Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64, arch:x86, image:win7-20250207-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-02-2025 11:29

General

  • Target

    Videos/crypt154.exe

  • Size

    728KB

  • MD5

    ee91aeacff16d4ef5fe74b7252291665

  • SHA1

    88adb2573e183e44babf88005298cab9a9901d2d

  • SHA256

    ea585b7e84b67e8170b76f87115c0fc8423fe6d7184db32ba32b5bfc155e2b34

  • SHA512

    d12cf47211a38fe595d855fe336f30946a0a76a4a559e0430e212f68601cd28cab63ffd4acd04c76f4f83950ad2261efb49dff6a2b03fd2aaa4617bc49b1b8a4

  • SSDEEP

    12288:R/7tmBxTq87Rro7jx0/O2EbiJtzhCg3sph0lhSMXliuqJTJRg9J:RztmTqwRrSjx0/OpiDhdSh0lhSMXltqe

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\READ_NOTE.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">6jm7J6SZ+U7c5JLqMyAg/VJT+bDrILJrOpHNn6ip1E14JFwbbIZ0b+mdJCPdY5dnPonH5zfJs7kXZV00LZc1exwa+Diphkspk3TsZnc8tvOeAbgV3MOeXjOaRGTuwMV0Q6Eu/vGaWsb7BttctXCa5MWV1QhJv8lggNb5pM643iX0ieuo0iYT5D2WRV9lQdcZdb5FNIPuCGVibxJLxeG3JwQJWlu2HLN128EjNKoorqMQdZD4WbU6//Q57R/h0NaRsqqhyKPwUd8+qL1RooIZ8/61ImlH4+UrLj5bTUvo9VvZTjTaKKDOehchG7kvbORBA64rN1xqJPOhs3YzfoQzSA==�</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. 
We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div> <!--tab--> <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
  • Renames multiple (5688) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes system backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1188
      • C:\Users\Admin\AppData\Local\Temp\Videos\crypt154.exe
        "C:\Users\Admin\AppData\Local\Temp\Videos\crypt154.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds Run key to start application
        • Enumerates connected drives
        • Sets desktop wallpaper using registry
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2476
        • C:\Windows\SysWOW64\cmd.exe
          \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2764
          • C:\Windows\system32\cmd.exe
            C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2732
            • C:\Windows\system32\vssadmin.exe
              vssadmin.exe Delete Shadows /All /Quiet
              5⤵
              • Interacts with shadow copies
              PID:2876
        • C:\Windows\SysWOW64\cmd.exe
          \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3060
          • C:\Windows\system32\cmd.exe
            C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1892
            • C:\Windows\system32\wbadmin.exe
              wbadmin delete backup -keepVersion:0 -quiet
              5⤵
              • Deletes system backups
              • Drops file in Windows directory
              PID:2988
        • C:\Windows\SysWOW64\cmd.exe
          \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2624
          • C:\Windows\system32\cmd.exe
            C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2652
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic.exe SHADOWCOPY /nointeractive"
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2888
        • C:\Windows\SysWOW64\cmd.exe
          \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1964
          • C:\Windows\system32\cmd.exe
            C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2644
            • C:\Windows\system32\bcdedit.exe
              bcdedit.exe /set {default} recoverynabled No
              5⤵
              • Modifies boot configuration data using bcdedit
              PID:2752
      • C:\Users\Admin\AppData\Local\Temp\Videos\crypt154.exe
        \\?\C:\Users\Admin\AppData\Local\Temp\Videos\crypt154.exe -network -skip_misc
        2⤵
        • Enumerates connected drives
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:1060
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c pause
          3⤵
            PID:832
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2612

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

        Filesize

        1KB

        MD5

        c9be626e9715952e9b70f92f912b9787

        SHA1

        aa2e946d9ad9027172d0d321917942b7562d6abe

        SHA256

        c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4

        SHA512

        7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

        Filesize

        436B

        MD5

        971c514f84bba0785f80aa1c23edfd79

        SHA1

        732acea710a87530c6b08ecdf32a110d254a54c8

        SHA256

        f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

        SHA512

        43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

        Filesize

        174B

        MD5

        5b30872a74f4c114bc48e6de0526887b

        SHA1

        3673cf3142795c497a6273ecdbdd378cb664bb89

        SHA256

        a0fa3f9f7764472b3108bd27fc809156d741b9a6fa9662d3d6ac49bddd5a5ecb

        SHA512

        b6a0d1f40df8099608d204dc0eef7ae37770bc9a03a8156f060366ea1fb3ce75b75796131593551335189ea7564aef5a171e814a1ad502087bc420ee1dfba826

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

        Filesize

        170B

        MD5

        eb908c3ece364e53b3681360de893c72

        SHA1

        bdb7578da312737ddf81f911f9f6e9c358e4783a

        SHA256

        b293d0fc7d29f4d7d08cc515f0b6ecb41707ef176a0bdbbf66c259c2d4cb7d81

        SHA512

        501caeae0dd66923fe6d0ad93aef84ce1e0c9fbcdf3d981bc84ae636a32a6ae2b78c0949aaa0d6d6c646417229ab100135e41cefcc1ba42e94e81f77fb37f389

      • C:\Users\Admin\AppData\Local\Temp\CabFB6F.tmp

        Filesize

        70KB

        MD5

        49aebf8cbd62d92ac215b2923fb1b9f5

        SHA1

        1723be06719828dda65ad804298d0431f6aff976

        SHA256

        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

        SHA512

        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      • C:\Users\Admin\AppData\Local\Temp\Videos\external_ip.crypt154

        Filesize

        14B

        MD5

        e3eb2b4cff0d56624daa49116976aeb4

        SHA1

        234db53081db6fc733d22a896f6dac5068eb066a

        SHA256

        3b9efd080931e6b2d3b89e8dcd2655792329a41c4699ffade4b48288bfdb0ffd

        SHA512

        ab0ce3a7301fe64594408380f5d55c8ebf24b0c94527fd2b29ff83bb2a10ab57be5a9de4ef56f532b0002e921c74cae14db0cc0f86d79e49d9d14f073d65d12d

      • F:\$RECYCLE.BIN\READ_NOTE.html

        Filesize

        3KB

        MD5

        920a62e9adb67ce67ec7d36c0431e885

        SHA1

        8fbc246b07824ef5a4266f3bd1a14846f203573d

        SHA256

        bf7fe67bc837f33e8cab429a370f293d73cc44925d7717370808d3ed9ee30eba

        SHA512

        b33b2f7b042cc8a46a217ca03193f772d19308d5706401e7f45d87aec7c91c20bf34a999f1de8b37b545757c3a185088f94fb79d5e4fa9640d69e391063f19f3