Analysis

  • max time kernel
    1566s
  • max time network
    1571s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-11-2024 07:17

General

  • Target

    2016-09-14-EITest-Rig-EK-payload-Bart-ransomware.exe

  • Size

    121KB

  • MD5

    6de7324c37519831cf586e3b2c786e53

  • SHA1

    abb423454abd2caa431634667903640037b6ee9b

  • SHA256

    45fcdd90b1268f6d5dd2a99a78c3df1a95b7809cbe13b68d9f164edd2264005e

  • SHA512

    6172a9b52749e89017c4ad2f685a4399e5d092e0517ef98dff6d071b61e5db7343ca5298d00c57b1fed2d5a7afc9b63d2be8cd89b83af0c09b3e6c950c227227

  • SSDEEP

    3072:3s+7qZCqeKW9cafSypBCaJDftXdCD66X:377qZCqeKW9cotpBfVVoDX

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\User Account Pictures\recover.txt

Ransom Note
!!! IMPORTANT INFORMATION !!!
All your files are encrypted. Decrypting of your files is only possible with the private key, which is on our secret server.
To receive your private key follow one of the links:
1. http://s3clm4lufbmfhmeb.tor2web.org/?id=AvO6haKJeV%2bM6hD6ca2gXMuGKnaXVmWikP37fANScmQJ3A%3d%3d
2. http://s3clm4lufbmfhmeb.onion.to/?id=AvO6haKJeV%2bM6hD6ca2gXMuGKnaXVmWikP37fANScmQJ3A%3d%3d
3. http://s3clm4lufbmfhmeb.onion.cab/?id=AvO6haKJeV%2bM6hD6ca2gXMuGKnaXVmWikP37fANScmQJ3A%3d%3d
4. http://s3clm4lufbmfhmeb.onion.link/?id=AvO6haKJeV%2bM6hD6ca2gXMuGKnaXVmWikP37fANScmQJ3A%3d%3d
If all addresses are not available, follow these steps:
1. Download and install Tor Browser: https://torproject.org/download/download-easy.html
2. After successfull installation, run the browser and wait for initialization.
3. Type in the address bar: s3clm4lufbmfhmeb.onion/?id=AvO6haKJeV%2bM6hD6ca2gXMuGKnaXVmWikP37fANScmQJ3A%3d%3d
4. Follow the instructions on the site.
!!! Your personal identification ID: AvO6haKJeV+M6hD6ca2gXMuGKnaXVmWikP37fANScmQJ3A== !!!
URLs

http://s3clm4lufbmfhmeb.tor2web.org/?id=AvO6haKJeV%2bM6hD6ca2gXMuGKnaXVmWikP37fANScmQJ3A%3d%3d

http://s3clm4lufbmfhmeb.onion.to/?id=AvO6haKJeV%2bM6hD6ca2gXMuGKnaXVmWikP37fANScmQJ3A%3d%3d

http://s3clm4lufbmfhmeb.onion.cab/?id=AvO6haKJeV%2bM6hD6ca2gXMuGKnaXVmWikP37fANScmQJ3A%3d%3d

http://s3clm4lufbmfhmeb.onion.link/?id=AvO6haKJeV%2bM6hD6ca2gXMuGKnaXVmWikP37fANScmQJ3A%3d%3d

http://s3clm4lufbmfhmeb.onion/?id=AvO6haKJeV%2bM6hD6ca2gXMuGKnaXVmWikP37fANScmQJ3A%3d%3d

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2016-09-14-EITest-Rig-EK-payload-Bart-ransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\2016-09-14-EITest-Rig-EK-payload-Bart-ransomware.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Checks computer location settings
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\SysWOW64\notepad.exe
      notepad.exe "C:\Users\Admin\Desktop\recover.txt"o
      2⤵
      • System Location Discovery: System Language Discovery
      • Opens file in notepad (likely ransom note)
      • Suspicious use of FindShellTrayWindow
      PID:2308
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\recover.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    PID:948

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Microsoft\User Account Pictures\recover.txt

    Filesize

    2KB

    MD5

    7bae23804f25184fded46f61162cbd01

    SHA1

    712c64b61160ac32df2e3def8b8f25432a849fb5

    SHA256

    9a3030e4a92e93d515c80dfdf8d500b4a99455f9528963b7695c9875237585ed

    SHA512

    75723dc0759130857e5db9d8e318646561b6cc34ee78b8edaeef36743a5cba0b5c80a622071b07a7db0f4d0653ef087412176f22ba72c668ec63027e875fbc72

  • C:\Users\Admin\AppData\Local\Temp\nfq343.log

    Filesize

    6KB

    MD5

    4e0e81b7ba9f1fe408b2f9c56e22b5b8

    SHA1

    b846ad94306423f2cf033df57bdb1b74157d3d37

    SHA256

    c221cdc91baf7c64f119a98d10af5b7c748b6e42d81ff381dee8a3e971cfc946

    SHA512

    26a425e252ac3d2e58c07ad8ed95391a4285dae2aef127d9812552a4b6c0c7b71e3f5b3c05f6d298edb92fb691b62d92843b2f1918d3a229a7b71d745cffcd91

  • memory/2380-1-0x00000000020F0000-0x0000000002100000-memory.dmp

    Filesize

    64KB

  • memory/2380-3-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2380-10-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2380-6-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2380-8-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2380-13-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2380-320-0x00000000020F0000-0x0000000002100000-memory.dmp

    Filesize

    64KB

  • memory/2380-324-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2380-544-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

  • memory/2380-545-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB