Analysis

  • max time kernel
    124s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-12-2024 16:01

General

  • Target

    sample.exe

  • Size

    280KB

  • MD5

    badc00888b75a7a568d5a2b3d0cb6451

  • SHA1

    10e2dde399f369bab14eba5acfa06a923394aa33

  • SHA256

    994539855377a216b90c1db4f77fdd60dd89aa2296a19345cf19d9591419809e

  • SHA512

    5d00ce31011d460a34446469382b4151d0a241853b925b979da4b758336ff3416ef93b77c31666d1b846fc0ab1e242b34c400ef5b8c2f33cc725d1c39d3d4c7f

  • SSDEEP

    6144:EjWkd35a63FC6EkbwO+ZfhluCm9At1sotV50DErPtld:EjWk130CbwOouCmouDel

Malware Config

Extracted

Path

C:\MSOCache\All Users\READ_ME_NOTE.txt

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED!!!
All your files, documents, photos, databases and other important files are encrypted.
The only way to recover your files is to get a decryptor.
To get the decryptor, write to us by mail or telegram, specify the ID of the encrypted files in the letter:
Email: [email protected]
Telegram: https://t.me/returnbackcyberfearcom
Warning!!!
* Do not rename files.
* Do not attempt to decrypt data using third party software, as this may result in permanent data loss.
* Do not contact other people, only we can help you and recover your data.
Your personal decryption ID: CxLg9XcDAS0

URLs

https://t.me/returnbackcyberfearcom

Signatures

  • Renames multiple (221) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (2 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class (2 IoCs)
  • Opens file in notepad (likely ransom note) (3 IoCs)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious use of AdjustPrivilegeToken (7 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\sample.exe
      "C:\Windows\sample.exe" p r i v e t1
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2312
    • C:\Windows\SysWOW64\cmd.exe
      /c ping localhost -n 3 > nul & del C:\Users\Admin\AppData\Local\Temp\sample.exe
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\SysWOW64\PING.EXE
        ping localhost -n 3
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2664
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\READ_ME_NOTE.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:920
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2364
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\READ_ME_NOTE.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:2476
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap14101:1082:7zEvent18595 -ad -saa -- "C:\Users\Admin\Desktop\Desktop"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2012
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap12345:698:7zEvent1144 -ad -saa -- "C:\Users\Admin\Desktop\Desktop"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2720
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\111.7z
      1⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\111.7z
        2⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\111.7z
          3⤵
          • Opens file in notepad (likely ransom note)
          PID:788

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\MSOCache\All Users\READ_ME_NOTE.txt

      Filesize

      635B

      MD5

      42bba4a0949ea0f73a193f4aa130d777

      SHA1

      c74d96dc21ecbc76822d9eabdd9b7bc6feca69d6

      SHA256

      5364b0c5ea458ab438bd1d9fbfc76a5f6583d913f67344314c30dc8ab3c55b4c

      SHA512

      b909a7ce7b79bcab319758425f8b83a485fafc874c26e2a73d84ea735df2ade868d83b5b53574e857170f48e02df051ddae26c78c05ee5a0ced2196d92f4276c

    • C:\Users\Admin\Desktop\111.7z

      Filesize

      3.8MB

      MD5

      76e4429eadcab3febc6b67c2cc8a4491

      SHA1

      e35c2318ae0e3fe10142782061403dfe5c678845

      SHA256

      b5f032ebf4a8ce48d5b4d3b3a6f1c581e6c889de7f5badbd70f4362f8606fae7

      SHA512

      2ffbbc297534e23013cd371fc7b461c685c35ada7d38c006112d9bf1cfe7088bf0124c4a97cc9d7eb4f6d097883f4f9851d151314f07b7d1f423adb14de3b25c

    • C:\Users\Admin\Desktop\SearchWait.M2T.CxLg9XcDAS0

      Filesize

      704KB

      MD5

      0879653385c3402639873421ffd1d0b7

      SHA1

      9585b6c9d6ec3ae36d11e884dc3f311994abaec6

      SHA256

      cc94d53ef1f558707d92940ded8b02af21db3a6cf42cce5deeb302a9afe30548

      SHA512

      952ef2dd23f11e0bc33de57893a291988157d9d6a30cba961a92c1d40ae4709ad5a5bb604c755eac6b1f84daf787b831b9e7c1db85abb94bb374b3a5763c4c36

