Analysis

  • max time kernel
    1559s
  • max time network
    1561s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-07-2024 08:54

General

  • Target

    139a8bb2c5537190e747d2f651b423147018fd9a9a21bb36281d4ce1c61727c1.exe

  • Size

    178KB

  • MD5

    8d27d0c897ce21f1036bf659fc663cf2

  • SHA1

    afe3d0fb48092aeca4dcd3989a076e87fdbe69b2

  • SHA256

    139a8bb2c5537190e747d2f651b423147018fd9a9a21bb36281d4ce1c61727c1

  • SHA512

    531873e8faaf801a447f70848969865750f41fd5ff15bd8c47015e766a9bb8cc1fbb8dcae16ddbf1e4f9dbc5750af593ef8fdcf94cd1a61efa00c7790cda4374

  • SSDEEP

    3072:/gq2DKdMbv1S/n6rHBJK3V9LBSLrKa+HQXvMES/D3Yw7yZyYpEaI:/84X/19LUPMcMEw3kTI

Malware Config

Extracted

Path

C:\Program Files (x86)\warning !!!! Readme bl00dy Gang.txt

Ransom Note

GREETINGS FROM BL00DY RANSOMWARE GANG
What happened ?
Your entire company network is penetrated and encrypted. All files on servers and computers locked and not usable
Dont panic All files are decryptable We will recover all your files to normal
What Bl00dy Gang take / steal from your company network ?
We download your company important files / documents / databases/ mails / accounts We publish it to the public if you dont cooperate .
What BL00DY Gang needs from YOU ?
We expect nothing except appreciating our work PAY US in this way you appreciate our work
How to contact the BL00DY Gang for ransom negotiations ?
[email protected]
Telegram hall of shame , where all company private data will be PUBLISHED??
https://t.me/bl00dy_Ransomware_Gang
What Quarantees ?
we are not a politically motivated group and we do not need anything other than your money. If you pay, we provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We will help protect your company from any other attacks ; we will give you tips to secure company network We always keep our promises.
!!! BEWARE !!!
If you have Backups and try to restore from backups . All entire company files / databases / everything will be posted online DON'T try to rename or modify encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! - Don't try because you will damage all the files Any changes in encrypted files may entail damage of the private key and, as result, the loss all data. Do not report to Police or FBI , they dont care about your business .They will tell you not to pay and you will lose all your files. Recovery Company Cannot help You . things will get rather worse . speak for yourself.

URLs

https://t.me/bl00dy_Ransomware_Gang

Signatures

  • Renames multiple (7981) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 46 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\139a8bb2c5537190e747d2f651b423147018fd9a9a21bb36281d4ce1c61727c1.exe
    "C:\Users\Admin\AppData\Local\Temp\139a8bb2c5537190e747d2f651b423147018fd9a9a21bb36281d4ce1c61727c1.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{84B23760-D083-4387-974D-3C4546D42F6A}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{84B23760-D083-4387-974D-3C4546D42F6A}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2564
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F4FF19A-F0A9-4D37-804C-BBA1AC496F39}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3040
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F4FF19A-F0A9-4D37-804C-BBA1AC496F39}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2384
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9F6E7A5F-91E3-42B9-9E2A-D87FADA45EB4}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9F6E7A5F-91E3-42B9-9E2A-D87FADA45EB4}'" delete
        3⤵
        PID:340
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{314E70DD-6CC8-441F-8B30-A71AFD3666D4}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{314E70DD-6CC8-441F-8B30-A71AFD3666D4}'" delete
        3⤵
        PID:2924
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F28370CD-B12E-4E29-BDEC-FADD070A311C}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F28370CD-B12E-4E29-BDEC-FADD070A311C}'" delete
        3⤵
        PID:468
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9CFA1FAC-8B30-464C-A41C-E8A415E47E56}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9CFA1FAC-8B30-464C-A41C-E8A415E47E56}'" delete
        3⤵
        PID:840
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CE807F35-9C0E-4446-B318-8485AF6C0259}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CE807F35-9C0E-4446-B318-8485AF6C0259}'" delete
        3⤵
        PID:2052
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ED089E91-80BF-4ED9-8981-C380E00AF48A}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ED089E91-80BF-4ED9-8981-C380E00AF48A}'" delete
        3⤵
        PID:2872
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D1A50FE4-92ED-419B-8E4F-FD59A2FB70FF}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D1A50FE4-92ED-419B-8E4F-FD59A2FB70FF}'" delete
        3⤵
        PID:1972
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{95BCBF4B-AB01-429A-BC22-D699995F488D}'" delete
      2⤵
      PID:1616
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{95BCBF4B-AB01-429A-BC22-D699995F488D}'" delete
        3⤵
        PID:2996
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D3411E52-7961-4272-BD9B-AC00A7C176FD}'" delete
      2⤵
      PID:1764
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D3411E52-7961-4272-BD9B-AC00A7C176FD}'" delete
        3⤵
        PID:2980
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5A5BC5FA-1945-4C64-98AB-48EB9B258476}'" delete
      2⤵
      PID:2172
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5A5BC5FA-1945-4C64-98AB-48EB9B258476}'" delete
        3⤵
        PID:2256
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4209BC2E-63F3-4311-B318-4266CE6427FD}'" delete
      2⤵
      PID:1532
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4209BC2E-63F3-4311-B318-4266CE6427FD}'" delete
        3⤵
        PID:2232
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0FB96D71-416E-4221-B050-53851A8DFEFF}'" delete
      2⤵
      PID:1620
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0FB96D71-416E-4221-B050-53851A8DFEFF}'" delete
        3⤵
        PID:2344
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA9D1DC0-6918-4793-9B97-17DC4DC11B7A}'" delete
      2⤵
      PID:1028
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA9D1DC0-6918-4793-9B97-17DC4DC11B7A}'" delete
        3⤵
        PID:2500
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5F3413EA-0DE7-4717-9100-512425AA05AF}'" delete
      2⤵
      PID:608
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5F3413EA-0DE7-4717-9100-512425AA05AF}'" delete
        3⤵
        PID:1244
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B69ED39F-CDDB-47E0-81FC-5EF4BC215C92}'" delete
      2⤵
      PID:1524
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B69ED39F-CDDB-47E0-81FC-5EF4BC215C92}'" delete
        3⤵
        PID:1324
    • C:\Windows\system32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C44555B4-BF9B-4600-B9BC-43446450A014}'" delete
      2⤵
      PID:2348
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C44555B4-BF9B-4600-B9BC-43446450A014}'" delete
        3⤵
        PID:1724
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1812

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\warning !!!! Readme bl00dy Gang.txt

    Filesize

    1KB

    MD5

    8452263586a59f3c0d48b2490bd11f97

    SHA1

    2e144eb3cec2b43b80b0771af81e81f62b49bcd9

    SHA256

    239b6e678c94a409058ed84cac9b07f5880fdea1ab18af6090825bd9d78107ac

    SHA512

    53ba3f24bed5544f5b09ef55e90fd8219fb694f9c4b5c330ffbd078307a488c3a4f33b940c7a8644f9799f8bec8624d51029b8e6950de431ce2de2c599ea2ede