471f3fb1a953fab38be3081eb835574694bc72b94f239edc400d1ce3d7a8ecb0

Analysis

max time kernel
290s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97512f4617019c907cd0f88193039e7c.exe
Size

666KB
MD5

97512f4617019c907cd0f88193039e7c
SHA1

24cfa261ee30f697e7d1e2215eee1c21eebf4579
SHA256

438888ef36bad1079af79daf152db443b4472c5715a7b3da0ba24cc757c53499
SHA512

cfbb8dd91434f917d507cb919aa7e6b16b7b2056d56185f6ad5b6149e05629325cdb3df907f58bb3f634b17a9989bf5b6d6b81f5396a3a556431742ed742ac4a
SSDEEP

12288:bB/72HFAQBMiZB7fJJ2qDHKK/K5FJL+xQhrwjeI:bBKqFiT7fJJ2qbKK6F5+xQhrEJ

Score

10^/10

defense_evasion discovery execution impact ransomware upx

Malware Config

Extracted

Path

C:\MSOCache\All Users\README_HOW_TO_UNLOCK.TXT

Ransom Note

YOUR FILE HAS BEEN LOCKED In order to unlock your files, follow the instructions bellow: 1. Download and install Tor Browser 2. After a successful installation, run Tor Browser and wait for its initialization. 3. Type in the address bar: http://zvnvp2rhe3ljwf2m.onion 4. Follow the instructions on the site.

URLs

http://zvnvp2rhe3ljwf2m.onion

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (84) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral26/memory/2376-0-0x0000000000400000-0x000000000058D000-memory.dmp	upx
behavioral26/memory/2376-310-0x0000000000400000-0x000000000058D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WMIC.exereg.exereg.exenet.exenet1.exenet1.exe97512f4617019c907cd0f88193039e7c.exenet.exenet.exenet1.exevssadmin.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97512f4617019c907cd0f88193039e7c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

2596 vssadmin.exe
Runs net.exe

pid	process
2596	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2092	WMIC.exe
Token: SeSecurityPrivilege	2092	WMIC.exe
Token: SeTakeOwnershipPrivilege	2092	WMIC.exe
Token: SeLoadDriverPrivilege	2092	WMIC.exe
Token: SeSystemProfilePrivilege	2092	WMIC.exe
Token: SeSystemtimePrivilege	2092	WMIC.exe
Token: SeProfSingleProcessPrivilege	2092	WMIC.exe
Token: SeIncBasePriorityPrivilege	2092	WMIC.exe
Token: SeCreatePagefilePrivilege	2092	WMIC.exe
Token: SeBackupPrivilege	2092	WMIC.exe
Token: SeRestorePrivilege	2092	WMIC.exe
Token: SeShutdownPrivilege	2092	WMIC.exe
Token: SeDebugPrivilege	2092	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2092	WMIC.exe
Token: SeRemoteShutdownPrivilege	2092	WMIC.exe
Token: SeUndockPrivilege	2092	WMIC.exe
Token: SeManageVolumePrivilege	2092	WMIC.exe
Token: 33	2092	WMIC.exe
Token: 34	2092	WMIC.exe
Token: 35	2092	WMIC.exe
Token: SeBackupPrivilege	776	vssvc.exe
Token: SeRestorePrivilege	776	vssvc.exe
Token: SeAuditPrivilege	776	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2092	WMIC.exe
Token: SeSecurityPrivilege	2092	WMIC.exe
Token: SeTakeOwnershipPrivilege	2092	WMIC.exe
Token: SeLoadDriverPrivilege	2092	WMIC.exe
Token: SeSystemProfilePrivilege	2092	WMIC.exe
Token: SeSystemtimePrivilege	2092	WMIC.exe
Token: SeProfSingleProcessPrivilege	2092	WMIC.exe
Token: SeIncBasePriorityPrivilege	2092	WMIC.exe
Token: SeCreatePagefilePrivilege	2092	WMIC.exe
Token: SeBackupPrivilege	2092	WMIC.exe
Token: SeRestorePrivilege	2092	WMIC.exe
Token: SeShutdownPrivilege	2092	WMIC.exe
Token: SeDebugPrivilege	2092	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2092	WMIC.exe
Token: SeRemoteShutdownPrivilege	2092	WMIC.exe
Token: SeUndockPrivilege	2092	WMIC.exe
Token: SeManageVolumePrivilege	2092	WMIC.exe
Token: 33	2092	WMIC.exe
Token: 34	2092	WMIC.exe
Token: 35	2092	WMIC.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

