Analysis
- max time kernel: 150s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 05/11/2024, 16:00
Static task
- static1
Behavioral tasks
- behavioral1: main.exe, resource win7-20240903-en
- behavioral2: main.exe, resource win10v2004-20241007-en
- behavioral3: ransom.exe, resource win7-20240903-en
- behavioral4: ransom.exe, resource win10v2004-20241007-en
- behavioral5: key_gen/main.exe, resource win7-20240729-en
- behavioral6: key_gen/main.exe, resource win10v2004-20241007-en
- behavioral7: key_gen/ransom.exe, resource win7-20240903-en
- behavioral8: key_gen/ransom.exe, resource win10v2004-20241007-en
- behavioral9: ransom/Release/ransom.exe, resource win7-20240729-en
- behavioral10: ransom/Release/ransom.exe, resource win10v2004-20241007-en
- behavioral11: ransom/ransom/Crypto/RSA/bigdigits.vbs, resource win7-20240903-en
- behavioral12: ransom/ransom/Crypto/RSA/bigdigits.vbs, resource win10v2004-20241007-en
- behavioral13: ransom/ransom/Cryptographic.js, resource win7-20241010-en
- behavioral14: ransom/ransom/Cryptographic.js, resource win10v2004-20241007-en
- behavioral15: ransom/ransom/ransom.js, resource win7-20240903-en
- behavioral16: ransom/ransom/ransom.js, resource win10v2004-20241007-en
General
- Target: ransom.exe
- Size: 7.8MB
- MD5: 648bd793d9e54fc2741e0ba10980c7de
- SHA1: f5d0c94b2be91342dc01ecf2f89e7e6f21a74b90
- SHA256: 102276ae1f518745695fe8f291bf6e69856b91723244881561bb1a2338d54b12
- SHA512: d1428b934a360d7f3651947d11081892c93c7cd29a17dc38190cbb46c95939928ac6f805adf586be2937e27fc20aec8bd1fc2c782c681e7e94e9e8d33b8ebf15
- SSDEEP: 98304:9+v9K8MgmB4oIWcCJ3ZZVL8oYi5lTkZkmla1DXL:S4uWcCT9Gzl
Malware Config
Extracted
- C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\CyberVolk_ReadMe.txt
- https://t.me/cubervolk
Signatures
- Renames multiple (877) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Credentials from Password Stores: Windows Credential Manager (1 TTPs)
  Suspicious access to Credentials History.
- Drops startup file (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | ransom.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.cvenc | ransom.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt | ransom.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CyberVolk_ReadMe.txt | ransom.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt | ransom.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CyberVolk_ReadMe.txt | ransom.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (64 IoCs)
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\i:, \??\p:, \??\r:, \??\s:, \??\w:, \??\x:, \??\a:, \??\h:, \??\k:, \??\z:, \??\g:, \??\m:, \??\n:, \??\t:, \??\v:, \??\y:, \??\e:, \??\j:, \??\l:, \??\o:, \??\q:, \??\u:, \??\b: | ransom.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" | ransom.exe
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ransom.exe
MITRE ATT&CK Enterprise v15
- Credential Access
  - Credentials from Password Stores (2)
    - Credentials from Web Browsers (1)
    - Windows Credential Manager (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads