Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-12-2024 16:01

General

  • Target

    sample.exe

  • Size

    280KB

  • MD5

    badc00888b75a7a568d5a2b3d0cb6451

  • SHA1

    10e2dde399f369bab14eba5acfa06a923394aa33

  • SHA256

    994539855377a216b90c1db4f77fdd60dd89aa2296a19345cf19d9591419809e

  • SHA512

    5d00ce31011d460a34446469382b4151d0a241853b925b979da4b758336ff3416ef93b77c31666d1b846fc0ab1e242b34c400ef5b8c2f33cc725d1c39d3d4c7f

  • SSDEEP

    6144:EjWkd35a63FC6EkbwO+ZfhluCm9At1sotV50DErPtld:EjWk130CbwOouCmouDel

Malware Config

Extracted

Path

C:\$Recycle.Bin\READ_ME_NOTE.txt

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED!!! All your files, documents, photos, databases and other important files are encrypted. The only way to recover your files is to get a decryptor. To get the decryptor, write to us by mail or telegram, specify the ID of the encrypted files in the letter: Email: [email protected] Telegram: https://t.me/returnbackcyberfearcom Warning!!! * Do not rename files. * Do not attempt to decrypt data using third party software, as this may result in permanent data loss. * Do not contact other people, only we can help you and recover your data. Your personal decryption ID: CxLg9XcDAS0
URLs

https://t.me/returnbackcyberfearcom

Signatures

  • Renames multiple (179) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (2 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Opens file in notepad (likely ransom note) (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Users\Admin\AppData\Local\Temp\sample.exe
      "C:\Users\Admin\AppData\Local\Temp\sample.exe" p r i v e t
      2⤵
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:4528
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\READ_ME_NOTE.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2596

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\READ_ME_NOTE.txt

    Filesize

    635B

    MD5

    42bba4a0949ea0f73a193f4aa130d777

    SHA1

    c74d96dc21ecbc76822d9eabdd9b7bc6feca69d6

    SHA256

    5364b0c5ea458ab438bd1d9fbfc76a5f6583d913f67344314c30dc8ab3c55b4c

    SHA512

    b909a7ce7b79bcab319758425f8b83a485fafc874c26e2a73d84ea735df2ade868d83b5b53574e857170f48e02df051ddae26c78c05ee5a0ced2196d92f4276c