0622aed252556af50b834ae16392555e51d67b3a4c67a6836b98534a0d14d07d

General

Target

enc_windows_amd64.exe
Size

3.9MB
MD5

d1cd0d1ecf05b1c49c732e7070214676
SHA1

966752f12e81ffa1322da91f861fb0ee0ee771e7
SHA256

0622aed252556af50b834ae16392555e51d67b3a4c67a6836b98534a0d14d07d
SHA512

0034a06e2d0cdfd33795819d6a83794ed8eca02e22acd4da83fcef579ba235198e07a6bd9269022346f73e1d6e48064ea18109dfcbf340b7aaa404969dd04fa6
SSDEEP

49152:ihufkf4ncUrb/TpvO90d7HjmAFd4A64nsfJeVZGmrbqqCz+Qepylb5EmBamsgNTP:iknc4ZG2qepwE+0D+q

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\Default\Documents\HOW_RETURN_YOUR_DATA.TXT

Ransom Note

Hello! Your files have been stolen from your network and encrypted with a strong algorithm. We work for money and are not associated with politics. All you need to do is contact us and pay. --- Our communication process: 1. You contact us. 1. We send you a list of files that were stolen. 2. We decrypt 1 file to confirm that our decryptor works. 3. We agree on the amount, which must be paid using BTC. 4. We delete your files, we give you a decryptor. 5. We give you a detailed report on how we compromised your company, and recommendations on how to avoid such situations in the future. --- Client area (use this site to contact us): Link for Tor Browser: http://panela3eefdzfzxzxcshfnbustdprtlhlbe3x2fqomdz7t33iqtzvjyd.onion/Url=ddb34da5-dce4-4b46-8f7d-4674ab38be9d >>> to begin the recovery process. * In order to access the site, you will need Tor Browser, you can download it from this link: https://www.torproject.org/ --- Recommendations: DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. --- Important: If you refuse to pay or do not get in touch with us, we start publishing your files. Ehe decryptor will be destroyed and the files will be published on our blog. Blog: http://dataleakypypu7uwblm5kttv726l3iripago6p336xjnbstkjwrlnlid.onion Sincerely!

URLs

http://panela3eefdzfzxzxcshfnbustdprtlhlbe3x2fqomdz7t33iqtzvjyd.onion/Url=ddb34da5-dce4-4b46-8f7d-4674ab38be9d

http://dataleakypypu7uwblm5kttv726l3iripago6p336xjnbstkjwrlnlid.onion

Signatures

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	enc_windows_amd64.exe
File opened (read-only)	\??\N:	enc_windows_amd64.exe
File opened (read-only)	\??\T:	enc_windows_amd64.exe
File opened (read-only)	\??\X:	enc_windows_amd64.exe
File opened (read-only)	\??\Y:	enc_windows_amd64.exe
File opened (read-only)	\??\P:	enc_windows_amd64.exe
File opened (read-only)	\??\V:	enc_windows_amd64.exe
File opened (read-only)	\??\Z:	enc_windows_amd64.exe
File opened (read-only)	\??\S:	enc_windows_amd64.exe
File opened (read-only)	\??\W:	enc_windows_amd64.exe
File opened (read-only)	\??\A:	enc_windows_amd64.exe
File opened (read-only)	\??\J:	enc_windows_amd64.exe
File opened (read-only)	\??\K:	enc_windows_amd64.exe
File opened (read-only)	\??\L:	enc_windows_amd64.exe
File opened (read-only)	\??\M:	enc_windows_amd64.exe
File opened (read-only)	\??\Q:	enc_windows_amd64.exe
File opened (read-only)	\??\F:	enc_windows_amd64.exe
File opened (read-only)	\??\U:	enc_windows_amd64.exe
File opened (read-only)	\??\B:	enc_windows_amd64.exe
File opened (read-only)	\??\G:	enc_windows_amd64.exe
File opened (read-only)	\??\H:	enc_windows_amd64.exe
File opened (read-only)	\??\I:	enc_windows_amd64.exe
File opened (read-only)	\??\O:	enc_windows_amd64.exe
File opened (read-only)	\??\R:	enc_windows_amd64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1976	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	3024	vssvc.exe
Token: SeRestorePrivilege	3024	vssvc.exe
Token: SeAuditPrivilege	3024	vssvc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\enc_windows_amd64.exe
"C:\Users\Admin\AppData\Local\Temp\enc_windows_amd64.exe"
1⤵
- Enumerates connected drives
PID:2336

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HOW_RETURN_YOUR_DATA.TXT
1⤵
- Opens file in notepad (likely ransom note)
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Default\Documents\HOW_RETURN_YOUR_DATA.TXT

Filesize
1KB

MD5
395d34dc36563e90fef8bb03778d3487

SHA1
dbcd404a78333833593786929d3c9428922eb779

SHA256
7ea3d3a1757eddac38af28aac572f871762ca84a7af6c951d40b6e673c4ce455

SHA512
404f2cf22d7c304d4b789410b96f56ae27c3f6ce2d1f0c910f2b938f15c4cf40825cee1f754d15192639ff0b350a24db22916117a85ef6e1031d584ded120086

Download Submit
memory/2336-389-0x000000C000000000-0x000000C000400000-memory.dmp

Filesize
4.0MB

Download
memory/2336-388-0x000000C000000000-0x000000C000400000-memory.dmp

Filesize
4.0MB

Download
memory/2336-390-0x000000C000000000-0x000000C000400000-memory.dmp

Filesize
4.0MB

Download
memory/2336-391-0x000000C000000000-0x000000C000400000-memory.dmp

Filesize
4.0MB

Download
memory/2336-392-0x000000C000000000-0x000000C000400000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing