Overview

overview

10

Static

static

10

08751be484...2d.dll

windows10-ltsc 2021-x64

10

0a9f79abd4...51.exe

windows10-ltsc 2021-x64

3

0di3x.exe

windows10-ltsc 2021-x64

10

2019-09-02...10.exe

windows10-ltsc 2021-x64

10

2c01b00772...eb.exe

windows10-ltsc 2021-x64

10

31.exe

windows10-ltsc 2021-x64

10

3DMark 11 ...on.exe

windows10-ltsc 2021-x64

3

42f9729255...61.exe

windows10-ltsc 2021-x64

10

5da0116af4...18.exe

windows10-ltsc 2021-x64

10

69c56d12ed...6b.exe

windows10-ltsc 2021-x64

10

905d572f23...50.exe

windows10-ltsc 2021-x64

10

948340be97...54.exe

windows10-ltsc 2021-x64

10

95560f1a46...f9.dll

windows10-ltsc 2021-x64

3

Archive.zi...3e.exe

windows10-ltsc 2021-x64

8

DiskIntern...en.exe

windows10-ltsc 2021-x64

3

ForceOp 2....ce.exe

windows10-ltsc 2021-x64

7

HYDRA.exe

windows10-ltsc 2021-x64

10

KLwC6vii.exe

windows10-ltsc 2021-x64

1

Keygen.exe

windows10-ltsc 2021-x64

10

Lonelyscre...ox.exe

windows10-ltsc 2021-x64

3

LtHv0O2KZDK4M637.exe

windows10-ltsc 2021-x64

10

Magic_File...ja.exe

windows10-ltsc 2021-x64

3

OnlineInstaller.exe

windows10-ltsc 2021-x64

8

Remouse.Mi...cg.exe

windows10-ltsc 2021-x64

3

SecuriteIn...dE.exe

windows10-ltsc 2021-x64

10

SecuriteIn...ee.dll

windows10-ltsc 2021-x64

10

SecurityTa...up.exe

windows10-ltsc 2021-x64

4

Treasure.V...ox.exe

windows10-ltsc 2021-x64

3

VyprVPN.exe

windows10-ltsc 2021-x64

10

WSHSetup[1].exe

windows10-ltsc 2021-x64

3

Yard.dll

windows10-ltsc 2021-x64

10

b2bd3de3e5...2).exe

windows10-ltsc 2021-x64

10

Resubmissions

17-01-2025 20:27

250117-y8gzsasjhw 10

17-01-2025 10:48

250117-mv59nsvlbr 10

14-12-2024 07:51

241214-jqcj1sxnhr 10

11-12-2024 15:39

241211-s3498stkar 10

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    17-01-2025 20:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

  • Size

    669KB

  • MD5

    ead18f3a909685922d7213714ea9a183

  • SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

  • SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

  • SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

  • SSDEEP

    6144:bLUHLyHlwFjxDi2nEZkQ4NXxp0XMgkBWPqdN/jGdfYY7SRA7j4YlvfYAAjJ:4uFi02nEZh4jp0XLuxGdgTm73vL

Score
10/10
discoverypersistenceransomwareupx

Malware Config

Extracted

Path

C:\Users\Public\Documents\_readme.txt

Ransom Note
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-T9WE5uiVT6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 046Sdsd3273yifhsisySD60h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
URLs

https://we.tl/t-T9WE5uiVT6

Signatures

  • Renames multiple (165) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 24 IoCs
  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4512
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\a4a99292-3947-4044-b8f9-a7dc5630d78a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      2⤵
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:2100
    • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask
      2⤵
      • Drops desktop.ini file(s)
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1136
      • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:216
        • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
          "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 216 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:4192
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 1420
            5⤵
            • Program crash
            PID:1320
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1780
          4⤵
          • Program crash
          PID:2956
      • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1136 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1064
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 2128
      2⤵
      • Program crash
      PID:1412
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4512 -ip 4512
    1⤵
      PID:680
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4192 -ip 4192
      1⤵
        PID:3200
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 216 -ip 216
        1⤵
          PID:1540

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log
          Filesize

          1.3MB

          MD5

          f782b09fd215d3d9bb898d61ea2e7a37

          SHA1

          a382348e9592bdf93dd10c49773b815a992fa7c7

          SHA256

          7bd4646090dff9875e08ea00e5727b11be19fcb850344856e66360c152835694

          SHA512

          9342bd7a0cbabd7e699ea545897a6403371a0034e4bea067a9662dad9e492c5fa9b27efa4c850e1c001c79d6a76ffe0dacb6831010e41c8d5e2a92bd5b898606

          Download Submit

        • C:\ProgramData\Package Cache\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}v48.108.8828\dotnet-host-6.0.27-win-x64.msi
          Filesize

