Analysis
-
max time kernel
135s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-08-2024 18:22
Behavioral task
behavioral1
Sample
c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40.dll
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40.dll
Resource
win10v2004-20240802-en
General
-
Target
c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40.dll
-
Size
2.7MB
-
MD5
88bb86494cb9411a9692f9c8e67ed32c
-
SHA1
82f8060575de96dc4edc4f7b02ec31ba7637fa03
-
SHA256
c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40
-
SHA512
670acd30005be75bbced78a505b4f0ded7f39cb4f4d55f9b09f31964d20bebb62908d40da4c9a103c87e83f4b31e0435ffd9ec78ee7a585c216e5551e0c67ebb
-
SSDEEP
49152:MxmXXxQjiQspGXtwB0pnkF7TosNjLSq6Pq3Ecv9dsiPTg3pg:DQeQVmB0pni7TosNKq6adsi
Malware Config
Extracted
agenda
-
company_id
feGDg5BHWw
-
note
-- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreement, your data will be published. Data includes: - Employees personal data, CVs, DL , SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials-- Credentials Extension: feGDg5BHWw Domain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion login: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 password:
Signatures
-
Agenda Ransomware
A ransomware with multiple variants written in Golang and Rust first seen in August 2022.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 1864 wrote to memory of 1792 1864 rundll32.exe rundll32.exe PID 1864 wrote to memory of 1792 1864 rundll32.exe rundll32.exe PID 1864 wrote to memory of 1792 1864 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40.dll,#12⤵
- System Location Discovery: System Language Discovery
PID:1792