Analysis

  • max time kernel
    156s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-11-2024 21:23

General

  • Target

    RNSM00356.7z

  • Size

    3.9MB

  • MD5

    376785ae266b5afd8aca391147462e44

  • SHA1

    35b982f366aaae74e368e935560a9040e5a16ce6

  • SHA256

    a5aad9efebed50cd31ba1f27ed16d7b56da8aa63407e2f949bed778e18233c51

  • SHA512

    6eb0f0869ec1954dfa14cb788b7b1557ab355d5f0a57bab0fa457a6ab272e80b802b8e36796cccdb3e83dcd0979e8178f6ed2ce19a35d04f3ba4c3bf3feb743c

  • SSDEEP

    98304:xhMqxdoBUoWTqmowUNWxnnruTPQaXbB7wfXyBsogDP2JEuqg9d:pzCgnrgP9ByyBsogilR9d

Malware Config

Extracted

Path

C:\$Recycle.Bin\OZUGY-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0 =---

Attention!

All your files, documents, photos, databases and other important files are encrypted and have the extension: .OZUGY

The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.

The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/c2e6ee19141949a8
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

---BEGIN GANDCRAB KEY---
lAQAAOF6zMCioWWwHC5NYgiQKvZZ3f53oi5kB0AsYlxYVjD2mVr9UR8DlbFdaTFaHByt3rJxkmfvzvkCAepcyrpc/bXhc8yRh7j/Lxd47hbB+r3VxYBVTBcmhVJxVW7NIFVUHxO22Cdod2lqRqoa8QufzZq6I87MWOHWAJRNBAfQbpOAdCxb8Du7XI+StqxSBCWRNsf+zEFrwXeNGZ7YAXufK4O9y4i6UhWUvZeCHyaQx9wLBt0b2cPHx6WIwJi5H8aeu0Gev+z80kLYaVT+mGIbha49XwL3EyT7wFddzPSDCdQR/k2U3PWQZTFeiP67lmfumXqWVfj1qBnSOMVoyXCCnbB98XCoBfupMMu4aD+BC9ouX73wExzfH0jEc0EaEgkvrO7qwB/Vvc2B79m3J6eR3OzmABd5Eqy5dleAJO0JwLnVqdj0mMDpsGyLEPLtth0Kq07khzBy1W7PZqUHYur07tzSKBLLdAaTGxSXbwZBUX1poxQgiCU2pgTRq13rj9Dls+4v8mQdoWjD9gQ4Gm5H5YEptwKA+37EYzuF5Zb73unMIWLuL0Lm+QjFwihWj+PwcyHe+m0lAaCp7IEcy6hdQ6y9xD7NTM6mZQHW+l6sUI267vWtPdGQwOQVp/DJ2p0FdX6mKjAkK0SycI3fuOzFlkXCGBQsqJQlUPJYvAXc+thqcpMsjemUhyY0IIRtBCdKhNwdtGJC3aetkWH/niIKD4hJwcdo6iZCGtonYYnF2i+CcrUTNTrY49leOO5SNpwp9MxSs1wNNWZZL2IC8+eSj8iGrvMVAWRqKCKqwPRxSpWM7hdC9sFU+VJGQFZgtt1DHeXaO6EuQwB5MuLwY2IZHVgD5ZLworC9OEdmaV06f9jWvKFlSCRC16ou2iwpugDmDBgO1Nhwqhe6LLLczIXmJYJoJXfZtNYrEC9rMJ6+cJ2JzZDZ2Hx6WwPxJt0sXvnTKEYA224xre4XR4urYiwA1E76LFPOXnt4vLVedlMC97ofWRKbqPKgCeeEeK4xAdF4WXxuv87ZwIhtII/IlOn/SGE9EfRFUDpS6971mjGN2kKvMi34uCaYFyDcvX42/HiY/svp5bsAkuNVGIndmzaKRl/rwJ9zl2keRklIIWq7sEJhxpyA36G92SlchCZJqJs86jCaQOM56PVzkDfiKpXx3RQu2H6Z3pB323OVUH9U/1aFNQjhcfi51+9Jr+BUQrtXW1bRYMBiil+pykiuX5jeZgc2XLxRp73ZLChVtyQI2XwI6UUDyAp8SKDfhy9+ygYiJS917A4ygEDNpjJs6SN2ABqFuwqoVYjPwJXPz3h5CK945vRbVIshEikVoc25DHaFljx/MS7IsDK8F0K22L2V+yQihm4butshoAhts+Mvn2fgBsYzpsuKdtwGIGZcmLN1X3VyTcvfKiOF5wTCQI4yibWdRTFV2DSO5jJhHgIUg6+OYIjKICzZW11VWTMTMIbr8uvYWHHIj+omkD/r6zKAU0WFjjlqLDZc1VAUSGyQOPwNQSGgToWjeM8Q0bae7p+NiPCH+v1oLjTSOwju9Xh/GLv+vQ6OZF8w+lvAfJ64XSQMTOcf16MwT9CrEIYRFkC2ojCKm31uAubDkElH+JrfcEBKedw/CVL6OCEmB+/wJH4fSs2p4K5GRzHeT/WGLHVG7PVuQ97+VzE90e/EZNi38jiPwyGoRUeK4RtNfO9G3a2tKnZRFIYnfoMIsgRJo1/FRyrnD+dILbf4nSPOz5l4Dh1wn+XmIh+r0v9NwwYUq211Stb/SKORWG8VcTKAJe4lHOtajTAOoLPwZV/PA2gGsFHO2uKmwrhZuo1IXO/Ad6KkgmpHmyfYjXpNaWgkRzIM6K4JsdsnXk151zv9EDbcFd3xUuiTKijghcgJ//DYjpT8vRNvOoRTOMahjSFDkf27+Qr4Rde00qhtMvaeGbpWJB30sMfIdokaGzKTgDAFhvth6tVUxBTbYJDKN6oNb21+3pigUuSEBzWi
FDrUUEthZMD+Mwm1ID3ydCr7R8b/bzRwGipeIXdLpI2AkZ3pu20ArcSfYDVYu5VeojiLWzNNJr7FqQi20+gnpXGCGrTpq9LWOoifIg51OmC9idztNrT6wzlvjcR8muOESf80LVt6ktMrUzAzKAGxOr/9UREtrq8IrOZQBCDCsP2RLsioIyuvsjDjE4MY2udZhq0rJ9kMLLSgzT87b9VFXKPa4mlX9jvv8d2bmpVZbgVUQ34EJdoMOpPcVv8=
---END GANDCRAB KEY---
---BEGIN PC DATA---
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/c2e6ee19141949a8
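
The Malware Config block above is what a note parser produces: the extension, the onion URL with its victim-specific path, and the key blob between the GANDCRAB KEY markers. The following is an added example, not code from the report or from any tool it names: it pulls those fields out of a GandCrab V5 note, decodes the key blob, and checks the two filename conventions the report itself shows, the note named after the extension (OZUGY-DECRYPT.txt) and encrypted files carrying that extension in lower case (.ozugy). The sample note is constructed from the one above with its prose elided, the key blob cut to its first 72 characters and the PC DATA block left empty; the field names are this example's own.

```python
"""Added example (not part of the sandbox report): extract the config fields
from a GandCrab V5 ransom note and check the filename conventions the report
shows. Sample note constructed from the report's text; field names are ours."""
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class GandCrabNote:
    version: str
    extension: str      # appended to encrypted files, e.g. ".OZUGY"
    onion_url: str
    victim_id: str      # path component of the onion URL
    key_blob: bytes     # decoded ---BEGIN/END GANDCRAB KEY--- block


_VERSION = re.compile(r"---=\s*GANDCRAB\s+V([\d.]+)\s*=---")
_EXT = re.compile(r"have the extension:\s*(\.[A-Za-z0-9]+)")
_URL = re.compile(r"(https?://[a-z2-7]{16,56}\.onion/([A-Za-z0-9]+))")
_KEY = re.compile(r"---BEGIN GANDCRAB KEY---\s*(.*?)\s*---END GANDCRAB KEY---", re.S)


def parse_note(text: str) -> GandCrabNote:
    """Return the extracted fields; raise ValueError if a field is missing
    or the key block is not valid base64 (a sign the note was tampered with)."""
    matches = {}
    for name, rx in (("version", _VERSION), ("extension", _EXT),
                     ("url", _URL), ("key", _KEY)):
        m = rx.search(text)
        if not m:
            raise ValueError(f"note is missing the {name} field")
        matches[name] = m
    # Notes wrap the blob across lines; strip all whitespace before decoding.
    blob = re.sub(r"\s+", "", matches["key"].group(1))
    key = base64.b64decode(blob, validate=True)
    return GandCrabNote(
        version=matches["version"].group(1),
        extension=matches["extension"].group(1),
        onion_url=matches["url"].group(1),
        victim_id=matches["url"].group(2),
        key_blob=key,
    )


def expected_note_name(extension: str) -> str:
    """Note filename derived from the extension, as OZUGY-DECRYPT.txt in the report."""
    return f"{extension.lstrip('.').upper()}-DECRYPT.txt"


def is_encrypted_name(path: str, extension: str) -> bool:
    """Encrypted files end in the extension; the report shows it lower-cased (.ozugy)."""
    return path.lower().endswith(extension.lower())


# Constructed sample: header, extension and URL as recorded in the report,
# prose elided with "...", key blob cut to 72 characters, PC DATA left empty.
SAMPLE_NOTE = (
    "---= GANDCRAB V5.0 =--- Attention! All your files ... are encrypted and "
    "have the extension: .OZUGY ... 3. Open link in TOR browser: "
    "http://gandcrabmfe6mnef.onion/c2e6ee19141949a8 | 4. Follow ... "
    "---BEGIN GANDCRAB KEY--- lAQAAOF6zMCioWWwHC5NYgiQKvZZ3f53oi5kB0AsYlxY"
    "VjD2mVr9UR8DlbFdaTFaHByt3rJx ---END GANDCRAB KEY--- "
    "---BEGIN PC DATA--- ---END PC DATA---"
)

if __name__ == "__main__":
    note = parse_note(SAMPLE_NOTE)
    print(f"version={note.version} ext={note.extension} url={note.onion_url}")
    print(f"victim_id={note.victim_id} key_bytes={len(note.key_blob)}")
    print("note file:", expected_note_name(note.extension))
    for p in (r"C:\$Recycle.Bin\OZUGY-DECRYPT.txt",
              r"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\x.ozugy"):
        print(p, "encrypted" if is_encrypted_name(p, note.extension) else "not encrypted")
```

The base64 check matters in practice: the note tells victims not to change the data below the key marker, because the blob is what the operators' portal uses to look the victim up; a blob that fails to decode means the note was edited or truncated and the extraction should be flagged rather than trusted.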

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Princeboy1
Mutex

123f6b8d-bd46-482b-bbfe-b5cde1cc0d04

Attributes
  • fields

    _AntiDebugger: false
    _AntiVirusKiller: false
    _BotKiller: false
    _ClipboardLogger: false
    _Delivery: 0
    _DisableCommandPrompt: false
    _DisableRegEdit: false
    _DisableTaskManager: false
    _Disablers: false
    _EmailPassword: Princeboy1
    _EmailPort: 587
    _EmailSSL: true
    _EmailServer: smtp.yandex.com
    _EmailUsername: [email protected]
    _ExecutionDelay: 10
    _FTPPort: 0
    _FTPSFTP: false
    _FakeMessageIcon: 0
    _FakeMessageShow: false
    _FileBinder: false
    _HideFile: false
    _HistoryCleaner: false
    _Install: false
    _InstallLocation: 0
    _InstallStartup: false
    _InstallStartupPersistance: false
    _KeyStrokeLogger: false
    _LogInterval: 300
    _MeltFile: false
    _Mutex: 123f6b8d-bd46-482b-bbfe-b5cde1cc0d04
    _PasswordStealer: true
    _ProcessElevation: false
    _ProcessProtection: false
    _ScreenshotLogger: false
    _SystemInfo: false
    _Version: 9.0.1.6
    _WebCamLogger: false
    _WebsiteBlocker: false
    _WebsiteVisitor: false
    _WebsiteVisitorVisible: false
    _ZoneID: false

  • name

    HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Gandcrab family
  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

  • Hawkeye_reborn family
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

  • M00nd3v_logger family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Troldesh family
  • Troldesh, Shade, Encoder.858

    Troldesh is a ransomware spread by malspam.

  • Windows security bypass 2 TTPs 6 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Detected Nirsoft tools 4 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • M00nD3v Logger payload 6 IoCs

    Detects M00nD3v Logger payload in memory.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers

  • Renames multiple (297) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 14 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Windows security modification 2 TTPs 7 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 56 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00356.7z"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2660
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Users\Admin\Desktop\00356\HEUR-Trojan-Ransom.MSIL.Blocker.gen-651652c6eb59a36cd2fe91699344641d1a28bff18f8d4cbe2437a5970904ee4a.exe
      HEUR-Trojan-Ransom.MSIL.Blocker.gen-651652c6eb59a36cd2fe91699344641d1a28bff18f8d4cbe2437a5970904ee4a.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Users\Admin\Desktop\00356\HEUR-Trojan-Ransom.MSIL.Blocker.gen-651652c6eb59a36cd2fe91699344641d1a28bff18f8d4cbe2437a5970904ee4a.exe
        "HEUR-Trojan-Ransom.MSIL.Blocker.gen-651652c6eb59a36cd2fe91699344641d1a28bff18f8d4cbe2437a5970904ee4a.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        PID:2380
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp956C.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:832
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp873A.tmp"
          4⤵
          • Accesses Microsoft Outlook accounts
          • System Location Discovery: System Language Discovery
          PID:1292
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1804
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2564
    • C:\Users\Admin\Desktop\00356\HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-d302d51da513c1340b64683fbd78112085e1906a3a96928183518a8b489fa26c.exe
      HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-d302d51da513c1340b64683fbd78112085e1906a3a96928183518a8b489fa26c.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1816
    • C:\Users\Admin\Desktop\00356\HEUR-Trojan-Ransom.Win32.Blocker.gen-17c51c73c265f45369b5e11280c1576858f812058807f3ba5bf33dd5ab5ac16c.exe
      HEUR-Trojan-Ransom.Win32.Blocker.gen-17c51c73c265f45369b5e11280c1576858f812058807f3ba5bf33dd5ab5ac16c.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\T80050476080780\winsvcs32.exe
        C:\Windows\T80050476080780\winsvcs32.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Windows security bypass
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2064
    • C:\Users\Admin\Desktop\00356\HEUR-Trojan-Ransom.Win32.Encoder.gen-812f5627bbfa5311fc96d5894cea16788c4f81d644729ebaea432a45d65ab8fa.exe
      HEUR-Trojan-Ransom.Win32.Encoder.gen-812f5627bbfa5311fc96d5894cea16788c4f81d644729ebaea432a45d65ab8fa.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\SysWOW64\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2844
    • C:\Users\Admin\Desktop\00356\HEUR-Trojan-Ransom.Win32.Shade.gen-ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe
      HEUR-Trojan-Ransom.Win32.Shade.gen-ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:2196
    • C:\Users\Admin\Desktop\00356\Trojan-Ransom.Win32.Agent.autk-1ecb94b101c6229a60475748fee4ecbf656e6d77722d7b422378d47c9510d293.exe
      Trojan-Ransom.Win32.Agent.autk-1ecb94b101c6229a60475748fee4ecbf656e6d77722d7b422378d47c9510d293.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2780
    • C:\Users\Admin\Desktop\00356\Trojan-Ransom.Win32.Blocker.mopc-defdfb21f88faa2c9c674737742f28c620c8939acd51ea237bfd54ac4a7d6656.exe
      Trojan-Ransom.Win32.Blocker.mopc-defdfb21f88faa2c9c674737742f28c620c8939acd51ea237bfd54ac4a7d6656.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows-SearchEnginee.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows-SearchEnginee.exe" NTFileIndexer
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        PID:1820
    • C:\Users\Admin\Desktop\00356\Trojan-Ransom.Win32.Crypren.adnc-721ccbb780b308c6c40817749b6764ad06cd2e56389bba1618a0dadc362d6429.exe
      Trojan-Ransom.Win32.Crypren.adnc-721ccbb780b308c6c40817749b6764ad06cd2e56389bba1618a0dadc362d6429.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1064
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" netsh firewall set opmode disable
        3⤵
        • System Location Discovery: System Language Discovery
        PID:764
    • C:\Users\Admin\Desktop\00356\Trojan-Ransom.Win32.GandCrypt.fre-0a3c367793c08a1002ba036e11b95839f9ef630b2763bb0e6d513fb9ea95a400.exe
      Trojan-Ransom.Win32.GandCrypt.fre-0a3c367793c08a1002ba036e11b95839f9ef630b2763bb0e6d513fb9ea95a400.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies system certificate store
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\SysWOW64\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2524
    • C:\Users\Admin\Desktop\00356\Trojan-Ransom.Win32.Shade.pnu-404ae50b0e1bce4b8421cc654b54591fcc84edd600c76e1a2dda1e0653a6cfe9.exe
      Trojan-Ransom.Win32.Shade.pnu-404ae50b0e1bce4b8421cc654b54591fcc84edd600c76e1a2dda1e0653a6cfe9.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:2104
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:964
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2132
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\00356\OZUGY-DECRYPT.txt
    1⤵
    PID:2404
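
The process tree above is enough to write process-creation detections for the behaviours the signatures list: shadow copy deletion through `wmic shadowcopy delete` (PIDs 2844 and 2524, children of the two ransomware samples 2264 and 2472), the firewall switched off through `netsh firewall set opmode disable` (PID 764), the NirSoft dumps driven through `vbc.exe /stext` (PIDs 832 and 1292), and an argument-less `RegAsm.exe` spawned by the GandCrypt.gen sample after `SetThreadContext` (PID 1816). The following is an added example, not part of the sandbox report or of any tool it names: it runs those rules over constructed Sysmon-style events whose command lines are copied from the tree. The event layout, rule names, ATT&CK mappings and the two benign control events are this example's own assumptions. Two points a hunter should carry over: the netsh line reaches cmd.exe without `/c`, so the firewall rule matches on the command text rather than on which image carried it, and the .NET-host rules require the parent to live under a user-writable path, because build tools and installers launch vbc.exe and RegAsm.exe legitimately.

```python
"""Added example (not part of the sandbox report): process-creation rules for
the behaviours in the tree above, run over constructed Sysmon-style events.
Command lines and PIDs come from the report; everything else is assumed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    cmdline: str
    parent_image: str   # full path of the parent process


# .NET utilities the report shows hosting stealer code (vbc.exe for the
# NirSoft dumps, RegAsm.exe for the hollowed payload), plus their siblings.
DOTNET_HOSTS = {"vbc.exe", "regasm.exe", "regsvcs.exe", "csc.exe"}
# Parent binary living in a user-writable location (Desktop, AppData, Downloads).
USER_PATH = re.compile(r"\\users\\[^\\]+\\(?:desktop|appdata|downloads)\\")
FIREWALL_OFF = re.compile(
    r"netsh\s+(?:adv)?firewall\s+set\s+(?:opmode\s+disable|allprofiles\s+state\s+off)")
REGASM_NO_ARGS = re.compile(r'\s*"?[^"]*\\regasm\.exe"?\s*')


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the rule names the event triggers (empty list if none)."""
    img, cmd = _base(ev.image), ev.cmdline.lower()
    user_dropped_parent = bool(USER_PATH.search(ev.parent_image.lower()))
    hits: list[str] = []

    # T1490 Inhibit System Recovery: shadow copies removed via WMIC or vssadmin.
    if img == "wmic.exe" and re.search(r"\bshadowcopy\b.*\bdelete\b", cmd):
        hits.append("T1490 wmic shadowcopy delete")
    if img == "vssadmin.exe" and re.search(r"\bdelete\b.*\bshadows\b", cmd):
        hits.append("T1490 vssadmin delete shadows")

    # T1562.004 Disable or Modify System Firewall. Text match only: in the
    # report the netsh command is handed to cmd.exe without /c.
    if FIREWALL_OFF.search(cmd):
        hits.append("T1562.004 netsh firewall disable")

    # T1555 Credentials from Password Stores: NirSoft "/stext <file>" switch
    # inside a .NET host whose parent runs from a user-writable directory.
    if img in DOTNET_HOSTS and "/stext" in cmd and user_dropped_parent:
        hits.append(f"T1555 NirSoft dump hosted in {img}")

    # T1055 Process Injection: RegAsm.exe with no assembly to register has no
    # legitimate job; from a user-dropped parent it is a hollowing host.
    if img == "regasm.exe" and user_dropped_parent and REGASM_NO_ARGS.fullmatch(cmd):
        hits.append("T1055 argument-less RegAsm.exe from user-dropped parent")
    return hits


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map PID -> triggered rules, keeping only events that fired something."""
    out: dict[int, list[str]] = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            out[ev.pid] = hits
    return out


# Parent images as named in the report's process tree.
ENCODER = r"C:\Users\Admin\Desktop\00356\HEUR-Trojan-Ransom.Win32.Encoder.gen-812f5627bbfa5311fc96d5894cea16788c4f81d644729ebaea432a45d65ab8fa.exe"
CRYPREN = r"C:\Users\Admin\Desktop\00356\Trojan-Ransom.Win32.Crypren.adnc-721ccbb780b308c6c40817749b6764ad06cd2e56389bba1618a0dadc362d6429.exe"
BLOCKER = r"C:\Users\Admin\Desktop\00356\HEUR-Trojan-Ransom.MSIL.Blocker.gen-651652c6eb59a36cd2fe91699344641d1a28bff18f8d4cbe2437a5970904ee4a.exe"
GANDCRYPT = r"C:\Users\Admin\Desktop\00356\HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-d302d51da513c1340b64683fbd78112085e1906a3a96928183518a8b489fa26c.exe"

# Constructed events: the first four copy PIDs and command lines from the
# report; the last two are made-up benign controls that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(2844, r"C:\Windows\SysWOW64\wbem\wmic.exe",
              r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete', ENCODER),
    ProcEvent(764, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" netsh firewall set opmode disable', CRYPREN),
    ProcEvent(832, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp956C.tmp"', BLOCKER),
    ProcEvent(1816, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"', GANDCRYPT),
    ProcEvent(4001, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase "C:\Program Files\Vendor\Lib.dll"',
              r"C:\Windows\System32\msiexec.exe"),
    ProcEvent(4002, r"C:\Windows\System32\wbem\wmic.exe",
              r'"C:\Windows\System32\wbem\wmic.exe" os get caption', r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(hits))
```

The parent-path condition is what keeps the .NET-host rules usable on a fleet: an installer running RegAsm.exe with `/codebase`, or a build server running vbc.exe, produces neither a `/stext` switch nor an empty argument list from a Desktop or AppData parent, so the two control events stay silent while the four recorded launches fire.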

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\$Recycle.Bin\OZUGY-DECRYPT.txt

      Filesize

      8KB

      MD5

      919cca583c1af8c8e4296df5ff2a0d20

      SHA1

      6d4bf6dca3de6e496b84a72eba91f1db05347979

      SHA256

      587017a73dcf4520d5d9f752303c532f8e5c563e48c6af75b0640bcfbe85f083

      SHA512

      67137884ff3949ea61a8084eca4658bf2f4ef99c3c149301fe4af405871d1ddf5a70d200d3dde3a7c8179b1b2be04516ad75bc41b29f8d3653631f0ebdf433b8

    • C:\Users\Admin\AppData\Local\Temp\CabA4F.tmp

      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    • C:\Users\Admin\AppData\Local\Temp\TarBB9.tmp

      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    • C:\Users\Admin\AppData\Local\Temp\tmp956C.tmp

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3692679935-4019334568-335155002-1000\0f5007522459c86e95ffcc62f32308f1_6110149a-fcf0-442a-a749-601093ba4822.ozugy

      Filesize

      586B

      MD5

      8e30c32b05ca2688e939689794d8abf7

      SHA1

      cd6c6e61d2e2291890f5ce01ddf7fa75de2bba79

      SHA256

      5d3ae90f4578bf1241a8b65a4c2249a01d5dc63878d1626d1ead41d4f748051f

      SHA512

      c1b508e546adb5924e7a5c6d832e5549cb9b94f873e512b5ed03a95c01ba885951aaa6fe50c2f75436dad3e6c07e26871932be6c06d9055b3ecd2a661317f1a4

    • C:\Users\Admin\Desktop\00356\HEUR-Trojan-Ransom.MSIL.Blocker.gen-651652c6eb59a36cd2fe91699344641d1a28bff18f8d4cbe2437a5970904ee4a.exe

      Filesize

      768KB

      MD5

      7f202658dcb777cf61e8e315e8bddfcd

      SHA1

      1b173c702742d7c1b749223f4728520c5506f38a

      SHA256

      651652c6eb59a36cd2fe91699344641d1a28bff18f8d4cbe2437a5970904ee4a

      SHA512

      27cfb4dd0893646cfa01a39133d294f1b66721d6916382b9b710d062c487bf332c3d43669e8ca2268879b33ce46caf519581e271beea7d2e704a14582129a3ab

    • C:\Users\Admin\Desktop\00356\HEUR-Trojan-Ransom.MSIL.GandCrypt.gen-d302d51da513c1340b64683fbd78112085e1906a3a96928183518a8b489fa26c.exe

      Filesize

      859KB

      MD5

      69957ec4e3c28854bb1b10d775bc8413

      SHA1

      0f52a047d7ed10504dca99b68fdea0f8dd5d5152

      SHA256

      d302d51da513c1340b64683fbd78112085e1906a3a96928183518a8b489fa26c

      SHA512

      29d36dcac4db79f1286a4a3504c972f24b797a8744c29fd5ff158ae1d07166dcfc2a7cd1b469ac5350a79395597b28561bc29672c1ea93c6766543f762ff2c6d

    • C:\Users\Admin\Desktop\00356\HEUR-Trojan-Ransom.Win32.Blocker.gen-17c51c73c265f45369b5e11280c1576858f812058807f3ba5bf33dd5ab5ac16c.exe

      Filesize

      255KB

      MD5

      69d79bfa3e909d34c8f30deab7683fe4

      SHA1

      ff06f8e29dd9941037f22986edb08d883c5bd695

      SHA256

      17c51c73c265f45369b5e11280c1576858f812058807f3ba5bf33dd5ab5ac16c

      SHA512

      672d56c706603d161122792427a6056732929f0b672f7a64d4924b3e58eef10386b5c07f0a76ad837a72b967e351ee1781721222cfe7d0cfd37e7031edcd7913

    • C:\Users\Admin\Desktop\00356\HEUR-Trojan-Ransom.Win32.Encoder.gen-812f5627bbfa5311fc96d5894cea16788c4f81d644729ebaea432a45d65ab8fa.exe

      Filesize

      99KB

      MD5

      d6fa60094f8c7417722016e0d1e4c474

      SHA1

      fbdb54ed582ba35fdfa38eaea0031db0dc31c91b

      SHA256

      812f5627bbfa5311fc96d5894cea16788c4f81d644729ebaea432a45d65ab8fa

      SHA512

      29435ab95b8d7e9e33e64a079a70e3d8ab4fede85e664013b9710ef57623c7410e32afe60025516d34d7671ca7df98166b80875181da8e3577a19046ddaf25ea

    • C:\Users\Admin\Desktop\00356\HEUR-Trojan-Ransom.Win32.Shade.gen-ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab.exe

      Filesize

      1.2MB

      MD5

      87ab5f476d4351224d893e267cc30d3b

      SHA1

      22e1fefd40bde744c165d316db26e88b5f4e6e70

      SHA256

      ca233059d5f7370dfdadf37d8f6b27ebf72ddaf6458613c2084b705727cf68ab

      SHA512

      7eb4776b09d586364d88ab1992133d9a0788c2c6c2e3ea4993ed061f4d25db9c7a3755a8add4775273193b953ca79ada4167d4a3671abbf728a4d0a61dd4e183

    • C:\Users\Admin\Desktop\00356\Trojan-Ransom.Win32.Agent.autk-1ecb94b101c6229a60475748fee4ecbf656e6d77722d7b422378d47c9510d293.exe

      Filesize

      714KB

      MD5

      97ec090821208e0ad47f4383d6977611

      SHA1

      3808de698552aabd19a0d9b8f3adf803641ae206

      SHA256

      1ecb94b101c6229a60475748fee4ecbf656e6d77722d7b422378d47c9510d293

      SHA512

      3c871b2cc01a956fcb60e7f48502649bcc31f6dcbf8d8f7a1eda06b751f3f89b301f63a4ba5dd18c30b7f31d9c3d2b84dc02ed3aa05852f26492f2dbee948a05

    • C:\Users\Admin\Desktop\00356\Trojan-Ransom.Win32.Blocker.mopc-defdfb21f88faa2c9c674737742f28c620c8939acd51ea237bfd54ac4a7d6656.exe

      Filesize

      165KB

      MD5

      27cd0ab02b1244188ede241ea1e087f5

      SHA1

      19f150d1615da6b79d120cbc6fb857b0a8577c40

      SHA256

      defdfb21f88faa2c9c674737742f28c620c8939acd51ea237bfd54ac4a7d6656

      SHA512

      803ab429ddb123392ff8db0b0b9b2987b1092935172d0999d6ea4984cae7f5a9b2b5ef703e82f17c0c7b7d2e808e4caf3138c0f2228c654f4d4169cca8ffd55d

    • C:\Users\Admin\Desktop\00356\Trojan-Ransom.Win32.Crypren.adnc-721ccbb780b308c6c40817749b6764ad06cd2e56389bba1618a0dadc362d6429.exe

      Filesize

      556KB

      MD5

      4a8228f5109bc509936eb5286d86322a

      SHA1

      36f1b50c1df1249e816944d0288604336d2b7a1e

      SHA256

      721ccbb780b308c6c40817749b6764ad06cd2e56389bba1618a0dadc362d6429

      SHA512

      6013d5daaef69c99d61afb30aa273413eebe9b5b8fe0055d879ee236817d3cb4a9d3bdb82553c8cd3f6e725bd99a076389a94a8ec8d6b0da66fc17b0fb7a1164

    • C:\Users\Admin\Desktop\00356\Trojan-Ransom.Win32.GandCrypt.fre-0a3c367793c08a1002ba036e11b95839f9ef630b2763bb0e6d513fb9ea95a400.exe

      Filesize

      231KB

      MD5

      d948aff488563010237654f4b1db016c

      SHA1

      a7772df8a860b4a0d5ca079741a957691704b5ab

      SHA256

      0a3c367793c08a1002ba036e11b95839f9ef630b2763bb0e6d513fb9ea95a400

      SHA512

      2d75f52f393b281a844f3d31bef05a7eddda932c55a35cfa23a3449ed0961225f4b143fe2da2801c086c12f90447ce0feeefa9594232e0f98335cdb8e8cb5ab4

    • C:\Users\Admin\Desktop\00356\Trojan-Ransom.Win32.Shade.pnu-404ae50b0e1bce4b8421cc654b54591fcc84edd600c76e1a2dda1e0653a6cfe9.exe

      Filesize

      1.5MB

      MD5

      050522542461760a14f494ebf773b379

      SHA1

      cb8fe1a86a10d92370437a79a0c7fab89c84ab9d

      SHA256

      404ae50b0e1bce4b8421cc654b54591fcc84edd600c76e1a2dda1e0653a6cfe9

      SHA512

      feda6015ea1625ecb1300a867210820c8ad477424e8cc9051f9e7890d4b823929d0fe2030e5e8c245b66d2d17ed8fa90ac85f0d6fbcc2c36714bc757e0a6f3b3

    • F:\_How_To_Decrypt_My_File_.Dic

      Filesize

      783B

      MD5

      e554d50d9e779cbc6e848d0e369ef490

      SHA1

      bf2a6ff2706b08aac84f56403d42a56469ee0b3f

      SHA256

      8fdb37aa2c3fdfbf83c9f0e7fadab656db6126fe3f25e7ce7cfd3e25e205093f

      SHA512

      31510cd492483a304e07ff95ec6a4edeaf52998aacf68c135ed71a8ce309d893b4375ffaf4728b348263a5e63ee86b6b44cab369599d83b9ae48951d94fa3463

    • memory/832-938-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

    • memory/832-942-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

    • memory/832-936-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

    • memory/832-954-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

    • memory/832-940-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

    • memory/832-948-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

    • memory/832-947-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

    • memory/832-946-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/832-944-0x0000000000400000-0x000000000045B000-memory.dmp

      Filesize

      364KB

    • memory/1064-49-0x0000000001390000-0x0000000001420000-memory.dmp

      Filesize

      576KB

    • memory/2064-683-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2064-63-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2104-84-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

    • memory/2104-90-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

    • memory/2104-85-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

    • memory/2104-86-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

    • memory/2104-87-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

    • memory/2104-83-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

    • memory/2104-964-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

    • memory/2132-903-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2132-961-0x0000000000110000-0x0000000000120000-memory.dmp

      Filesize

      64KB

    • memory/2132-927-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2132-892-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2132-1033-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2132-893-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2132-888-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2132-889-0x0000000140000000-0x00000001405E8000-memory.dmp

      Filesize

      5.9MB

    • memory/2196-604-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

    • memory/2196-113-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

    • memory/2196-112-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

    • memory/2196-114-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

    • memory/2196-115-0x0000000000400000-0x0000000000608000-memory.dmp

      Filesize

      2.0MB

    • memory/2304-37-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/2380-912-0x0000000000400000-0x0000000000490000-memory.dmp

      Filesize

      576KB

    • memory/2380-915-0x0000000000400000-0x0000000000490000-memory.dmp

      Filesize

      576KB

    • memory/2380-914-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2380-910-0x0000000000400000-0x0000000000490000-memory.dmp

      Filesize

      576KB

    • memory/2380-908-0x0000000000400000-0x0000000000490000-memory.dmp

      Filesize

      576KB

    • memory/2380-906-0x0000000000400000-0x0000000000490000-memory.dmp

      Filesize

      576KB

    • memory/2380-919-0x0000000000400000-0x0000000000490000-memory.dmp

      Filesize

      576KB

    • memory/2380-920-0x0000000005A80000-0x0000000005AF6000-memory.dmp

      Filesize

      472KB

    • memory/2380-917-0x0000000000400000-0x0000000000490000-memory.dmp

      Filesize

      576KB

    • memory/2472-387-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/2472-885-0x0000000000400000-0x000000000043F000-memory.dmp

      Filesize

      252KB

    • memory/2588-50-0x0000000001280000-0x000000000135A000-memory.dmp

      Filesize

      872KB

    • memory/2588-76-0x00000000003B0000-0x00000000003CC000-memory.dmp

      Filesize

      112KB

    • memory/2772-65-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2772-40-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2772-61-0x0000000000220000-0x0000000000268000-memory.dmp

      Filesize

      288KB

    • memory/2772-60-0x0000000000220000-0x0000000000268000-memory.dmp

      Filesize

      288KB

    • memory/2780-105-0x0000000000400000-0x000000000061D000-memory.dmp

      Filesize

      2.1MB

    • memory/2780-933-0x0000000000400000-0x000000000061D000-memory.dmp

      Filesize

      2.1MB

    • memory/2780-386-0x0000000000400000-0x000000000061D000-memory.dmp

      Filesize

      2.1MB

    • memory/2780-921-0x0000000000400000-0x000000000061D000-memory.dmp

      Filesize

      2.1MB

    • memory/2780-41-0x0000000000400000-0x000000000061D000-memory.dmp

      Filesize

      2.1MB

    • memory/2832-74-0x0000000006E90000-0x0000000006F3A000-memory.dmp

      Filesize

      680KB

    • memory/2832-89-0x0000000000470000-0x0000000000490000-memory.dmp

      Filesize

      128KB

    • memory/2832-905-0x0000000000580000-0x000000000058C000-memory.dmp

      Filesize

      48KB

    • memory/2832-51-0x0000000000E80000-0x0000000000F48000-memory.dmp

      Filesize

      800KB