Overview
overview
10Static
static
100A6172B017F62EAA.exe
windows7-x64
100A6172B017F62EAA.exe
windows10-2004-x64
102891E1D4BAC70EBA.exe
windows7-x64
102891E1D4BAC70EBA.exe
windows10-2004-x64
103472CB2D1AB89AAB.exe
windows7-x64
103472CB2D1AB89AAB.exe
windows10-2004-x64
10613788884CE0093F.exe
windows7-x64
10613788884CE0093F.exe
windows10-2004-x64
107189AED8B8AE6568.exe
windows7-x64
107189AED8B8AE6568.exe
windows10-2004-x64
10CC3B1F89FAA517E4.exe
windows7-x64
10CC3B1F89FAA517E4.exe
windows10-2004-x64
10F5657AC3DC58DC8C.exe
windows7-x64
10F5657AC3DC58DC8C.exe
windows10-2004-x64
10Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
02-12-2024 05:01
Behavioral task
behavioral1
Sample
0A6172B017F62EAA.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral2
Sample
0A6172B017F62EAA.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
15 signatures
150 seconds
Behavioral task
behavioral3
Sample
2891E1D4BAC70EBA.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral4
Sample
2891E1D4BAC70EBA.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
15 signatures
150 seconds
Behavioral task
behavioral5
Sample
3472CB2D1AB89AAB.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral6
Sample
3472CB2D1AB89AAB.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
15 signatures
150 seconds
Behavioral task
behavioral7
Sample
613788884CE0093F.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral8
Sample
613788884CE0093F.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
15 signatures
150 seconds
Behavioral task
behavioral9
Sample
7189AED8B8AE6568.exe
Resource
win7-20241023-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral10
Sample
7189AED8B8AE6568.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
15 signatures
150 seconds
Behavioral task
behavioral11
Sample
CC3B1F89FAA517E4.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral12
Sample
CC3B1F89FAA517E4.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
15 signatures
150 seconds
Behavioral task
behavioral13
Sample
F5657AC3DC58DC8C.exe
Resource
win7-20240903-en
windows7-x64
21 signatures
150 seconds
Behavioral task
behavioral14
Sample
F5657AC3DC58DC8C.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
19 signatures
150 seconds
General
-
Target
613788884CE0093F.exe
-
Size
137KB
-
MD5
0b6d033622c9ff929e98c5ef7e2f8860
-
SHA1
ece019cdcbfab97462461585c58a5cf62bc5deb6
-
SHA256
ecd80e30e6bae14ca7c1198e430651aa297e01361a0508acef591adc0d50159b
-
SHA512
a5308bab575e87825cef01ae01ed8da84e1d42e588509b7bda1e8f4ffadc5fcbb39b9c5d6a331d508d74c12ba077cb303706537cb15662076a1fde86106b73e6
-
SSDEEP
3072:hLIQ8YzXEMZK1A2czbFk58x+o+EFz9/t2f65q8h32bIoKb:hstYrEMw6Bxk5zOFNtgJ6CUb
Malware Config
Extracted
Path
C:\ProgramData\biobio ransmoware.txt
Ransom Note
kasper Ransmoware
ATTENTION!
At the moment, your system is not protected.
We can fix itand restore files.
To get started, send a file to decrypt trial.
You can trust us after opening the test file.
2.Do not use free programs to unlock.
