Analysis

  • max time kernel
    129s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/09/2024, 14:48

General

  • Target

    7d1d299ab02045a320bf42f47e74b1f8e846ef5f9b6bf8395760207c2ce886ab.exe

  • Size

    192KB

  • MD5

    156b09d46b8da539df1e85a0b25badb2

  • SHA1

    98ba6441f1a701a6c3242c65c84efeccdd463058

  • SHA256

    7d1d299ab02045a320bf42f47e74b1f8e846ef5f9b6bf8395760207c2ce886ab

  • SHA512

    a962489357e6678571ed04a0dd119eef31560436efafb989d6bf9f20fce77f077981938eb73a575995996481465e41f863b3ecc76973763bea73367235f43fb2

  • SSDEEP

    3072:U4hmS2KXMEsrQLOJgY8Zp8LHD4XWaNH71dLdG1iiFM2Z1uhQ5lF0KvNZH+zGmpMY:ES2KXXsrQLOJgpZp8LHD4GaNH71dLdGG

Malware Config

Extracted

Path

C:\Program Files\7-Zip\readme_for_unlock.txt

Ransom Note
!!! ATTENTION !!!

Your network is hacked and files are encrypted. Including the encrypted data we also downloaded other confidential information: Data of your employees, customers, partners, as well as accounting and other internal documentation of your company. All data is stored until you will pay. After payment we will provide you the programs for decryption and we will delete your data. If you refuse to negotiate with us (for any reason) all your data will be put up for sale.

What you will face if your data gets on the black market:

1) The personal information of your employees and customers may be used to obtain a loan or purchases in online stores.
2) You may be sued by clients of your company for leaking information that was confidential.
3) After other hackers obtain personal data about your employees, social engineering will be applied to your company and subsequent attacks will only intensify.
4) Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered.
5) You will forever lose the reputation.
6) You will be subject to huge fines from the government.

You can learn more about liability for data loss here:
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
https://gdpr-info.eu/

Courts, fines and the inability to use important files will lead you to huge losses. The consequences of this will be irreversible for you. Contacting the police will not save you from these consequences, but will only make your situation worse.

You can get out of this situation with minimal losses. To do this you must strictly observe the following rules:

DO NOT Modify, DO NOT rename, DO NOT copy, DO NOT move any files. Such actions may DAMAGE them and decryption will be impossible.
DO NOT use any third party or public decryption software, it may also DAMAGE files.
DO NOT Shutdown or Reboot the system, this may DAMAGE files.
DO NOT hire any third party negotiators (recovery/police, etc.)

You need to contact us as soon as possible and start negotiations.

Instructions for contacting our team:
Download & Install TOR browser: https://torproject.org
For contact us via LIVE CHAT open our
> Website: http://fvfk3ckwdekoz3jrjwcgvmlh2xt7xl5t5rcniheahn26lz7ybvgnggad.onion
> Login: CLIENT
> Password: o82YDy5bSZ76VqD8pH6m
If Tor is restricted in your area, use VPN
URLs

https://gdpr-info.eu/

http://fvfk3ckwdekoz3jrjwcgvmlh2xt7xl5t5rcniheahn26lz7ybvgnggad.onion

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (8179) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d1d299ab02045a320bf42f47e74b1f8e846ef5f9b6bf8395760207c2ce886ab.exe
    "C:\Users\Admin\AppData\Local\Temp\7d1d299ab02045a320bf42f47e74b1f8e846ef5f9b6bf8395760207c2ce886ab.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2960
    • C:\Users\Admin\AppData\Roaming\MicrosoftWindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\7d1d299ab02045a320bf42f47e74b1f8e846ef5f9b6bf8395760207c2ce886ab.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2116
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c TIMEOUT /T 2>NUL&START /b "" cmd /c DEL "C:\Users\Admin\AppData\Local\Temp\7d1d299ab02045a320bf42f47e74b1f8e846ef5f9b6bf8395760207c2ce886ab.exe" &EXIT
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1720
        • C:\Windows\SysWOW64\timeout.exe
          TIMEOUT /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2684
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c DEL "C:\Users\Admin\AppData\Local\Temp\7d1d299ab02045a320bf42f47e74b1f8e846ef5f9b6bf8395760207c2ce886ab.exe"
          4⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          PID:2732
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2852
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\System32\netsh.exe" advfirewall set allprofiles state off
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2828
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2068

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\7-Zip\readme_for_unlock.txt

    Filesize

    2KB

    MD5

    c4b5da2b27afee277ed91065d53890c9

    SHA1

    dfc23e0ed6bf3e27fa0c80710bc332987f88040c

    SHA256

    6ce77ceba9cddf695edf3d47965669b2b297f17e38707eb39037af4a8f995bc0

    SHA512

    0fb4f16c253e27257b864861c4ead3b438b454b314b91bbdb6a3c7a79382e572c77769e493bec5f716b8afdb08576c84d2f2c4b181b1c44bda0a48e2e7273489

  • \Users\Admin\AppData\Roaming\MicrosoftWindowsUpdate.exe

    Filesize

    192KB

    MD5

    156b09d46b8da539df1e85a0b25badb2

    SHA1

    98ba6441f1a701a6c3242c65c84efeccdd463058

    SHA256

    7d1d299ab02045a320bf42f47e74b1f8e846ef5f9b6bf8395760207c2ce886ab

    SHA512

    a962489357e6678571ed04a0dd119eef31560436efafb989d6bf9f20fce77f077981938eb73a575995996481465e41f863b3ecc76973763bea73367235f43fb2