          736KB

          MD5

          c3c0fe1bf5f38a6c89cead208307b99c

          SHA1

          df5d4f184c3124d4749c778084f35a2c00066b0b

          SHA256

          f4f6d008e54b5a6bac3998fc3fe8e632c347d6b598813e3524d5489b84bd2eaf

          SHA512

          0f3e96d16c512e37025b04ff7989d60126c3d65fe868dbcfbeae4dac910ce04fc52d1089f0e41ce85c2def0182a927fdcc349094e74cdd21b45a42fde7f01806

          Download Submit

        • C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi
          Filesize

          180KB

          MD5

          b2e47100abd58190e40c8b6f9f672a36

          SHA1

          a754a78021b16e63d9e606cacc6de4fcf6872628

          SHA256

          889217bcb971387bc3cb6d76554646d2b0822eceb102320d40adf2422c829128

          SHA512

          d30da8c901e063df5901d011b22a01f884234ddddd44b9e81b3c43d93a51e10342074523339d155d69ff03a03a1df66c7d19e0137a16f47735b5b600616ca2a9

          Download Submit

        • C:\ProgramData\Package Cache\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}v56.64.8781\dotnet-runtime-7.0.16-win-x64.msi
          Filesize

          18.1MB

          MD5

          275bb8a6c2002c809c77fb094819050a

          SHA1

          730abc53e028f4df53667ae81a49642f0d79fd80

          SHA256

          ddd7825284ff1c94fbf77ee00d026f838c112696995a6a8d20554d055919375f

          SHA512

          91a1cad018e7585ea8fac64e02503d66bc37cab0606f1605419ced16e52876a6d6e6c2b1449619105c7b03009c4710bfd45b77f0b2ec20136da073930dcc49de

          Download Submit

        • C:\ProgramData\Package Cache\{E634F316-BEB6-4FB3-A612-F7102F576165}v48.108.8836\windowsdesktop-runtime-6.0.27-win-x64.msi
          Filesize

          17.0MB

          MD5

          0059125acc28452c4a54d656ca490c00

          SHA1

          e69ced6b5138e91d8c89d12d95c7383478f6c163

          SHA256

          a0356dab27a8f49f137ac271f88fcddbcfeea41defe451df93980724dde5dc8d

          SHA512

          5f5f75e20837830b294138f48377ede553796f0e2e2bc27bd673b4e45525db208ed6f09e1e4addb185db1f43254d761df2ad3e29129ac4a9986c15593176cd62

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
          Filesize

          1KB

          MD5

          c9be626e9715952e9b70f92f912b9787

          SHA1

          aa2e946d9ad9027172d0d321917942b7562d6abe

          SHA256

          c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4

          SHA512

          7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
          Filesize

          436B

          MD5

          971c514f84bba0785f80aa1c23edfd79

          SHA1

          732acea710a87530c6b08ecdf32a110d254a54c8

          SHA256

          f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

          SHA512

          43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
          Filesize

          174B

          MD5

          be31ea32024f97823b8ed25fc01ca585

          SHA1

          ef8592a7f5face0c876268af2788205056edd4f9

          SHA256

          6bce2bb528f37843a38b7a77a6d21c9dc82e45331311fa2d80dc08a2c4543621

          SHA512

          59a6be152b0717c486bb81370886a44e3514d7d2b096b3881f8ecec469b293c101c4cd1ae37705464c31d84e884c855f7a6e05e2853256cfe6f7bc96cf261081

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
          Filesize

          170B

          MD5

          9a7b2c8afb5321502349fe64de8b3e89

          SHA1

          ebf9ead5ce1f409490a109685330ead75a319511

          SHA256

          50a8d3adf8e4bc63f13b0a83e5d08f9f2ed6c06bd6a11e28f74af9cbfdfbeb5e

          SHA512

          d6983ba2eaf2daa105a7ed6009d8ecb99d495632e18c455f2e7c5eef5360c27388013a132c249f1286021d1bc3146ba66fa46dc4e263f0b1f00b3604ffc72159

          Download Submit

        • C:\Users\Public\Documents\_readme.txt
          Filesize

          1KB

          MD5

          d75064cfaac9c92f52aadf373dc7e463

          SHA1

          36ea05181d9b037694929ec81f276f13c7d2655c

          SHA256

          163ec5b903b6baadd32d560c44c1ea4dce241579a7493eb32c632eae9085d508

          SHA512

          43387299749f31c623c5dd4a53ff4d2eff5edfeb80fd4e2edd45860b5c9367d2767ae2ee9b60824b57301999dd2bd995b7d3bd5e7187e447aed76106272559d1

          Download Submit

        • memory/216-31-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/216-40-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/216-35-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1064-34-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1064-26-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1064-28-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1064-29-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1136-18-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1136-33-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1136-25-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1136-23-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1136-17-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1136-12-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4192-37-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4192-39-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4512-0-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4512-15-0x0000000000400000-0x0000000000476000-memory.dmp

          Filesize

          472KB

          Download

        • memory/4512-14-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4512-3-0x0000000000400000-0x0000000000476000-memory.dmp

          Filesize

          472KB

          Download

        • memory/4512-2-0x0000000000750000-0x0000000000850000-memory.dmp

          Filesize

          1024KB

          Download