Analysis

  • max time kernel
    1565s
  • max time network
    1566s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-07-2024 08:54

General

  • Target

    084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe

  • Size

    49KB

  • MD5

    50248697e19117027d4823c6a3be6db5

  • SHA1

    fb81c35ffe11180c1d6269006db2fc775eec4741

  • SHA256

    084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e

  • SHA512

    abc04de0ee5dfc9ca1afccc6b46f9bb4b56d3d9e9ec11165dfc9d3630a597e865941c2c33f4284807f155f69d8255ac3279c418f3bdb2a7f6b4e8678ba7fd6ed

  • SSDEEP

    768:acaQRffDB31aCytHLykiKPT3JATD2qBwV2ckjbnsb0Ah99De0YAD8hMWsddOC86t:acai318HxZATvnsblYO8hMWsdoC86+r

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\+README-WARNING+.txt

Ransom Note
::: Hey :::
Small FAQ:

.1. Q: What's going on?
A: Your files have been encrypted. The file structure was not affected, we did our best to prevent this from happening.

.2. Q: How to recover files?
A: If you want to decrypt your files, you will need to pay us.

.3. Q: What about guarantees?
A: It's just business. We are absolutely not interested in you and your transactions, except for profit. If we do not fulfill our work and obligations, no one will cooperate with us. It's not in our interest. To check the possibility of returning files, you can send us any 2 files with SIMPLE extensions (jpg, xls, doc, etc... not databases!) and small sizes (max 1 mb), we will decrypt them and send them back to you. This is our guarantee.

.4. Q: How to contact you?
A: You can write to us at our mailboxes: [email protected]

.5. Q: How will the decryption process take place after payment?
A: After payment, we will send you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.

.6. Q: If I don't want to pay bad people like you?
A: If you do not cooperate with our service - it does not matter to us. But you will lose your time and data because only we have the private key. In practice, time is much more valuable than money.

:::BEWARE:::
DO NOT try to modify encrypted files yourself! If you try to use third party software to recover your data or antivirus solutions - back up all encrypted files! Any changes to the encrypted files may result in damage to the private key and, as a result, the loss of all data.

Note: ::::::IF WE HAVE NOT RESPONSE YOU BY MAIL WITHIN 24 HOURS::::::
Spare contact for communication: If we have not answered your email within 24 hours, you can contact us via the free messenger qTox. Download from the link https://tox.chat/download.html Next go qTox 64-bit after downloading the program, install it and go through a short registration.
Our Tox ID 37CDA60B5B593473E120366CCF68A8C08F503880D2AE7F0F4161C2C9C0502C6304DDA2B19D8E
URLs

https://tox.chat/download.html

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe
    "C:\Users\Admin\AppData\Local\Temp\084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2372
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2920
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:2772
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3000
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2700
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2640
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:1740
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:1016
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    PID:2976
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1536

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    • Windows Management Instrumentation (T1047): 1
    • Command and Scripting Interpreter (T1059): 1
  • Defense Evasion
    • Indicator Removal (T1070): 3
    • File Deletion (T1070.004): 3
    • Modify Registry (T1112): 1
    • Direct Volume Access (T1006): 1
  • Discovery
    • System Information Discovery (T1082): 1
    • Query Registry (T1012): 1
  • Command and Control
    • Web Service (T1102): 1
  • Impact
    • Inhibit System Recovery (T1490): 3
    • Defacement (T1491): 1


Downloads

  • C:\Users\Admin\Desktop\+README-WARNING+.txt
    Filesize
    2KB

    MD5
    5d230c41f5f5f64ec6858756404c7a7e

    SHA1
    6e6ccd293641504eee97cb55d48566976f1bcf92

    SHA256
    2225eb49c5a55704c141e965cee16592f303ab5112a5df49b6a102a8bd34bb02

    SHA512
    1a058e1c77214546b5c978d77671f44a3d636c9ec69818da17064746a983aeeddd3068e2eef63bd54c2ad0a014ca943f50df588510107e8a02ef25f7d309c883