a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
Size

221KB
MD5

a04eb443870896fbe9a0b6468c4844f7
SHA1

e3001ef25b1386763caec9b5339ec6ddb0275a71
SHA256

a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02
SHA512

28919641ecb89a7770a974992231bbdb9a7369e429d4b37d5b685bafab30b95c5bd87ce781d5a67db6c1b2823c85f9f3c6901285912f1bb641d9967d82d2660f
SSDEEP

6144:JrazEX0203RegvjxnpGhu3BJMIp2CuvY63:B+3JpGEBJMg2CuvY6

Score

10^/10

defense_evasion discovery execution impact ransomware

Malware Config

Extracted

Path

C:\CIopReadMe.txt

Ransom Note

------------------------Your networks has been penetrated--------------------------------------- All files on each host in the networks have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F-8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. ===No DECRYPTION software is AVAILABLE in the PUBLIC=== - DO NOT RENAME OR MOVE the encrypted and readme files. ========================DO NOT RESET OR SHUTDOWN – FILES MAY BE DAMAGED======================== ========================DO NOT RESET OR SHUTDOWN – FILES MAY BE DAMAGED======================== ========================DO NOT RESET OR SHUTDOWN – FILES MAY BE DAMAGED======================== ---THIS MAY LEAD TO THE IMPOSSIBILITY OF RECOVERY OF THE CERTAIN FILES--- ---ALL REPAIR TOOLS ARE USELESS AND CAN DESTROY YOUR FILES IRREVERSIBLY--- If you want to restore your files write to email. [CONTACTS ARE AT THE BOTTOM OF THE SHEET] and attach 4-6 encrypted files! [Less than 7 Mb each, non-archived and your files should not contain valuable information!!! [Databases,large excel sheets, backups etc...]]!!! ***You will receive decrypted samples and our conditions how to get the decoder*** *^*ATTENTION*^* =YOUR WARRANTY - DECRYPTED SAMPLES= -=-DO NOT TRY TO DECRYPT YOUR DATA USING THIRD PARTY SOFTWARE-=- -=-WE DONT NEED YOUR FILES AND YOUR INFORMATION-=- CONTACTS E-MAILS: [email protected] AND [email protected] OR [email protected] _-_ATTENTION_-_ In the letter, type your company name and site! ***The final price depends on how fast you write to us*** ^_*Nothing personal just business^_* CLOP^_- ----------------------------------------------------------------------------------------------

Emails

[email protected]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (142) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Enumerates connected drives 3 TTPs 39 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\L:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\J:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\M:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\P:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\S:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\K:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\N:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\O:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\Q:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\V:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\A:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\B:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\U:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\I:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\T:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\X:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\E:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\W:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\Z:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\Y:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\G:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
File opened (read-only)	\??\R:	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