97512f4617019c907cd0f88193039e7c.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2376 wrote to memory of 2092	2376	97512f4617019c907cd0f88193039e7c.exe	WMIC.exe
PID 2376 wrote to memory of 2092	2376	97512f4617019c907cd0f88193039e7c.exe	WMIC.exe
PID 2376 wrote to memory of 2092	2376	97512f4617019c907cd0f88193039e7c.exe	WMIC.exe
PID 2376 wrote to memory of 2092	2376	97512f4617019c907cd0f88193039e7c.exe	WMIC.exe
PID 2376 wrote to memory of 2596	2376	97512f4617019c907cd0f88193039e7c.exe	vssadmin.exe
PID 2376 wrote to memory of 2596	2376	97512f4617019c907cd0f88193039e7c.exe	vssadmin.exe
PID 2376 wrote to memory of 2596	2376	97512f4617019c907cd0f88193039e7c.exe	vssadmin.exe
PID 2376 wrote to memory of 2596	2376	97512f4617019c907cd0f88193039e7c.exe	vssadmin.exe
PID 2376 wrote to memory of 2460	2376	97512f4617019c907cd0f88193039e7c.exe	reg.exe
PID 2376 wrote to memory of 2460	2376	97512f4617019c907cd0f88193039e7c.exe	reg.exe
PID 2376 wrote to memory of 2460	2376	97512f4617019c907cd0f88193039e7c.exe	reg.exe
PID 2376 wrote to memory of 2460	2376	97512f4617019c907cd0f88193039e7c.exe	reg.exe
PID 2376 wrote to memory of 1032	2376	97512f4617019c907cd0f88193039e7c.exe	reg.exe
PID 2376 wrote to memory of 1032	2376	97512f4617019c907cd0f88193039e7c.exe	reg.exe
PID 2376 wrote to memory of 1032	2376	97512f4617019c907cd0f88193039e7c.exe	reg.exe
PID 2376 wrote to memory of 1032	2376	97512f4617019c907cd0f88193039e7c.exe	reg.exe
PID 2376 wrote to memory of 2784	2376	97512f4617019c907cd0f88193039e7c.exe	net.exe
PID 2376 wrote to memory of 2784	2376	97512f4617019c907cd0f88193039e7c.exe	net.exe
PID 2376 wrote to memory of 2784	2376	97512f4617019c907cd0f88193039e7c.exe	net.exe
PID 2376 wrote to memory of 2784	2376	97512f4617019c907cd0f88193039e7c.exe	net.exe
PID 2376 wrote to memory of 2884	2376	97512f4617019c907cd0f88193039e7c.exe	net.exe
PID 2376 wrote to memory of 2884	2376	97512f4617019c907cd0f88193039e7c.exe	net.exe
PID 2376 wrote to memory of 2884	2376	97512f4617019c907cd0f88193039e7c.exe	net.exe
PID 2376 wrote to memory of 2884	2376	97512f4617019c907cd0f88193039e7c.exe	net.exe
PID 2376 wrote to memory of 2632	2376	97512f4617019c907cd0f88193039e7c.exe	net.exe
PID 2376 wrote to memory of 2632	2376	97512f4617019c907cd0f88193039e7c.exe	net.exe
PID 2376 wrote to memory of 2632	2376	97512f4617019c907cd0f88193039e7c.exe	net.exe
PID 2376 wrote to memory of 2632	2376	97512f4617019c907cd0f88193039e7c.exe	net.exe
PID 2784 wrote to memory of 2764	2784	net.exe	net1.exe
PID 2784 wrote to memory of 2764	2784	net.exe	net1.exe
PID 2784 wrote to memory of 2764	2784	net.exe	net1.exe
PID 2784 wrote to memory of 2764	2784	net.exe	net1.exe
PID 2884 wrote to memory of 2792	2884	net.exe	net1.exe
PID 2884 wrote to memory of 2792	2884	net.exe	net1.exe
PID 2884 wrote to memory of 2792	2884	net.exe	net1.exe
PID 2884 wrote to memory of 2792	2884	net.exe	net1.exe
PID 2632 wrote to memory of 1668	2632	net.exe	net1.exe
PID 2632 wrote to memory of 1668	2632	net.exe	net1.exe
PID 2632 wrote to memory of 1668	2632	net.exe	net1.exe
PID 2632 wrote to memory of 1668	2632	net.exe	net1.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\97512f4617019c907cd0f88193039e7c.exe
"C:\Users\Admin\AppData\Local\Temp\97512f4617019c907cd0f88193039e7c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\wbem\WMIC.exe
  "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\SysWOW64\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - System Location Discovery: System Language Discovery
  - Interacts with shadow copies
  PID:2596
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\services\VSS" /v Start /t REG_DWORD /d 4 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2460
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1032
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop vss
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop vss
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2764
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop swprv
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop swprv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2792
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop srservice
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop srservice
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1668

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\README_HOW_TO_UNLOCK.HTML

Filesize
1KB

MD5
c784d96ca311302c6f2f8f0bee8c725b

SHA1
dc68b518ce0eef4f519f9127769e3e3fa8edce46

SHA256
a7836550412b0e0963d16d8442b894a1148326b86d119e4d30f1b11956380ef0

SHA512
f97891dc3c3f15b9bc3446bc9d5913431f374aa54cced33d2082cf14d173a8178e29a8d9487c2a1ab87d2f6abf37e915f69f45c0d8b747ad3f17970645c35d98

Download Submit
C:\MSOCache\All Users\README_HOW_TO_UNLOCK.TXT

Filesize
330B

MD5
04b892b779d04f3a906fde1a904d98bb

SHA1
1a0d6cb6f921bc06ba9547a84b872ef61eb7e8a5

SHA256
eb22c6ecfd4d7d0fcea5063201ccf5e7313780e007ef47cca01f1369ee0e6be0

SHA512
e946aa4ac3ec9e5a178eac6f4c63a98f46bc85bed3efd6a53282d87aa56e53b4c11bb0d1c58c6c670f9f4ad9952b5e7fd1bb310a8bd7b5b04e7c607d1b74238a

Download Submit
memory/2376-0-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/2376-1-0x0000000000590000-0x00000000005D3000-memory.dmp

Filesize
268KB

Download
memory/2376-310-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/2376-312-0x0000000000590000-0x00000000005D3000-memory.dmp

Filesize
268KB

Download