Analysis

  • max time kernel: 117s
  • max time network: 117s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 18-10-2024 02:27

General

  • Target: aa99c913decb96133a013abe8d71a057862e3328e8297c959c8eeb063c283a66.exe
  • Size: 16KB
  • MD5: c9fc5ead99455414732c85614c676afa
  • SHA1: 99ae4a704b37bd1c3f190f99b52493f68bcbe3df
  • SHA256: aa99c913decb96133a013abe8d71a057862e3328e8297c959c8eeb063c283a66
  • SHA512: 45ffeb541e4124939243a61b982ff11ece9ae8d8171148d354a346766f95f22e85e4504dcb705ac83bbc96ce1d8567c294c5c5f6bdeb01c251dd51328ec89e72
  • SSDEEP: 384:5iNZKe9HBSEbVfBD6LeGzauQibQzisfIIG42RzRTK9oXjfdrMEn+eSkjvka95WVB:g3Ke9HBSEbVdUeGzBQoJKua6dsr

Score: 10/10

Malware Config

Extracted

  • Path: C:\README.txt
  • Ransom Note:
    !!! ALL YOUR FILES ARE ENCRYPTED!!! All your files, documents, photos, databases and other important files are encrypted. The only way to recover your files is to get a decryptor. To get the decryptor, write to us by mail or telegram, specify the ID of the encrypted files in the letter: Email: [email protected] Telegram: https://t.me/returnbackcyberfearcom Warning!!! * Do not rename files. * Do not attempt to decrypt data using third party software, as this may result in permanent data loss. * Do not contact other people, only we can help you and recover your data. Your personal decryption ID: lGiKf865
  • URLs: https://t.me/returnbackcyberfearcom

Signatures

  • Renames multiple (292) files with added filename extension

    This suggests ransomware activity: encrypting all the files on the system.

  • Drops desktop.ini file(s) (26 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa99c913decb96133a013abe8d71a057862e3328e8297c959c8eeb063c283a66.exe
    "C:\Users\Admin\AppData\Local\Temp\aa99c913decb96133a013abe8d71a057862e3328e8297c959c8eeb063c283a66.exe"
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    PID:1972

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MValidator.Lck
    Filesize: 4B
    MD5: 269c1d05f088fff4297fb48c1980bdc2
    SHA1: 00e0f93ebd3450d23ffc873017ac744d45526f54
    SHA256: fd5f964f5a4229210a457da73443f87ef8c4ee2dcc4ba3ec09baa37a0d6f26de
    SHA512: 1190d959062c7374f655c2c7041fe5807520bfbd93f0881f7864d457e87a223c7efb0a6f112080dd3659dd0587b482e2243eaecaf95d7587018a718152f0624d

  • C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi
    Filesize: 148KB
    MD5: b98059b4d884f2df2b320a5a105834bb
    SHA1: 5d65f1a7fd7d39c46c78efd645f5ce60cdd02124
    SHA256: 5aaaaa39919a6ecfa8c95a73693cd2324fd96fc41010e703e5e582e3566ff75e
    SHA512: 9034018bd82942d39fdeaf6e7e107ef7cda2a7420ab5175bf0f8d35b7f5943d7508ee4ece0bb08fbc03d72dfebccf7a186634dd11bca8ceda40bc124b0ec543f

  • C:\README.txt
    Filesize: 632B
    MD5: e5947abbf99045df634eede07180fa46
    SHA1: b3506e3118715199707ac9a62557fcb4512719ac
    SHA256: 98611e811a96098298daa934d52960ce9f716a36ae3fdfc316b2b75ae2b54830
    SHA512: e8fe24857094c4f07dfd584120be204f41cf057e3cf3bd5ade2c5f7cc88bfaddba0f4d5d26a6d2e201894a0c284ba64393f68216556f48a4014a98be90b9a49c

  • C:\Users\Admin\Desktop\UnpublishRevoke.xlsx
    Filesize: 13KB
    MD5: 4f024e3d5e226405d5f29364a8fbc9a9
    SHA1: 35d0d604056a35d6cf82e66cd87e63bc3173059d
    SHA256: 86729d47b20a6e3083f7bff5f1ea41f520a49e24ac5e09ffda71939f45fdcf92
    SHA512: c4db9aea04f7d91eba1cee2a9a249bf9f142067a8ab00171a5d4000e55a1d260a7f3e8233ca4be08d127499c78101f110fd5cf6f80daef9d7d57501a8efec898

  • memory/1972-0-0x000000007428E000-0x000000007428F000-memory.dmp
    Filesize: 4KB

  • memory/1972-1-0x0000000000BE0000-0x0000000000BEA000-memory.dmp
    Filesize: 40KB