Overview

overview

10

Static

static

10

ransomware.exe

windows7-x64

10

ransomware.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-01-2025 01:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ransomware.exe

  • Size

    147KB

  • MD5

    c09185c157831e4915c255d7002941f4

  • SHA1

    beca597f2c2c120c3d74163501a81f56664ff4f7

  • SHA256

    6f3d87f3dcfd248e64d26cf338a19f41a6f93affdde5fab071a631ff38637757

  • SHA512

    a843854ca79f4d98938635612d20f3d5b79d8661ee91d1ae130b2deffe95e44d7028f76b8b221c87fab0638afe5baf3c55e8348f8aa10dddc90133167a3c17bf

  • SSDEEP

    3072:SqJogYkcSNm9V7DnfX/91c6G+Mqc+2EIEMF+T:Sq2kc4m9tDnfXPc6g+2XEMF

Score
10/10
defense_evasiondiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\5VFg9o5tW.README.txt

Ransom Note
------Dear managers!------ If you are reading this, it means your network has been attacked. What does that mean? We hacked your network and now all your files, documents, client database, projects and other important data safely encrypted with reliable algorithms. we also have a copy of all your data. WARNING!!! You don't have to go to the POLICE, etc. Otherwise we will not be able to help you. You cannot acces the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. As proof, we can decrypt any 3 files you provide. We are not interested to ruin your business. We want to get ransom and be happy. Please bring this information to your team leaders as soon as possible. In case of a successfull transaction, we will restore your systems within 4-6 hours and also provide security recommendations. -----------------------WARNING----------------------- If you modify files - our decrypt software won't able to recover data If you use third party software - you can damage/modify files (see item 1) You nedd cipher key / our decrypt software to restore you files. The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -----------------------RECOVERY----------------------- Use email: [email protected] Alternative email address: [email protected] ([email protected]) ID message: c5337115f1d1a

Signatures

  • Renames multiple (358) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\ransomware.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\ProgramData\AE0B.tmp
      "C:\ProgramData\AE0B.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\AE0B.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:400
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:1560

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini
      Filesize

      129B

      MD5

      1059e0011085d40a2b54ee845009cb5a

      SHA1

      ad6d847e9ec870a5ad646a285823d435b236f1d5

      SHA256

      5047fa31c96564af46d2ab7101e9681e7a000dc055b2fcde2c9beed88d4ea050

      SHA512

      cf8f286549b7764e6a9ebc6e6031edd80a8be432a4e31687fd51e89fa753cdb4732e87247ba7b06035390640a45b2bf382ab2bb75d8b499edd0e3e7924fc78fa

      Download Submit

    • C:\5VFg9o5tW.README.txt
      Filesize

      1KB

      MD5

      17e3459297cd54cf124d089248ff395b

      SHA1

      617e2ddd0a69a242d4da510d32670a170ff667fa

      SHA256

      94aaefad5d5a9fea79e9271941a5e874951cceac46a110ef0f1de841051f6421

      SHA512

      280536a672423a4bf4df1cb7cd49bd0a7a3f731dfe4543359a84d3a82d734e3882386b336af62a77e2763cbe7fe9e4ff6ae852241dd61ab702cda1b0d2f02e13

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDD
      Filesize

      147KB

      MD5

      0b71de6eaf14f889e56fe79f195d8bb9

      SHA1

      4e1cfc5acdb70fb6c539b805c574f1452deb5612

      SHA256

      5c3c4ee963099ea4d790bbfb0840ec2b5b8cb011ec2c3051ec35c999af74827b

      SHA512

      b85b79353b20d01f63ee15703e8d2aaf207e6b5e8482168972619e23e7477604e7b19d0817af49d10db47c5a0a1f4c2e0798ddee569171ba61a1a367529cd418

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      3e3789b2f4c46057dd644bd93706a5bb

      SHA1

      c213a377bdc8d5c467ddb958e3fbc91c62954062

      SHA256

      787f7e205fd781470490e3cc476d74da705752b6de5d33ba394624f7c29d82fa

      SHA512

      134817316ca5d332ff0eb15d2664d693478b168c342369d5f8938f221a103e55b5ce99c55d2b343707e7e67a7cecab8b7e563aff71ee2b9b77ca3203cebb91bb

      Download Submit

    • \ProgramData\AE0B.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • memory/2972-893-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2972-892-0x0000000000350000-0x0000000000390000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2972-891-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2972-890-0x0000000000350000-0x0000000000390000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2972-888-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2972-923-0x000000007EF60000-0x000000007EF61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2972-922-0x000000007EF40000-0x000000007EF41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3068-0-0x0000000000100000-0x0000000000140000-memory.dmp

      Filesize

      256KB

      Download