3730e9cba4a93bc985ef7cd2368ccbf5eccd4724f514b38b20e320e5553dd08d

Analysis

max time kernel
1561s
max time network
1563s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
Size

79KB
MD5

c8579ccb6690e1f2102f9ba887c12f9e
SHA1

e8e46e3f88011aa43c90cde3c9945e3508986a25
SHA256

87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb
SHA512

f579e9b39400a0b3879dc8a1c41bd829d8f6b399d9d0a97302f7157a76f036ede5e4391eeb12bd2285a7f523969d572a92f482cf415ed2fb023d96d745f82244
SSDEEP

1536:hxpkWBeG/vEbKsrQLOJgY8ZZP8LHD4XWaNH71dLdG1iiFM2iG2Xsf8:/BeQsKsrQLOJgY8Zp8LHD4XWaNH71dLH

Score

10^/10

defense_evasion execution impact ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Contacts\How To Restore Your Files.txt

Ransom Note

----------- [ Hello! ] -------------> ******BY ANUBIZ LOCKER****** What happend? ---------------------------------------------- Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network. Follow our instructions below and you will recover all your data. If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web. What guarantees? ---------------------------------------------- We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. How to contact us? ---------------------------------------------- Using EMAIL: 1) Open your mail 2) Write this ID in the title of your message: kFdfAV0C4B 3) Write us: [email protected] !!! DANGER !!! DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them. !!! DANGER !!

Emails

[email protected]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (219) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe

description	ioc	process
File opened (read-only)	\??\B:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\E:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\U:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\I:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\A:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\Z:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\X:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\R:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\P:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\S:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\V:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\T:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\O:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\H:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\L:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\K:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\N:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\F:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\Q:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\W:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\Y:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\G:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\J:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
File opened (read-only)	\??\M:	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

2616 vssadmin.exe
2860 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe

pid process

2076 87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1432 vssvc.exe
Token: SeRestorePrivilege 1432 vssvc.exe
Token: SeAuditPrivilege 1432 vssvc.exe

pid	process
2616	vssadmin.exe
2860	vssadmin.exe

pid	process
2076	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe

description	pid	process
Token: SeBackupPrivilege	1432	vssvc.exe
Token: SeRestorePrivilege	1432	vssvc.exe
Token: SeAuditPrivilege	1432	vssvc.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.execmd.execmd.exe

description	pid	process	target process
PID 2076 wrote to memory of 924	2076	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe	cmd.exe
PID 2076 wrote to memory of 924	2076	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe	cmd.exe
PID 2076 wrote to memory of 924	2076	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe	cmd.exe
PID 2076 wrote to memory of 924	2076	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe	cmd.exe
PID 924 wrote to memory of 2616	924	cmd.exe	vssadmin.exe
PID 924 wrote to memory of 2616	924	cmd.exe	vssadmin.exe
PID 924 wrote to memory of 2616	924	cmd.exe	vssadmin.exe
PID 2076 wrote to memory of 2872	2076	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe	cmd.exe
PID 2076 wrote to memory of 2872	2076	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe	cmd.exe
PID 2076 wrote to memory of 2872	2076	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe	cmd.exe
PID 2076 wrote to memory of 2872	2076	87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe	cmd.exe
PID 2872 wrote to memory of 2860	2872	cmd.exe	vssadmin.exe
PID 2872 wrote to memory of 2860	2872	cmd.exe	vssadmin.exe
PID 2872 wrote to memory of 2860	2872	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe
"C:\Users\Admin\AppData\Local\Temp\87b9b910d5d5a053e3b39989cc6fd51601abdaea207a26c765f21f43a4cd4dcb.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Contacts\How To Restore Your Files.txt

Filesize
1KB

MD5
ebfe047c67a2417117d61c8842520c31

SHA1
f58cf8c05f16d62e93b9907ff7d50a7a3d607224

SHA256
66d838f930938b43b51e90e4066ec28b3099337b4504b6884696d3029a1cbc3b

SHA512
e35b5f7e5cf3a64150826c3addee3435120942419ed0aa2cf95ef41850f1238bb300f58a67668102cfc211e116fafec871bbc02364189e25c658384cf3c49565

Download Submit