Overview
overview
10Static
static
32016-08-26...e2.exe
windows7-x64
102016-08-30...e2.exe
windows7-x64
102016-09-14...re.exe
windows7-x64
102016-09-16...e2.exe
windows7-x64
102016-09-19...e2.exe
windows7-x64
102016-09-21...om.exe
windows7-x64
102016-09-27...er.exe
windows7-x64
72016-09-28...om.exe
windows7-x64
102016-09-28...om.exe
windows7-x64
102016-09-29...e2.exe
windows7-x64
102016-09-29...e2.exe
windows7-x64
102016-10-04...er.exe
windows7-x64
72016-10-05...e2.exe
windows7-x64
102016-10-06...e2.exe
windows7-x64
102016-10-12...er.exe
windows7-x64
72016-10-14...er.exe
windows7-x64
72016-10-18...e2.exe
windows7-x64
102016-10-23...er.exe
windows7-x64
72016-10-28...e2.exe
windows7-x64
102016-11-07...e2.exe
windows7-x64
102016-11-08...e2.exe
windows7-x64
102016-11-09...e2.exe
windows7-x64
102016-11-15...e2.exe
windows7-x64
102016-11-16...e2.exe
windows7-x64
102016-11-21...e2.exe
windows7-x64
102017-03-15...si.exe
windows7-x64
102017-04-07...re.exe
windows7-x64
102017-04-07...re.exe
windows7-x64
102017-04-07...re.exe
windows7-x64
102018-01-28...re.exe
windows7-x64
10Analysis
-
max time kernel
1566s -
max time network
1571s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
11-11-2024 07:17
Static task
static1
Behavioral task
behavioral1
Sample
2016-08-26-EITest-Rig-EK-payload-CryptFile2.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2016-08-30-EITest-Rig-EK-payload-CryptFile2.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
2016-09-14-EITest-Rig-EK-payload-Bart-ransomware.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
2016-09-16-EITest-Rig-EK-payload-CryptFile2.exe
Resource
win7-20240903-en
Behavioral task
behavioral5
Sample
2016-09-19-EITest-Rig-EK-payload-CryptFile2.exe
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
2016-09-21-EITest-Rig-EK-payload-CryptFile2-after-germansuppliesinc.com.exe
Resource
win7-20241023-en
Behavioral task
behavioral7
Sample
2016-09-27-Afraidgate-Rig-EK-payload-Locky-downloader.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
2016-09-28-EITest-Rig-EK-payload-CryptFile2-after-beyondrpoxy.com.exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
2016-09-28-EITest-Rig-EK-payload-CryptFile2-after-orfab.com.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
2016-09-29-EITest-Rig-EK-payload-1st-run-CryptFile2.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
2016-09-29-EITest-Rig-EK-payload-8th-run-CryptFile2.exe
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
2016-10-04-Afraidgate-Rig-EK-payload-Locky-downloader.exe
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
2016-10-05-EITest-Rig-EK-payload-CryptFile2.exe
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
2016-10-06-EITest-Rig-EK-payload-second-run-CryptFile2.exe
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
2016-10-12-Afraidgate-Rig-EK-payload-locky-downloader.exe
Resource
win7-20241010-en
Behavioral task
behavioral16
Sample
2016-10-14-Afraidgate-Rig-EK-payload-Locky-downloader.exe
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
2016-10-18-EITest-Rig-EK-payload-CryptFile2.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
2016-10-23-Afraidgate-Rig-EK-payload-Locky-downloader.exe
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
2016-10-28-EITest-Rig-EK-payload-first-run-CryptFile2.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
2016-11-07-EITest-Rig-EK-payload-CryptFile2.exe
Resource
win7-20240903-en
Behavioral task
behavioral21
Sample
2016-11-08-3rd-run-EITest-Rig-EK-payload-CryptFile2.exe
Resource
win7-20241010-en
Behavioral task
behavioral22
Sample
2016-11-09-1st-run-EITest-Rig-EK-payload-CryptFile2.exe
Resource
win7-20241023-en
Behavioral task
behavioral23
Sample
2016-11-15-2nd-run-Rig-standard-payload-CryptFile2.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
2016-11-16-4th-run-Rig-standard-payload-CryptFile2.exe
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
2016-11-21-2nd-run-EITest-Rig-standard-payload-CryptFile2.exe
Resource
win7-20240729-en
Behavioral task
behavioral26
Sample
2017-03-15-EITest-Rig-EK-payload-Revenge-ransomware-5uhcwesi.exe
