Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-12-2024 04:02

General

  • Target

    d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe

  • Size

    881KB

  • MD5

    9049faba5517305c44bd5f28398fb6b9

  • SHA1

    036c6b32f3e7d7d689c9b4d482091eebcc669bfa

  • SHA256

    d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3

  • SHA512

    65a33506f970675775468f80b94a3f8bb2d3672e6fb08fc9f2e5107020095ca6d4bca927c59b72488e2ef4208a64a56ced7511ea14c0445cd50ea3ff9b827f6a

  • SSDEEP

    12288:I2wMm7l55+OeO+OeNhBBhhBBaELPA081o9baXpL3K+HDFgZUid4X9dCU5+Kazw4t:I2wMm7lfCIL3K+gY9dfcw4h3DX9X1

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

Ransom Note
ATTENTION! Don't worry, you can return your files! All your files like photos, videos and other important documents are encrypted with a strong encryption algorithm and unique key. The only method of recovering files is to purchase a decrypt tool and your key. Do not try to recover your files without a decrypt tool, you may damage them making them impossible to recover we advise you contact us in less than 72 hours, otherwise there is a possibility that your files will never be returned. We will not wait for your letter for a long time, mail can be abused, we are moving on, hurry up with the decision. Check your email 'Spam' or 'Junk' foeder if you don't get answer within 6 hours. Contact us email :[email protected] -> [email protected] Attach this file in the email

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 10 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe
    "C:\Users\Admin\AppData\Local\Temp\d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2100
    • \??\c:\Windows\system32\wbem\wmic.exe
      c:\VQENMJ\VQEN\..\..\Windows\VQEN\VQEN\..\..\system32\VQEN\VQEN\..\..\wbem\VQEN\VQENM\..\..\wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2728
    • \??\c:\Windows\system32\wbem\wmic.exe
      c:\sQhpKI\sQhp\..\..\Windows\sQhp\sQhp\..\..\system32\sQhp\sQhp\..\..\wbem\sQhp\sQhpK\..\..\wmic.exe shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2548
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1624
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2136

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt

    Filesize

    4KB

    MD5

    b39bd748f7464f1c02a856aeb7117a03

    SHA1

    397aafccfd7992b50eb70e4ec21a9fe18cf7dbef

    SHA256

    388ebe1fff279cb8c6cff13c400c9dfdf37d7b291fc69082566075975d007652

    SHA512

    d003457a03caa3d7e400370f9576d30501eacdd9f76be98304d35583df560ef4b4a80b63b5177bdef20594a2d9482a485370c5727263ac4f136b13c7029060af