Interacts with shadow copies 3 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2764	vssadmin.exe
2792	vssadmin.exe
2700	vssadmin.exe
2612	vssadmin.exe
1492	vssadmin.exe
340	vssadmin.exe
492	vssadmin.exe
2956	vssadmin.exe
2664	vssadmin.exe
2772	vssadmin.exe
2172	vssadmin.exe
2676	vssadmin.exe
296	vssadmin.exe
2296	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1632	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
1632	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
1632	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
1632	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
1632	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
1632	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2844	vssvc.exe
Token: SeRestorePrivilege	2844	vssvc.exe
Token: SeAuditPrivilege	2844	vssvc.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2892	1632	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe	31
PID 1632 wrote to memory of 2892	1632	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe	31
PID 1632 wrote to memory of 2892	1632	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe	31
PID 1632 wrote to memory of 2892	1632	a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe	31
PID 2892 wrote to memory of 340	2892	cmd.exe	33
PID 2892 wrote to memory of 340	2892	cmd.exe	33
PID 2892 wrote to memory of 340	2892	cmd.exe	33
PID 2892 wrote to memory of 340	2892	cmd.exe	33
PID 2892 wrote to memory of 2764	2892	cmd.exe	35
PID 2892 wrote to memory of 2764	2892	cmd.exe	35
PID 2892 wrote to memory of 2764	2892	cmd.exe	35
PID 2892 wrote to memory of 2764	2892	cmd.exe	35
PID 2892 wrote to memory of 2772	2892	cmd.exe	36
PID 2892 wrote to memory of 2772	2892	cmd.exe	36
PID 2892 wrote to memory of 2772	2892	cmd.exe	36
PID 2892 wrote to memory of 2772	2892	cmd.exe	36
PID 2892 wrote to memory of 2792	2892	cmd.exe	37
PID 2892 wrote to memory of 2792	2892	cmd.exe	37
PID 2892 wrote to memory of 2792	2892	cmd.exe	37
PID 2892 wrote to memory of 2792	2892	cmd.exe	37
PID 2892 wrote to memory of 1492	2892	cmd.exe	38
PID 2892 wrote to memory of 1492	2892	cmd.exe	38
PID 2892 wrote to memory of 1492	2892	cmd.exe	38
PID 2892 wrote to memory of 1492	2892	cmd.exe	38
PID 2892 wrote to memory of 2664	2892	cmd.exe	39
PID 2892 wrote to memory of 2664	2892	cmd.exe	39
PID 2892 wrote to memory of 2664	2892	cmd.exe	39
PID 2892 wrote to memory of 2664	2892	cmd.exe	39
PID 2892 wrote to memory of 2612	2892	cmd.exe	40
PID 2892 wrote to memory of 2612	2892	cmd.exe	40
PID 2892 wrote to memory of 2612	2892	cmd.exe	40
PID 2892 wrote to memory of 2612	2892	cmd.exe	40
PID 2892 wrote to memory of 2676	2892	cmd.exe	41
PID 2892 wrote to memory of 2676	2892	cmd.exe	41
PID 2892 wrote to memory of 2676	2892	cmd.exe	41
PID 2892 wrote to memory of 2676	2892	cmd.exe	41
PID 2892 wrote to memory of 2172	2892	cmd.exe	42
PID 2892 wrote to memory of 2172	2892	cmd.exe	42
PID 2892 wrote to memory of 2172	2892	cmd.exe	42
PID 2892 wrote to memory of 2172	2892	cmd.exe	42
PID 2892 wrote to memory of 2296	2892	cmd.exe	43
PID 2892 wrote to memory of 2296	2892	cmd.exe	43
PID 2892 wrote to memory of 2296	2892	cmd.exe	43
PID 2892 wrote to memory of 2296	2892	cmd.exe	43
PID 2892 wrote to memory of 296	2892	cmd.exe	44
PID 2892 wrote to memory of 296	2892	cmd.exe	44
PID 2892 wrote to memory of 296	2892	cmd.exe	44
PID 2892 wrote to memory of 296	2892	cmd.exe	44
PID 2892 wrote to memory of 492	2892	cmd.exe	45
PID 2892 wrote to memory of 492	2892	cmd.exe	45
PID 2892 wrote to memory of 492	2892	cmd.exe	45
PID 2892 wrote to memory of 492	2892	cmd.exe	45
PID 2892 wrote to memory of 2700	2892	cmd.exe	46
PID 2892 wrote to memory of 2700	2892	cmd.exe	46
PID 2892 wrote to memory of 2700	2892	cmd.exe	46
PID 2892 wrote to memory of 2700	2892	cmd.exe	46
PID 2892 wrote to memory of 2956	2892	cmd.exe	47
PID 2892 wrote to memory of 2956	2892	cmd.exe	47
PID 2892 wrote to memory of 2956	2892	cmd.exe	47
PID 2892 wrote to memory of 2956	2892	cmd.exe	47

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe
"C:\Users\Admin\AppData\Local\Temp\a867deb1578088d066941c40e598e4523ab5fd6c3327d3afb951073bee59fb02.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\clearnetworkdns_11-22-33.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:340
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2764
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2772
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2792
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1492
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2664
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2612
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2676
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2172
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2296
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:296
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:492
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2700
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:2956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\CIopReadMe.txt

Filesize
1KB

MD5
e04a195c34b605286fbf1b6e3ae48ea8

SHA1
aabf5de2dbe86487229b9a39e050c2af76679dc7

SHA256
d686127553bc8f72d8441ad441afa795fde914550fdb9fad46889e8fe1019ed7

SHA512
cac64382c8d5f17b4a2da6f24f006e41716406c3efd147cae6fca7c9e2fcdf256f58457a6d17fadf0a7a08c4e70d17c7191bc8cd8f698ddb13cc1dcb4d442158

Download Submit
C:\Users\Admin\AppData\Local\Temp\clearnetworkdns_11-22-33.bat

Filesize
948B

MD5
f7840e8e5f106572107932598b7c2592

SHA1
379bd55eb0bf40eb1a7804959af8022b8eb6f0e7

SHA256
0f107cd86bcfca29408499d6e0631a482623ad25f26e74898c26072e94fa6000

SHA512
ae7301ef444dce57e0c238c65070ff928c5b0c67a1c71e45d329d78eafbbbb5ac66ec85acc977e414343ceffa7b618aa6f0659d38c1a43969ae5c5768113ebba

Download Submit
memory/1632-1-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1632-0-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1632-11-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1632-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download