Analysis

  • max time kernel
    1561s
  • max time network
    1562s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-11-2024 07:17

General

  • Target

    2017-03-15-EITest-Rig-EK-payload-Revenge-ransomware-5uhcwesi.exe

  • Size

    113KB

  • MD5

    3bceadd4c2c546aba24e24307f1defcd

  • SHA1

    81e4110a72821a1b1f01a3f3a8bf89188af40067

  • SHA256

    8ab65ceef6b8a5d2d0c0fb3ddbe1c1756b5c224bafc8065c161424d63937721c

  • SHA512

    fbe80ee6902b76a533e8662e580cf887e7a6735752731a53a6189d7b8c1e1c7c881d817a137c3553ab1b6f40c673887d83460d35d01ad0ace18a89c7f5bea525

  • SSDEEP

    1536:eEzTqjcZdskFrWcN9JsWjcdZB+TMKVu0CcqDuvn+FsN7S1bdQlBrr2DYLN:bzocZGgrh92ZYTMKEHD0nj21bd01N

Malware Config

Extracted

Path

C:\Users\# !!!HELP_FILE!!! #.TXT

Ransom Note
===ENGLISH===
All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment . After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail.

===ITALIAN===
Tutti i file sono stati crittografati utilizzando REVENGE ransomware. L'azione richiesta per ripristinare i file. I file non sono persi, possono essere restituiti al loro normale stato di loro decodifica. L'unico modo per farlo è quello di ottenere il software e la decrittografia personale chiave. L'uso di qualsiasi altro software che sostiene di essere in grado di recuperare i file si tradurrà in file danneggiati o distrutti. È possibile acquistare la chiave di software e decifratura con l'invio di una e-mail con il tuo ID. E mandiamo le istruzioni per il pagamento. Dopo il pagamento, si riceve il software per ripristinare tutti i file. Per dimostrare che siamo in grado di decodificare il file. Inviaci un file di e-mail.

===GERMAN===
Alle Dateien wurden mit REVENGE Ransomware verschlüsselt. Die notwendigen Schritte, um die Dateien wiederherzustellen. Die Dateien werden nicht verloren, können sie dekodiert werden. Der einzige Weg, zu tun ist, um die Software zu erhalten, und den privaten Schlüssel zu entschlüsseln. Mit Software, die auf Ihre Dateien zu können behauptet, bewegen als Folge von beschädigten oder zerstörten Dateien wiederhergestellt werden. Sie können die Software und Entschlüsselungsschlüssel erwerben, indem Sie uns per E-Mail Ihre ID senden. Und wir werden Anweisungen für die Zahlung senden. Nach der Bezahlung werden Sie eine Rückkehr von Software erhalten, die alle Dateien wiederherstellen würde. Um zu beweisen, dass wir eine Datei kostenlos entschlüsseln kann. Anhängen einer Datei an eine E-Mail.

===POLISH===
Wszystkie pliki zostały zaszyfrowane przy użyciu REVENGE szkodnika. Konieczne działania w celu przywrócenia plików. Pliki nie są tracone, mogą one zostać zwrócone do swojego normalnego stanu poprzez ich dekodowania. Jedynym sposobem na to jest, aby oprogramowanie i swój osobisty klucz deszyfrowania. Korzystanie z innego oprogramowania, które twierdzi, że jest w stanie odzyskać pliki spowoduje uszkodzonych lub zniszczonych plików. Można kupić oprogramowanie i klucz deszyfrowania wysyłając do nas e-maila z ID. A my wyślemy instrukcje dotyczące płatności. Po dokonaniu płatności otrzymasz oprogramowanie do zwrotu plików. W celu udowodnienia, że możemy odszyfrować plik. Dołączyć go do wiadomości e-mail.

===KOREAN===
모든 파일은 REVENGE Ransomware를 사용하여 암호화되었습니다. 파일을 복원하는 데 필요한 작업. 파일은 손실되지 않으며 디코딩하여 정상 상태로 되돌릴 수 있습니다. 이를 수행하는 유일한 방법은 소프트웨어와 개인 암호 해독 키를 얻는 것입니다. 파일을 복구 할 수 있다고 주장하는 다른 소프트웨어를 사용하면 파일이 손상되거나 파손됩니다. 신분증을 이메일로 보내 소프트웨어 및 암호 해독 키를 구입할 수 있습니다. 그리고 우리는 지불 지시를 보낸다. 지불 후 모든 파일을 반환하는 소프트웨어를 받게됩니다. 우리는 무료로 하나의 파일의 암호를 해독 할 수 있습니다. 전자 메일 파일을 보내 주시기 바랍니다.

CONTACT E-MAILS:
EMAIL: [email protected]
EMAIL: [email protected]
EMAIL: [email protected]
ID (PERSONAL IDENTIFICATION): 6E5F31421C9B74EA

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2017-03-15-EITest-Rig-EK-payload-Revenge-ransomware-5uhcwesi.exe
    "C:\Users\Admin\AppData\Local\Temp\2017-03-15-EITest-Rig-EK-payload-Revenge-ransomware-5uhcwesi.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2632
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2316
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2344
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C net stop vss
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\SysWOW64\net.exe
        net stop vss
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2832
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop vss
          4⤵
          • System Location Discovery: System Language Discovery
          PID:572
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:1248
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C net stop vss
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\SysWOW64\net.exe
        net stop vss
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:320
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop vss
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2168
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Music\# !!!HELP_FILE!!! #.TXT
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2368
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\# !!!HELP_FILE!!! #.TXT

    Filesize

    6KB

    MD5

    109118cb68bb634c9a6b521e7901f638

    SHA1

    45c7c85d34c2e24ea3a90f701c61a216cb22752c

    SHA256

    6557f3d85aaa97c982233d917929394dc1bca283d7222474ac223457ee2bd05d

    SHA512

    995e82fd0dbb5965277122f4f29d8bbc41a9f772db2bfd9a6dacd4e40dbc5703c678a67b73018e6c660ebb4a6491f325db92a3ebc63d4f2394ec1e216811c88d

  • C:\Users\Admin\AppData\Roaming\Microsoft\MSDN\windowsidx.prftmp

    Filesize

    271B

    MD5

    9e946d56a5bb77c92ab31c622aa7668a

    SHA1

    2f68a8553658c32c7c35e3d2e5fbeb75eeb4f3c1

    SHA256

    76e12d7bdf8548b9e751a276b4e9cd413569c5c4712bc7060eec456c8d495ed8

    SHA512

    18f5762832d38485ccb90262a1891be68a60e51b28b427d129b07b5190f879691c5d6d557650189169b02d6ee93a861691404f0f3a85599c83cafb04785aa48c

  • memory/784-0-0x00000000001B0000-0x00000000001C0000-memory.dmp

    Filesize

    64KB

  • memory/784-628-0x00000000001B0000-0x00000000001C0000-memory.dmp

    Filesize

    64KB

  • memory/784-633-0x00000000001B0000-0x00000000001C0000-memory.dmp

    Filesize

    64KB