  • SHA256

    4e7db8c290d280ce238b3ccc7e46e76b3f1413b114250819879f13cccfc74d78

  • SHA512

    69dcff8daee6da53179faf8b3bc4df5ddc72f8b0c5634bf86b7099f4d5f20dd94bb823a352c56788dba3205c3849f155692051eb98ff42baf1f94258c6518a75

  • SSDEEP

    192:NsO//ItyyXP7j9VLs2Wc8vkYcV6qU2FJFEs2+:NsE/KZVQ2Wc6kYcV6qUiJFnh

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\README.txt

Ransom Note
You became victim of the keygroup777 RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the telegram page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: register a bitcoin 300$ @keygroup777Rezerv1 bc1qqlwuhksw3xfuug055acl7qgr8uz5l7m9qm9vcn . 2. register a bitcoin wallet : https://bitcoin-wallet.org/ru/ https://bitcoin-wallet.org/ru/ 3. Enter your personal decryption code there: e5Pc4P8WjF35 URL:https://keygroup777.github.io/keygroup777/ https://ababa1ds.github.io/keygroup777/
URLs

https://bitcoin-wallet.org/ru/

https://ababa1ds.github.io/keygroup777/

Signatures

  • Drops file in Drivers directory 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.Ransom.Imps.3.6527.6272.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.Ransom.Imps.3.6527.6272.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Drops startup file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.txt
      2⤵
        PID:3808
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.html
        2⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1360
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca15846f8,0x7ffca1584708,0x7ffca1584718
          3⤵
            PID:2004
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4118728066455575605,17049718146671331929,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
            3⤵
              PID:2532
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,4118728066455575605,17049718146671331929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:3300
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,4118728066455575605,17049718146671331929,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
              3⤵
                PID:916
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4118728066455575605,17049718146671331929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
                3⤵
                  PID:392
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4118728066455575605,17049718146671331929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
                  3⤵
                    PID:4380
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,4118728066455575605,17049718146671331929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4080 /prefetch:8
                    3⤵
                      PID:4432
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,4118728066455575605,17049718146671331929,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4080 /prefetch:8
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3204
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4118728066455575605,17049718146671331929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
                      3⤵
                        PID:3836
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4118728066455575605,17049718146671331929,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
                        3⤵
                          PID:3452
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4118728066455575605,17049718146671331929,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
                          3⤵
                            PID:2000
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4118728066455575605,17049718146671331929,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
                            3⤵
                              PID:1200
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4118728066455575605,17049718146671331929,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
                              3⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:4240
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:2744
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:2296

                            Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    9622e603d436ca747f3a4407a6ca952e

                                    SHA1

                                    297d9aed5337a8a7290ea436b61458c372b1d497

                                    SHA256

                                    ace0e47e358fba0831b508cd23949a503ae0e6a5c857859e720d1b6479ff2261

                                    SHA512

                                    f774c5c44f0fcdfb45847626f6808076dccabfbcb8a37d00329ec792e2901dc59636ef15c95d84d0080272571542d43b473ce11c2209ac251bee13bd611b200a

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    04b60a51907d399f3685e03094b603cb

                                    SHA1

                                    228d18888782f4e66ca207c1a073560e0a4cc6e7

                                    SHA256

                                    87a9d9f1bd99313295b2ce703580b9d37c3a68b9b33026fdda4c2530f562e6a3

                                    SHA512

                                    2a8e3da94eaf0a6c4a2f29da6fec2796ba6a13cad6425bb650349a60eb3204643fc2fd1ab425f0251610cb9cce65e7dba459388b4e00c12ba3434a1798855c91

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    c9512c417118bc0f180c16faf51eab84

                                    SHA1

                                    cd05a1f15e3ec6f328e6b696848e843b36af0bc6

                                    SHA256

                                    0bee7d8e4ffbc36fa0cea0b4a940c36f0d0e0df8b88551b39284b5ce7d26775d

                                    SHA512

                                    c094c34af28b9acee62c95115e9e858ab99a23effeddbeed8f0ab61a82a99d315b8360802719fe3dcc1398b4a897503e69584abc59d66e36cc4a872994e42f78

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    f61c1796bf34cb072624bf6f24651a9f

                                    SHA1

                                    04595831659d2227089a8b349c0a8aaa2c6fb4bd

                                    SHA256

                                    d150ee1694e43ec113a5721eafdcad05c31d5ba729d108be1e6d01b0d24fff3f

                                    SHA512

                                    097cfe126d94662d2f33b4822c151abb4e658efc3bf571cce9b9eaf1069a053c5deb937d2a77b89c91130a18039fd6775a4a954076e1b9457d50aa9484eea549

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                    Filesize

                                    16B

                                    MD5

                                    46295cac801e5d4857d09837238a6394

                                    SHA1

                                    44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                    SHA256

                                    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                    SHA512

                                    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                    Filesize

                                    16B

                                    MD5

                                    206702161f94c5cd39fadd03f4014d98

                                    SHA1

                                    bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                    SHA256

                                    1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                    SHA512

                                    0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    11KB

                                    MD5

                                    f977d61bb98738d86b15bf81d59ab858

                                    SHA1

                                    41cad88996c020e5cc0e8feb47616d56c86f6dd1

                                    SHA256

                                    75932dd8e54e9ae69a440ab1b25ced9050efbb1f521ea4af1ce50af0f7bf4183

                                    SHA512

                                    15a2d313311a18a5373f6b67c1fa2bd079554a978c2ac42997269d6716dc95b5538a09b4f7d5ed90e4c62a8119fcfc5ff52342e35a4d3e5ce4142021c110bec0

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\README.html
                                    Filesize

                                    1018B

                                    MD5

                                    3abe2df286dc282fbd6d510e6113ac28

                                    SHA1

                                    74ec4c1d24256f268ee0336446ba6cddf51530e7

                                    SHA256

                                    e626db3b0b0390cda5d615e008706213af0dac7a262a1b7bf2ef9522e434eb24

                                    SHA512

                                    060ae9bddba74090af4830b346dffb66cda7e4f516fff9149ffb5b76648e0cf9f7f5b74b2a2ad6fd2a90ccdb8ece5b359f75cc9bacaaf8bcc2a54fa3c05d88e0

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\README.txt
                                    Filesize

                                    685B

                                    MD5

                                    58d04864c57c501ce152970e1343f442

                                    SHA1

                                    497553dcee6400ec9c75d0924572740d2bce8fdc

                                    SHA256

                                    4f20be006f67f6a57b069b473f16b346b9297e33418286c23537e13bd42cf12d

                                    SHA512

                                    29783776ff3aa907de3aa45fbd422fdd64815c8c518688ad1791e55e2b5984ffbdfd4d1656ab1de432f93b5c289c514078f0fbae2775f05f332f8d66c8956bd5

                                    Download Submit

                                  • memory/1540-0-0x00000000743EE000-0x00000000743EF000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/1540-1-0x00000000003D0000-0x00000000003D8000-memory.dmp

                                    Filesize

                                    32KB

                                    Download