Analysis

  • max time kernel
    18s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-12-2024 19:50

General

  • Target

    3c380d5492add3084df3876e715ef641ae0ba910cf84395e2f1f22bee33dad97.exe

  • Size

    4.6MB

  • MD5

    87ed0fc8118723ea66be965e8cea3764

  • SHA1

    bcc642835880fbf922cc2b029d362b3d82fac938

  • SHA256

    3c380d5492add3084df3876e715ef641ae0ba910cf84395e2f1f22bee33dad97

  • SHA512

    70974198ed89c9a325c03b3c78c1576d90b8a83b7adf3735fdfe2f30ea83309ba76bc34a3c78e9eb52defb161e5d5fb0e8813690a3960ce74975a2655b3f359a

  • SSDEEP

    98304:lpzHHcNCDnfENtGVKSqnJe9pANQvlsisx:ldHHcN2nfENGOYvlsjx

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR FILES.TXT

Ransom Note
Hello! All your files are encrypted and only we can decrypt them. Contact us: [email protected] or [email protected] Write us if you want to return your files - we can do it very quickly! The header of letter must contain extension of encrypted files. We always reply within 24 hours. If not - check spam folder, resend your letter or try send letter from another email service (like protonmail.com). Attention! Do not rename or edit encrypted files: you may have permanent data loss. To prove that we can recover your files, we am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups). HURRY UP! If you do not email us in the next 48 hours then your data may be lost permanently.

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (7868) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c380d5492add3084df3876e715ef641ae0ba910cf84395e2f1f22bee33dad97.exe
    "C:\Users\Admin\AppData\Local\Temp\3c380d5492add3084df3876e715ef641ae0ba910cf84395e2f1f22bee33dad97.exe"
    1⤵
    • Drops startup file
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\system32\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\cqvfxynd.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Windows\system32\sc.exe
        SC QUERY
        3⤵
        • Launches sc.exe
        PID:2052
      • C:\Windows\system32\findstr.exe
        FINDSTR SERVICE_NAME
        3⤵
          PID:1508
      • C:\Windows\system32\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\rldlkhogcxxbsjdyiwb.bat
        2⤵
          PID:544
        • C:\Windows\system32\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\wevgcnybyfpdkoppygw.bat
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2144
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:1788
        • C:\Windows\system32\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\jkyxxvvgj.bat
          2⤵
            PID:1816
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2944

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\HOW TO RESTORE YOUR FILES.TXT

          Filesize

          758B

          MD5

          362c51682bf01718f78792252759ea48

          SHA1

          d2a7021fad7dc0551a9b19274d114fdebd0d24db

          SHA256

          8104414020397799ae6c4f779a8486a8a5c2975f4a5cee250151ccfa9911f8ab

          SHA512

          b6ed4e553e0d414cd83025d9c1a4170c8940744364f8662f5e86fbbe4d60c60471c5bd6d58fe28b9aec04b7d09ad9a688093c1632f22baa66cb0c1969a644154

        • C:\Users\Admin\AppData\Local\Temp\cqvfxynd.bat

          Filesize

          43B

          MD5

          55310bb774fff38cca265dbc70ad6705

          SHA1

          cb8d76e9fd38a0b253056e5f204dab5441fe932b

          SHA256

          1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d

          SHA512

          40e5a5e8454ca3eaac36d732550e2c5d869a235e3bbc4d31c4afa038fe4e06f782fa0885e876ad8119be766477fdcc12c1d5d04d53cf6b324e366b5351fc7cd4

        • C:\Users\Admin\AppData\Local\Temp\jkyxxvvgj.bat

          Filesize

          43B

          MD5

          3b854ac9791ad8977b46f8b347eca1de

          SHA1

          6d0eb57be34e059a7275e227928d52400200dc72

          SHA256

          4dd7521f4d8351fed8275553a0fa4713f65872a25011f4853713f6915abbbf09

          SHA512

          24853c988df7274e10119cdbbc8816afaa20da661ac03286f9b47660126be8bf6eef40f40261c79b205308647ef42c87d1d840280fa12f7179b3eefef5e75030

        • C:\Users\Admin\AppData\Local\Temp\rldlkhogcxxbsjdyiwb.bat

          Filesize

          47B

          MD5

          2202e846ba05d7f0bb20adbc5249c359

          SHA1

          4115d2d15614503456aea14db61d71a756cc7b8c

          SHA256

          0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f

          SHA512

          cd6ce6d89a8e5f75724405bc2694b706819c3c554b042075d5eb47fdb75653235160ac8a85e7425a49d98f25b3886faaaec5599bcf66d20bf6115dc3af4ba9c7