Resource
win7-20240708-en
Behavioral task
behavioral27
Sample
2017-04-07-1st-run-EITest-HoeflerText-payload-Spora-ransomware.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
2017-04-07-2nd-run-EITest-HoeflerText-payload-Spora-ransomware.exe
Resource
win7-20241010-en
Behavioral task
behavioral29
Sample
2017-04-07-3rd-run-EITest-HoeflerText-payload-Spora-ransomware.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
2018-01-28-Seamless-campaign-Rig-EK-payload-GandCrab-ransomware.exe
Resource
win7-20241023-en
General
-
Target
2016-09-14-EITest-Rig-EK-payload-Bart-ransomware.exe
-
Size
121KB
-
MD5
6de7324c37519831cf586e3b2c786e53
-
SHA1
abb423454abd2caa431634667903640037b6ee9b
-
SHA256
45fcdd90b1268f6d5dd2a99a78c3df1a95b7809cbe13b68d9f164edd2264005e
-
SHA512
6172a9b52749e89017c4ad2f685a4399e5d092e0517ef98dff6d071b61e5db7343ca5298d00c57b1fed2d5a7afc9b63d2be8cd89b83af0c09b3e6c950c227227
-
SSDEEP
3072:3s+7qZCqeKW9cafSypBCaJDftXdCD66X:377qZCqeKW9cotpBfVVoDX
Malware Config
Extracted
C:\ProgramData\Microsoft\User Account Pictures\recover.txt
http://s3clm4lufbmfhmeb.tor2web.org/?id=AvO6haKJeV%2bM6hD6ca2gXMuGKnaXVmWikP37fANScmQJ3A%3d%3d
http://s3clm4lufbmfhmeb.onion.to/?id=AvO6haKJeV%2bM6hD6ca2gXMuGKnaXVmWikP37fANScmQJ3A%3d%3d
http://s3clm4lufbmfhmeb.onion.cab/?id=AvO6haKJeV%2bM6hD6ca2gXMuGKnaXVmWikP37fANScmQJ3A%3d%3d
http://s3clm4lufbmfhmeb.onion.link/?id=AvO6haKJeV%2bM6hD6ca2gXMuGKnaXVmWikP37fANScmQJ3A%3d%3d
http://s3clm4lufbmfhmeb.onion/?id=AvO6haKJeV%2bM6hD6ca2gXMuGKnaXVmWikP37fANScmQJ3A%3d%3d
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" 2016-09-14-EITest-Rig-EK-payload-Bart-ransomware.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation 2016-09-14-EITest-Rig-EK-payload-Bart-ransomware.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\recover.bmp" 2016-09-14-EITest-Rig-EK-payload-Bart-ransomware.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2016-09-14-EITest-Rig-EK-payload-Bart-ransomware.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe -
Opens file in notepad (likely ransom note) 2 IoCs
pid Process 2308 notepad.exe 948 NOTEPAD.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 948 NOTEPAD.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2308 notepad.exe 948 NOTEPAD.EXE -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 2380 2016-09-14-EITest-Rig-EK-payload-Bart-ransomware.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2380 wrote to memory of 2308 2380 2016-09-14-EITest-Rig-EK-payload-Bart-ransomware.exe 36 PID 2380 wrote to memory of 2308 2380 2016-09-14-EITest-Rig-EK-payload-Bart-ransomware.exe 36 PID 2380 wrote to memory of 2308 2380 2016-09-14-EITest-Rig-EK-payload-Bart-ransomware.exe 36 PID 2380 wrote to memory of 2308 2380 2016-09-14-EITest-Rig-EK-payload-Bart-ransomware.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\2016-09-14-EITest-Rig-EK-payload-Bart-ransomware.exe"C:\Users\Admin\AppData\Local\Temp\2016-09-14-EITest-Rig-EK-payload-Bart-ransomware.exe"1⤵
- Modifies visibility of file extensions in Explorer
- Checks computer location settings
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\notepad.exenotepad.exe "C:\Users\Admin\Desktop\recover.txt"o2⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:2308
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\recover.txt1⤵
- Opens file in notepad (likely ransom note)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:948
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD57bae23804f25184fded46f61162cbd01
SHA1712c64b61160ac32df2e3def8b8f25432a849fb5
SHA2569a3030e4a92e93d515c80dfdf8d500b4a99455f9528963b7695c9875237585ed
SHA51275723dc0759130857e5db9d8e318646561b6cc34ee78b8edaeef36743a5cba0b5c80a622071b07a7db0f4d0653ef087412176f22ba72c668ec63027e875fbc72
-
Filesize
6KB
MD54e0e81b7ba9f1fe408b2f9c56e22b5b8
SHA1b846ad94306423f2cf033df57bdb1b74157d3d37
SHA256c221cdc91baf7c64f119a98d10af5b7c748b6e42d81ff381dee8a3e971cfc946
SHA51226a425e252ac3d2e58c07ad8ed95391a4285dae2aef127d9812552a4b6c0c7b71e3f5b3c05f6d298edb92fb691b62d92843b2f1918d3a229a7b71d745cffcd91