Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-10-2024 17:30

General

  • Target
    ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
  • Size
    52KB
  • MD5
    ba9210de03de945901f02792f7994871
  • SHA1
    20c4569cbb6f2650b02f6a5257faa8a8dfb298bd
  • SHA256
    ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d
  • SHA512
    277d26eea627b3da26664aaa4f72a7b79cd50311e45c59333563b4f58b76e6562cbaa1d55127c69d0830864721efa890fa824e1be381cca5e84bddc98f2b44d0
  • SSDEEP
    1536:EJJRZQJes5b0k5bbyu6hXOKJrkH6sNNW:oJRa4kLmNVOKJIasNE

Malware Config

Extracted

  • Path
    C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\README_1380491.txt
  • Ransom Note
    Hello! All your files have been encrypted...
    Your personal Id: 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
    To decrypt your files, write to email: [email protected] or [email protected]
    In the letter, send your personal Id and 2 small encrypted files for trial decryption.
    If you dont get answer from [email protected] or [email protected] in 72 hours, you need to install tor browser, you can download it here: https://www.torproject.org/download/download.html.en
    After installation, open the tor browser to website: http://t5vj34iny72dpdu4.onion and follow the instructions.
    Do not try restore files without our help, this is useless, and can destroy you data permanetly.
    However, the files can be recovered even after the removal of our program and even after reinstalling the operating system.
    Download the decoding video here: https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi
  • URLs
    http://t5vj34iny72dpdu4.onion
    https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Signatures

  • Deletes shadow copies (3 TTPs)
    Ransomware often targets backup files to inhibit system recovery.
  • Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  • Disables Task Manager via registry modification
  • Deletes itself (1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops desktop.ini file(s) (26 IoCs)
  • Drops file in Program Files directory (2 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
    Adversaries may check for Internet connectivity on compromised systems.
  • Interacts with shadow copies (3 TTPs, 1 IoC)
    Shadow copies are often targeted by ransomware to inhibit system recovery.
  • Opens file in notepad (likely ransom note) (1 IoC)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (20 IoCs)
  • Uses Volume Shadow Copy service COM API
    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
    "C:\Users\Admin\AppData\Local\Temp\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1668
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2480
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2232
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:2636
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\system32\PING.EXE
        ping -n 1 -w 5000 10.10.254.254
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2380
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2892
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README_1380491.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1120

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\README_1380491.txt
    Filesize
    1KB
    MD5
    8d5b641b3391762dec4dce32506026c7
    SHA1
    e0637fdc22706669c0c527f7002b88f001bbabac
    SHA256
    4b2e43d441ed23f1bb15dfadc51aff09b8ea7c416294642b8dc5593a298bd686
    SHA512
    10599148acf8f0f93cb789c750aeec47846fa3ca897233f8c66b4781bd7761ea7165e1078d2d8fdd05fafdd8ae71d798edf28ffd1f2d4943567eb7f1b05cf0a3
  • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml
    Filesize
    582KB
    MD5
    e46f85bdfcca5ec364000f2f88c2baa8
    SHA1
    8525e2af26e86270bb30e2bbeb9c0df6d521e7cd
    SHA256
    a15cccaf159a125e9e0488d42c1644fed6d29a7e520973f335e461e977a4038b
    SHA512
    b9c3f601d2073ae1de71a1b47f504c07bf55b3a8091da8e3a65abc805178a6efcfd1c8650919f983f99ade0abd76897cb72f01c3f4a4e36504e48748f2ca213a
  • C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi
    Filesize
    140KB
    MD5
    428efff3b60eeccce32784ea04af985b
    SHA1
    1a49e22dfb489bde1465868fc3d28da8afb481ea
    SHA256
    0b9f5561eb0d2946bc980794ce06b2dc09bb7388efd67b7cb74e819ba0734805
    SHA512
    63f34c4f959419a1fb72e63dc7c9762f3881a1794c7e153e2f743d306b259fce16dfaac36ba5cf9382ad367e72e4822b7b932d20465d9dfb746ee53c2682c702
  • C:\Users\Admin\AppData\Local\Temp\update.bat
    Filesize
    167B
    MD5
    d1df9bb96b34b2b9cba30dc139a00ef8
    SHA1
    44e80d8b875f296f7087eadc0584276fb68fa323
    SHA256
    17bdd9c1355d56e607eae45138d64ed86ebb1369dfcdf4f7ef313124c2f098bc
    SHA512
    7029c53a5de207b495c512bbfc160ccb1d76fb0101ff5bef497cc0bfa570228b5d641e3fb34ee4d17585a19e4ce0b1337f7e14750c70a014d69c1d8afa4f7ec2
  • C:\Users\Admin\AppData\Roaming\delback.bat
    Filesize
    147B
    MD5
    2450c91afcc2d4cc3dea374820bed314
    SHA1
    dd1b61d0aa6d1769018c1d3144de9bb960a64d3c
    SHA256
    4f157084c6e48b547e698ed83ae9a853a4db4b7a115249db272e3eb93316f7df
    SHA512
    b0b21d16b7f35bfc5526ed07407ec85a221a7a036827b65dce0a449d02a31f3f6f5ce2fbf94f0af01ce4a248b27ccf5f287dd2746ee423766be8d366f78ccc91
  • C:\Users\Admin\Desktop\EditSend.xlsx
    Filesize
    10KB
    MD5
    0f383341d3b9e4a24ae27b830680bbcf
    SHA1
    eccadca878ddac156559769cefcff551fe70fc16
    SHA256
    4dce23601ec1586449fd2e8a380968ab4e97ab22e71bc30089544acfa5913518
    SHA512
    3b073ce7b6ff31fe41286227e2db5e9b7adf1f9490b5e969f4894152650f6580cc899348fb6d88665f11b30c738022de56f6fa660bd73e113e14743e3cc74288
  • C:\vcredist2010_x86.log.html
    Filesize
    81KB
    MD5
    582e5f42e471b3ef867f7dae450cb1dd
    SHA1
    f2a4530ad0e1f6d9afe0ca377191f8b9ca4e93a6
    SHA256
    9361f676f7786cb46aa217858166442611b8e5ce3e3119026b7eff22a037aa87
    SHA512
    7eaf5cee54791ca532fe6607ee31e3d9a91efc78042886d90253dfab69851a398964ab6059d6dc3418ba759df947cfd1f677daf46a7d7c07171265270e2077c0
  • memory/2368-3-0x000007FEF6343000-0x000007FEF6344000-memory.dmp
    Filesize
    4KB
  • memory/2368-94-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp
    Filesize
    9.9MB
  • memory/2368-2-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp
    Filesize
    9.9MB
  • memory/2368-1-0x0000000001200000-0x0000000001214000-memory.dmp
    Filesize
    80KB
  • memory/2368-0-0x000007FEF6343000-0x000007FEF6344000-memory.dmp
    Filesize
    4KB
  • memory/2368-1044-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp
    Filesize
    9.9MB