To restore the system write to both : [email protected] and [email protected]
Telegram id:@biobiorans
Your Decryption ID: 613788884CE0093F
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (9083) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: 613788884CE0093F.exe File opened (read-only) \??\D: 613788884CE0093F.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSPTLS.DLL.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00656_.WMF 613788884CE0093F.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18221_.WMF 613788884CE0093F.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Paramaribo.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio 613788884CE0093F.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg 613788884CE0093F.exe File opened for modification C:\Program Files\7-Zip\Lang\va.txt 613788884CE0093F.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml 613788884CE0093F.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio 613788884CE0093F.exe File opened for modification C:\Program Files\Mozilla Firefox\uninstall\uninstall.log.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\PublisherMUI.XML.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio 613788884CE0093F.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\biobio ransmoware.txt 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePageSlice.gif 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OMSXP32.DLL 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME45.CSS.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msaddsr.dll.mui 613788884CE0093F.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kabul 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABOFF.JPG 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02263_.WMF.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01840_.GIF 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\slideShow.css 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02791_.WMF 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR51B.GIF 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Internet Explorer\en-US\ieinstal.exe.mui 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ENVELOPE.DLL 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PDDom.api.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio 613788884CE0093F.exe File created C:\Program Files\Internet Explorer\es-ES\biobio ransmoware.txt 613788884CE0093F.exe File created C:\Program Files\Windows Defender\fr-FR\biobio ransmoware.txt 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATWIZ.POC.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGATNGET.XML 613788884CE0093F.exe File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285444.WMF 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\AUTHOR.XSL.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\localizedStrings.js 613788884CE0093F.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-templates.jar.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\TAB_ON.GIF.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio 613788884CE0093F.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00222_.WMF 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\COUPON.POC.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev.png 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SplashScreen.zip 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AppConfigurationInternal.zip 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099151.WMF 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGREPFRM.DPV 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\THMBNAIL.PNG.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_HighMask.bmp 613788884CE0093F.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv 613788884CE0093F.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\visualization\libgoom_plugin.dll 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7FR.DLL 613788884CE0093F.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Boa_Vista 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341654.JPG 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00267_.WMF.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02398U.BMP 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CONTACTINFOBB.POC 613788884CE0093F.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\flavormap.properties 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\2 Right.accdt.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio 613788884CE0093F.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Port_Moresby.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio 613788884CE0093F.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Angles.thmx.EMAIL=[[email protected]]ID=[613788884CE0093F].biobio 613788884CE0093F.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 613788884CE0093F.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2348 vssadmin.exe 2892 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe 2528 613788884CE0093F.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeDebugPrivilege 2528 613788884CE0093F.exe Token: SeRestorePrivilege 2528 613788884CE0093F.exe Token: SeBackupPrivilege 2528 613788884CE0093F.exe Token: SeTakeOwnershipPrivilege 2528 613788884CE0093F.exe Token: SeAuditPrivilege 2528 613788884CE0093F.exe Token: SeSecurityPrivilege 2528 613788884CE0093F.exe Token: SeIncBasePriorityPrivilege 2528 613788884CE0093F.exe Token: SeBackupPrivilege 2828 vssvc.exe Token: SeRestorePrivilege 2828 vssvc.exe Token: SeAuditPrivilege 2828 vssvc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2528 wrote to memory of 1600 2528 613788884CE0093F.exe 31 PID 2528 wrote to memory of 1600 2528 613788884CE0093F.exe 31 PID 2528 wrote to memory of 1600 2528 613788884CE0093F.exe 31 PID 2528 wrote to memory of 1600 2528 613788884CE0093F.exe 31 PID 1600 wrote to memory of 2348 1600 cmd.exe 33 PID 1600 wrote to memory of 2348 1600 cmd.exe 33 PID 1600 wrote to memory of 2348 1600 cmd.exe 33 PID 2528 wrote to memory of 1516 2528 613788884CE0093F.exe 38 PID 2528 wrote to memory of 1516 2528 613788884CE0093F.exe 38 PID 2528 wrote to memory of 1516 2528 613788884CE0093F.exe 38 PID 2528 wrote to memory of 1516 2528 613788884CE0093F.exe 38 PID 1516 wrote to memory of 2892 1516 cmd.exe 40 PID 1516 wrote to memory of 2892 1516 cmd.exe 40 PID 1516 wrote to memory of 2892 1516 cmd.exe 40 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe"C:\Users\Admin\AppData\Local\Temp\613788884CE0093F.exe"1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2348
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2892
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2828
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
402B
MD59dd4c0412b91c85abdcd4925e5a10577
SHA1f34a9a8a866d410d03bb26a13652c0754658d40c
SHA256b05da8fb81352f7f573a1f010068cf0346ff8bc370fe14ecef1da1805bbc3138
SHA512deb3f6bd3a982cd5396de1239c2b7d63a6640608c9a9749495ad9c19bfe863106a153550d3535a7ca938cf6c756511df026ca9cc9a4b8d52424b222e69adaadc