Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    05/11/2024, 16:00

General

  • Target

    ransom.exe

  • Size

    7.8MB

  • MD5

    648bd793d9e54fc2741e0ba10980c7de

  • SHA1

    f5d0c94b2be91342dc01ecf2f89e7e6f21a74b90

  • SHA256

    102276ae1f518745695fe8f291bf6e69856b91723244881561bb1a2338d54b12

  • SHA512

    d1428b934a360d7f3651947d11081892c93c7cd29a17dc38190cbb46c95939928ac6f805adf586be2937e27fc20aec8bd1fc2c782c681e7e94e9e8d33b8ebf15

  • SSDEEP

    98304:9+v9K8MgmB4oIWcCJ3ZZVL8oYi5lTkZkmla1DXL:S4uWcCT9Gzl

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\CyberVolk_ReadMe.txt

Ransom Note
Greetings. All your files have been encrypted by CyberVolk ransomware. Please never try to recover your files without decryption key which I give you after pay. They could be disappeared. You should follow my words. Pay $1000 BTC to below address. My telegram : @hacker7 Our Team : https://t.me/cubervolk We always welcome you and your payment.
URLs

https://t.me/cubervolk

Signatures

  • Renames multiple (877) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ransom.exe
    "C:\Users\Admin\AppData\Local\Temp\ransom.exe"
    • Drops startup file
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    PID:1400

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.cvenc

          Filesize

          141KB

          MD5

          9c4fc26dc3347657a018b49089a2e38a

          SHA1

          0c8bdde7159dba6633154243abeb9af2d7a25481

          SHA256

          6532d2a6e16c09212c9ed61503f0b4c27a1324c5ac03d602261c604526d30fae

          SHA512

          ba0a785c4cfb84d0b8e464d043e6ba12b7a95db2e4c92390edbaacab84bc1e289bbf4ae38d0c887103a698505b3859ce493d9026bb248055f37d50168152f161

        • C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\CyberVolk_ReadMe.txt

          Filesize

          348B

          MD5

          ce7ff0a9361571a2dcb08f50500ace3f

          SHA1

          5d8bed459f55a37e2fcb801d04de337a01c5d623

          SHA256

          894bc59f5227b4d545412b2a2897367d7ac88090c86f5a1728bf733e70bd93ee

          SHA512

          bba6d46fae5b4099b047b192f7df21fdf01675b09f3da38a365710fc9aa5b126cc6a2c2547be48deecfaa360e1521cf04a9793af083735de4a8cb7be9bd4c52a

        • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT.cvenc

          Filesize

          1KB

          MD5

          d1de577b1ce56dd27cac494d8b332ad5

          SHA1

          83911368e58a91c70a11a7018b0f0e4875a81587

          SHA256

          f2272df51e9c9411bc77d6751bba929062d8650f77c63e6865c066db7a495c59

          SHA512

          07431f68507cb5e964d86fc6502446d7f7c6797163b729d7704535f0f167257f2587cc5744d5f1d34a50ad5d687fffe3e7a20f0af252b5f3b3fd8503c0f17834

        • C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\L7XNHY48\desktop.ini.cvenc

          Filesize

          1KB

          MD5

          b763cf85bfa70bb63fd762b7afabe7f9

          SHA1

          05e36ed564729fe06a8f7419f897ac76e6cb9243

          SHA256

          ea9a76293b195d7a5c859f670ca95ae8a92967408c85f625fcb855e343ec43d9

          SHA512

          9e263abe914bb6923d079f5e3913c8801531f6b5a92ae784874d2eb49689df3aa6e978e37c3c5c652bb8c0e9f78df1570f6b3b9cc7e68bff18f6cbebe945afa4

        • C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.cvenc

          Filesize

          29KB

          MD5

          9dbdcf0e653349180f64452a1c29b1ad

          SHA1

          1a85c4ee7a5e00597919f4efb8035ec49d88590f

          SHA256

          5c2b723318e8b403db1b9b656c024c5c32eae2c554469071934137711d3df5f2

          SHA512

          697c2bd4d15a90573deaa5e222fa195dd003a4c097d47322cddf8c5b225046a581dad912e6a5a21e5e29a51426003f219925dc28354c56b737fa8ca7d154e3e5

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8O71085\desktop.ini.cvenc

          Filesize

          1KB

          MD5

          2ec6f979d13d95746b4e63f22da8bd48

          SHA1

          52ba665e439d7651e0a8938b4687ff97d73859fb

          SHA256

          4381605bb6547c8e82108526d595118607cc6a31f8be0c7de413a67e5e987e1c

          SHA512

          ed63e624ee3cf77754aa9a4be2c135e721b8a1efd0680a8f430105c4da1528a7796a358c6f4b55c53a5a1c4e75e84eb48b5055d55bedabee69e034b635893170

        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.cvenc

          Filesize

          49KB

          MD5

          70b9498e5564a6b4c0e463d238e121aa

          SHA1

          401bd7da5f3220ccd7d3033ad3e41d762479cf37

          SHA256

          74bbae7206fbe6e18fda6740d77e0e6266d69f863282e13148c4662baa82595f

          SHA512

          4a696d5354591f3c56dd14c0be95187a011731fe8eb7741da71b77ff0738457d52352c538ff63834b4f906db994428df1054c51f9c16192d702481d5b0a0d748