Overview

overview

10

Static

static

7

1ee39f6cd5...64.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250217-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    06/03/2025, 21:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ee39f6cd500940ad97c444778dc717361e01ce5579a28d761aedae86e85af64.exe

  • Size

    5.7MB

  • MD5

    e3204b2e61223989b1562f5dee40eee0

  • SHA1

    7bd50a3b0e3f9b4a543f750869ca3ee29b4798e1

  • SHA256

    1ee39f6cd500940ad97c444778dc717361e01ce5579a28d761aedae86e85af64

  • SHA512

    19df0eb4c803e6eeb41abb1fb425f4d9cd6e4262aaeb8bbf7eb959a30f3db2533fd6aed13e055a9781371e9de37de4212d80a32862798368e5dd798763012bc4

  • SSDEEP

    98304:Um4trkO7w2JiJSBdUIVLoEricI7vwE77YFHIRM78PyYgh9TU8NVDa1zyWvq:GZRBhLmwbMM78qtYgVO9yj

Score
10/10
deathransomdiscoveryransomwarevmprotect

Malware Config

Extracted

Path

C:\Users\Admin\3D Objects\read_me.txt

Family

deathransom

Ransom Note
--= DEATHRANSOM =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email [email protected] [email protected] Your LOCK-ID: csKeNHUIX5ACyoQlk8mu3dAIc8dvdB1gQmqGfnQEa3pKnR+tyDwft4IpPjDAhT4qBW5Z9xAxyIK1kpy8UuO4GfbfUWS+K1slYl2lgaT9enSMbaFu6jEuN/wMwH9WBwUkFULnaaty/ynofoXSckfmRbx73TumoH9xjdOE2n8eX6/VBfgnTVhtOdUNBEgVCVqsIbJHy8uKiXC8zLRDLSRCnBlTHFOjGfLti1dBNhsJqcvWeKDrWiakbDFFQ91kQgRP4Fu4DTR97XzGs3/+8UAiMvrFkr3gZrORoVewHYdxrlFjHnSwvBH5sBiTYZn/Ce8ZEZ+OFv4oXauJ5L8gzx/iszQPKeezWW1SyTJ97cbcMQb3V+sChpTMqVjMayNID9Ahd2zxN+blGsX6MTGj6mqOaDTcLxJi0QkJrsQ0rW1Eh9k2FzkR4uZhVOWTrbq7e07wRc2czKRT0xdTIL9EmJY8ykM1U0wleUL9ECny2OjLxU41WTZcrcUDsUK2ZU+ozlL1DhialxtYC8jpVs5tjkgxQz7yPLPk4vDodBiBRJ+zwFHVHYNSJ5oUBA9/BhVHTe4hQyqTuRHiA2SZcrvrrI/P4tfkKAjwowJ+H60zxr/nGAm54pdvCXOZdTSYwAvKjaBK1orSdbyBv8uxowZoa6Dp9T/3j7k0ShX+zNnUkOoYIVwdnDcXrgIQgBzNo/9NMskFwUc31BcK3xEFazvGz7Y4EQ== >>>How to obtain bitcoin: The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ >>> Free decryption as guarantee! Before paying you send us up to 1 file for free decryption. We recommeded to send pictures, text files, sheets, etc. (files no more than 1mb) IN ORDER TO PREVENT DATA DAMAGE: 1. Do not rename encrypted files. 2. Do not try to decrypt your data using third party software, it may cause permanent data loss. 3. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • DeathRansom

    Ransomware family first seen at the start of 2020. Initial versions did not actually encrypt files.

    ransomwaredeathransom
  • Deathransom family
    deathransom
  • Renames multiple (171) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Drops desktop.ini file(s) 23 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ee39f6cd500940ad97c444778dc717361e01ce5579a28d761aedae86e85af64.exe
    "C:\Users\Admin\AppData\Local\Temp\1ee39f6cd500940ad97c444778dc717361e01ce5579a28d761aedae86e85af64.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:392

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\3D Objects\read_me.txt
    Filesize

    2KB

    MD5

    1565f4efa19ff58535601c06203345d8

    SHA1

    f5679711b309efef4125f285cb9c2f0dab90cf38

    SHA256

    79e6a04df9ec1eee0ca26756cad7fc6d76e155b753318e1cdd55c60c0845d21c

    SHA512

    df77a2c9ab3600349528f30ea76b1c7339ca224637a9b37ed79597f3ae110cae4c34fbe3fc5e866c757f77ef8cbc4c1af3bf1a2af274585850621527cd23d1e7

    Download Submit

  • memory/392-0-0x0000000000700000-0x0000000000A3E000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/392-1-0x0000000000D70000-0x0000000000D71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/392-2-0x0000000000D80000-0x0000000000D81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/392-4-0x00000000006F0000-0x0000000000CAC000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/392-5-0x0000000000700000-0x0000000000A3E000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/392-6-0x00000000006F0000-0x0000000000CAC000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/392-103-0x0000000000700000-0x0000000000A3E000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/392-104-0x00000000006F0000-0x0000000000CAC000-memory.dmp

    Filesize

    5.7MB

    Download