    • C:\Users\Admin\Desktop\SetReceive.pot.CxLg9XcDAS0

      Filesize

      340KB

      MD5

      5e9021be717265b3016b27b3364b4e0f

      SHA1

      f677f19e2d8f36d826393d83a8f21dc7fa1ae91f

      SHA256

      e5b39ea03705812de660c4235aa6582db0c56a21d977bc208024ecf55953ad60

      SHA512

      8fe413b828ab8ecd3cf52a561b4fd5b1bd5a4d20aaf569017fd7d5ce58afc9a0e8d03a954beba343feb708753f12f71beefebfdc2a480e95a2f68cd1c34b6aed

    • C:\Users\Admin\Desktop\ShowLock.dot.CxLg9XcDAS0

      Filesize

      818KB

      MD5

      6f1ec21095e2f3fc3333533f8f734f34

      SHA1

      66523ab97e074d5e0ae58d2d0e9342e619d4bd82

      SHA256

      019fb5d9ffdb63792729e4adbb896e2f84b697815df744fbd49b4b86dd9b8d23

      SHA512

      d42f6b6b82e1b25683cd9af0cdb1e4a762b289a3033829d908acabfae2682423846952d904dde001800d6258bb95b17abd62d5cc64335f92ea26f5b6d1a25c3a

    • C:\Users\Admin\Desktop\StopClose.m1v.CxLg9XcDAS0

      Filesize

      499KB

      MD5

      a4b1e503ca6265f698b4a7ddd8caeaa9

      SHA1

      b84709953f10fca2e2099a08423c2ccecd27eb01

      SHA256

      7237ee52706e78dda52e177b5d459ad71bf975ed0b830d7c6a672c3459c27c74

      SHA512

      308fecaf8dba74588b455026cf93c2b88a0f15a9ff78122f9253d761d78d69c6d25cc9df68e4d71d3bd7e1b524353eb531ca01c1c810d730b23ce5553a6fce6b

    • C:\Users\Admin\Desktop\UnblockUnpublish.tiff.CxLg9XcDAS0

      Filesize

      749KB

      MD5

      03304166edcb586a0628bb6bca723275

      SHA1

      bcdf68b6f14728479e555426ea36ef9160aaa1b5

      SHA256

      9a971e88669365b287bb49d6b509de9e668f84f5815a20eeb2866aa4f01dd5a1

      SHA512

      7269292f3df0ceade1afef96d5a73df0f55c0aaa0101d8be95ed2355ef41ef1b07d73f72a81c8b0e679281385c8a1a0660c3c749ab7fc74178c3083360dbc4bd

    • C:\Users\Admin\Desktop\UnprotectRead.ttf.CxLg9XcDAS0

      Filesize

      727KB

      MD5

      8ca5dd641adb16d9303b81bc54b282c7

      SHA1

      4053d3d2f469fde78d8bdf1a7a1c0ea606aa6f5d

      SHA256

      de24253dc9536e5af5cfeca596427cd50ff66c83f5295f86cf5373e8ab60592c

      SHA512

      b43beb4f509eba28e1efbb43f57ddbac47a099e0c3f74c14c1a2b04f78b91aa912e7e59bc8899a3c69f7109f692dbca5fc7a731b046e9b2dd183301051fa0e11

    • C:\Windows\sample.exe

      Filesize

      280KB

      MD5

      badc00888b75a7a568d5a2b3d0cb6451

      SHA1

      10e2dde399f369bab14eba5acfa06a923394aa33

      SHA256

      994539855377a216b90c1db4f77fdd60dd89aa2296a19345cf19d9591419809e

      SHA512

      5d00ce31011d460a34446469382b4151d0a241853b925b979da4b758336ff3416ef93b77c31666d1b846fc0ab1e242b34c400ef5b8c2f33cc725d1c39d3d4c7f