Resubmissions

05/02/2025, 11:16

250205-ndjvsavrdm 10

16/07/2024, 08:54

240716-kt64gavakp 10

Analysis

  • max time kernel
    288s
  • max time network
    282s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    05/02/2025, 11:16

General

  • Target

    084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe

  • Size

    49KB

  • MD5

    50248697e19117027d4823c6a3be6db5

  • SHA1

    fb81c35ffe11180c1d6269006db2fc775eec4741

  • SHA256

    084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e

  • SHA512

    abc04de0ee5dfc9ca1afccc6b46f9bb4b56d3d9e9ec11165dfc9d3630a597e865941c2c33f4284807f155f69d8255ac3279c418f3bdb2a7f6b4e8678ba7fd6ed

  • SSDEEP

    768:acaQRffDB31aCytHLykiKPT3JATD2qBwV2ckjbnsb0Ah99De0YAD8hMWsddOC86t:acai318HxZATvnsblYO8hMWsdoC86+r

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\scoped_dir2112_817205846\+README-WARNING+.txt

Ransom Note
::: Hey :::
Small FAQ:

.1. Q: What's going on?
A: Your files have been encrypted. The file structure was not affected, we did our best to prevent this from happening.

.2. Q: How to recover files?
A: If you want to decrypt your files, you will need to pay us.

.3. Q: What about guarantees?
A: It's just business. We are absolutely not interested in you and your transactions, except for profit. If we do not fulfill our work and obligations, no one will cooperate with us. It's not in our interest. To check the possibility of returning files, you can send us any 2 files with SIMPLE extensions (jpg, xls, doc, etc... not databases!) and small sizes (max 1 mb), we will decrypt them and send them back to you. This is our guarantee.

.4. Q: How to contact you?
A: You can write to us at our mailboxes: [email protected]

.5. Q: How will the decryption process take place after payment?
A: After payment, we will send you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.

.6. Q: If I don't want to pay bad people like you?
A: If you do not cooperate with our service - it does not matter to us. But you will lose your time and data because only we have the private key. In practice, time is much more valuable than money.

:::BEWARE:::
DO NOT try to modify encrypted files yourself! If you try to use third party software to recover your data or antivirus solutions - back up all encrypted files! Any changes to the encrypted files may result in damage to the private key and, as a result, the loss of all data.

Note: ::::::IF WE HAVE NOT RESPONSE YOU BY MAIL WITHIN 24 HOURS::::::
Spare contact for communication: If we have not answered your email within 24 hours, you can contact us via the free messenger qTox
Download from the link https://tox.chat/download.html
Next go qTox 64-bit after downloading the program, install it and go through a short registration.
Our Tox ID 37CDA60B5B593473E120366CCF68A8C08F503880D2AE7F0F4161C2C9C0502C6304DDA2B19D8E
URLs

https://tox.chat/download.html
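The contact block of the note carries two machine-checkable indicators: the qTox download URL and a Tox ID. A Tox ID is 38 bytes (32-byte public key, 4-byte nospam, 2-byte checksum), and toxcore computes the checksum by XOR-folding the first 36 bytes into two alternating accumulator bytes, so a candidate can be validated offline without any network contact. The Python below is an added example, not code from this report or from the sample: it pulls URLs and Tox IDs out of note text, verifies the checksum, and exposes the public-key part (the stable half that survives a nospam rotation) for pivoting. The embedded input is a constructed fragment copied from the extract above, with the `[email protected]` placeholder left as it appears there and the sample's own SHA256 appended to show that ordinary hashes are not reported as Tox IDs.

```python
import re

# Constructed input: the contact portion of the extracted note above, plus the
# sample's SHA256 so the run shows that 64-hex hashes are not mistaken for Tox IDs.
NOTE_FRAGMENT = (
    "Q: How to contact you? A: You can write to us at our mailboxes: [email protected] "
    "Spare contact for communication: If we have not answered your email within 24 hours, "
    "you can contact us via the free messenger qTox Download from the link "
    "https://tox.chat/download.html Next go qTox 64-bit after downloading the program. "
    "Our Tox ID 37CDA60B5B593473E120366CCF68A8C08F503880D2AE7F0F4161C2C9C0502C6304DDA2B19D8E "
    "sample: 084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe"
)

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
# Exactly 76 hex digits not embedded in a longer hex run (so SHA512s do not match).
TOX_ID_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{76}(?![0-9A-Fa-f])")

TOX_ID_LEN = 38          # 32-byte public key + 4-byte nospam + 2-byte checksum
TOX_PUBLIC_KEY_LEN = 32


def tox_checksum(data: bytes) -> bytes:
    """toxcore's address checksum: XOR each byte of key||nospam into one of two
    accumulators, alternating by byte index (checksum[i % 2] ^= data[i])."""
    acc = [0, 0]
    for i, b in enumerate(data):
        acc[i % 2] ^= b
    return bytes(acc)


def is_valid_tox_id(hex_id: str) -> bool:
    """True only for a 38-byte hex string whose trailing 2 bytes equal the
    checksum of the leading 36; a random hex blob fails with probability ~65535/65536."""
    try:
        raw = bytes.fromhex(hex_id)
    except ValueError:
        return False
    if len(raw) != TOX_ID_LEN:
        return False
    return tox_checksum(raw[: TOX_ID_LEN - 2]) == raw[TOX_ID_LEN - 2:]


def tox_public_key(hex_id: str) -> str:
    """The public key is the part worth pivoting on: the actor can hand out the
    same key with a different nospam, which changes the full ID but not this prefix."""
    return hex_id[: TOX_PUBLIC_KEY_LEN * 2].upper()


def extract_contact_iocs(note: str) -> dict:
    """Return URLs plus every Tox ID candidate with its checksum verdict and public key."""
    urls = sorted(set(URL_RE.findall(note)))
    tox_ids = []
    for m in TOX_ID_RE.finditer(note):
        candidate = m.group(0).upper()
        tox_ids.append({
            "tox_id": candidate,
            "checksum_ok": is_valid_tox_id(candidate),
            "public_key": tox_public_key(candidate),
        })
    return {"urls": urls, "tox_ids": tox_ids}


if __name__ == "__main__":
    import json
    print(json.dumps(extract_contact_iocs(NOTE_FRAGMENT), indent=2))
```

Run against the fragment, the ID from this note passes the checksum, so it is a well-formed address rather than a decoy string, and the 64-hex public key is what to record in a blocklist or pivot on across other samples. The URL itself is the legitimate qTox project site, not attacker infrastructure; treat it as context, not a block indicator.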

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (8352) files with added filename extension

    This suggests ransomware activity: files across the system are being encrypted and given a new extension.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe
    C:\Users\Admin\AppData\Local\Temp\084c57449c765416706301c723116da5073aa60da415c0eb3013239611135b0e.exe dsrm -subtree -noprompt -c user"http://+:443"
    1⤵
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2452
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:2792
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2564
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2752
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1152
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2100
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\+README-WARNING+.txt
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2500
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2644
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2568
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:2744
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:2948
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    PID:2732
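The three children of cmd.exe (PID 2040) in the tree above are the standard inhibit-system-recovery chain: vssadmin deleting shadow copies, wmic deleting them again through WMI, and wbadmin wiping the backup catalog. Any one of these shows up in legitimate admin scripts now and then; two or three distinct techniques under one parent in a single run is the high-confidence signal. The Python below is an added example, not report or sandbox code: it runs command-line rules over process-creation records and groups hits by parent PID. The records are constructed and modelled on this tree (PIDs and command lines copied from it, plus two benign look-alikes that must not fire); the record layout is a simplified stand-in, not real Sysmon Event ID 1 or 4688 output. The ATT&CK label T1490 (Inhibit System Recovery) is my annotation.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (constructed layout, not a real log schema)."""
    pid: int
    parent_pid: int
    image: str
    command_line: str


# Constructed events modelled on the process tree in this report; the last two are
# benign admin queries that a sloppy substring match on "vssadmin"/"shadowcopy" would flag.
SAMPLE_EVENTS = [
    ProcEvent(2040, 2304, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(2452, 2040, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(2792, 2040, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ProcEvent(2564, 2040, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(3001, 3000, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
    ProcEvent(3002, 3000, r"C:\Windows\System32\Wbem\WMIC.exe",
              '"C:\\Windows\\System32\\Wbem\\WMIC.exe" shadowcopy list brief'),
]

# (rule name, ATT&CK technique, pattern over the normalised command line).
# Patterns require the destructive verb, so list/query forms do not match.
RULES = [
    ("vssadmin_delete_shadows", "T1490", re.compile(r"\bvssadmin(?:\.exe)? delete shadows\b")),
    ("wmic_shadowcopy_delete",  "T1490", re.compile(r"\bwmic(?:\.exe)? shadowcopy delete\b")),
    ("wbadmin_delete_catalog",  "T1490", re.compile(r"\bwbadmin(?:\.exe)? delete catalog\b")),
]


def normalise(cmd: str) -> str:
    """Lower-case, strip quotes and collapse whitespace so casing, quoting and
    padding tricks (e.g. 'VSSADMIN.EXE  Delete   Shadows') still hit the rules."""
    return re.sub(r"\s+", " ", cmd.replace('"', "")).strip().lower()


def detect(events):
    """Return (event, rule_name, technique) for every record matching a rule."""
    hits = []
    for ev in events:
        cmd = normalise(ev.command_line)
        for name, technique, pattern in RULES:
            if pattern.search(cmd):
                hits.append((ev, name, technique))
    return hits


def group_by_parent(hits):
    """Distinct rules fired per parent PID; the parent is the pivot because the
    sample drives all three tools through one cmd.exe rather than calling them itself."""
    by_parent = defaultdict(set)
    for ev, name, _ in hits:
        by_parent[ev.parent_pid].add(name)
    return dict(by_parent)


def high_confidence_parents(events, min_rules=2):
    """Parent PIDs under which at least min_rules distinct recovery-inhibition
    techniques ran; a lone vssadmin call is left for lower-severity triage."""
    grouped = group_by_parent(detect(events))
    return sorted(pid for pid, names in grouped.items() if len(names) >= min_rules)


if __name__ == "__main__":
    for ev, name, technique in detect(SAMPLE_EVENTS):
        print(f"{technique} {name}: pid={ev.pid} parent={ev.parent_pid} cmd={ev.command_line}")
    print("high-confidence parents:", high_confidence_parents(SAMPLE_EVENTS))
```

On the constructed records this reports the three children of PID 2040 and nothing for the query forms, and 2040 is the only parent that clears the two-technique threshold. In a real deployment the parent pivot also catches the case where the ransomware spawns the three tools directly instead of via cmd.exe, since the grouping key is whatever the parent happens to be.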

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat

          Filesize

          44KB

          MD5

          a898212802fabb832af95be44f32ef4d

          SHA1

          d215b5721994f6c60d071c8eda820019d26bf014

          SHA256

          138c0e8787a60f719f3d8baaf98365b63f4bfea8b89239664f005284d8e24d16

          SHA512

          b30185b03e725631b9bc5b5e3e23d4a4297f75c4dfa2a26de764137b5e5b89eb7e866d7f3cf7a6f2f8bf0448762c8c245a5ae9071c28130408f1bc1061c0f8d2

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db

          Filesize

          260B

          MD5

          b9bbb08c9c2d179f7d4fb83ff4231a75

          SHA1

          9adb0fc8c3caab16f9b928c9918c57d3db9ac5c2

          SHA256

          568e89a2d5b560027bd343b8584a94e52b9f285a52890a87d45b852dff89efdd

          SHA512

          2ca5c526afdbf3830c72fc9cf815effab8b221781f5e6246aa54f7e3e5f58c9a376d5eb532914aea1942eb96bb85a58aff923e7bea140201325dd3266b68cacb

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db

          Filesize

          1.0MB

          MD5

          0c81016b9710d12c841045995205351b

          SHA1

          cbfaeff661f8c9d612ff567ae1467c75abe99ee2

          SHA256

          a63214c393bef19faff3d36a96026546397bd865b165d73725389610db3667cd

          SHA512

          759625abf52fdf327e1752e54552ec9a305f1606f61ad5920a1d4379fca43dba7c204917bde576cb0f49df8c404844c9fda7545421a9ea75cfe31c2d3fcf22bd

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db

          Filesize

          260B

          MD5

          74516c76f7bf69b8674a7952584a27ce

          SHA1

          628ff5c0690b7e5fc2f556fce6604458bc776c68

          SHA256

          c32f1cc87adb10ffa93e0ea8aabe416ab5dde67f505518a3a4f3d98d707017ad

          SHA512

          39c70f271e54fdede73cdb7457a09fb68aa803592ed103c2390af0588daa233bc1c83ef104a8dfe4d4aab6a5ac7b0077845d86fbb7b760becffc8f91c0ec174c

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db

          Filesize

          260B

          MD5

          2e035dc997af789ad4ce51b394428194

          SHA1

          21c81e9908f99c36ce5dab71b6088c9721560b16

          SHA256

          84b35a4c4b81fa4aba8ce8c8aa8729da003522beed49cdab2ec6d01dfdbdfed2

          SHA512

          0755daefcf3b2542a975a76a39da7e5d942105d5d556ebb17158295e6287c2755dc3c2bed4ccf1b91472f11db9da74371e57ba5fdf898dda179f4eb0369e59f3

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

          Filesize

          3KB

          MD5

          ce9b1aa388a5ff33dafb983da4d45d33

          SHA1

          3ff50e7446c0a8d83a443186ff274c7cbe8f6fb5

          SHA256

          c0fe227eade8f43f51c1742671a42f31a644899d4bcf9203bf1f81c654129ff0

          SHA512

          054064dafa8129e0d70b40e4508693bf79bbc29bde355e70fa00f06e2dfff8969c18811ef8847ded4919ec4631d85fee9c7eea0db23b1496318db6616a3f1965

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db

          Filesize

          260B

          MD5

          7862e36ac4fb2d887edcc866ba27f163

          SHA1

          47bdd48f56209fe131f90a55e49d5b8e43b0eb57

          SHA256

          0411096ba6f540840fcc98a6406836096aff578adc4adddb74c1bf0c3438ba0f

          SHA512

          6f9554ebaea27d33b7e46031e8cbac01268aee81e8bbcb36d6a8ab6ed1f620e91484da1095ebfb48f3e3fd3e619afb9448338a456a62047ec8d532ffa06c5902

        • C:\Users\Admin\AppData\Local\Temp\EAD0.tmp.bmp

          Filesize

          3.5MB

          MD5

          aa5060b84d130d5d68a45a045af8e9f3

          SHA1

          16ea1f77cf224375f99a0860e3ab5c0540d2428a

          SHA256

          f843f4256d84e581933b93a6f5a1505abe23db68c92129150aa5ae2cda3cf340

          SHA512

          14fa215ff9c3a6390270dc381e5b8dc0e4d7a6f7b9d7028733b2821580dc3d347248c4a462ea98a8f52c9f2a4adff0f6914a7253c73bf469d7fd732578d0327c

        • C:\Users\Admin\AppData\Local\Temp\scoped_dir2112_817205846\+README-WARNING+.txt

          Filesize

          2KB

          MD5

          5d230c41f5f5f64ec6858756404c7a7e

          SHA1

          6e6ccd293641504eee97cb55d48566976f1bcf92

          SHA256

          2225eb49c5a55704c141e965cee16592f303ab5112a5df49b6a102a8bd34bb02

          SHA512

          1a058e1c77214546b5c978d77671f44a3d636c9ec69818da17064746a983aeeddd3068e2eef63bd54c2ad0a014ca943f50df588510107e8a02ef25f7d309c883