Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250217-en
  • resource tags

    arch:x64
    arch:x86
    image:win10ltsc2021-20250217-en
    locale:en-us
    os:windows10-ltsc 2021-x64
    system
  • submitted
    06/03/2025, 23:17

General

  • Target

    f78a743813ab1d4eee378990f3472628ed61532e899503cc9371423307de3d8b.exe

    Note that the SHA256-shaped value in the submitted filename differs from the SHA256 computed for this file (listed below); use the computed hashes, not the filename, as the sample's identifiers.

  • Size

    192KB

  • MD5

    59440276b249b38e5ad536f4a3ca922e

  • SHA1

    db67605a431ee34e7c9f901c90eaa57b4505b7ba

  • SHA256

    e62543f0558ee275d799b6f9d9369b442a300814b7c147eac65d639476910eb3

  • SHA512

    a3bd20139e61a6dbcde863bf39f69bb3b19293174ea63e5eb2edeb3f1e317629f85fe1fe1d2088b50b6ef6294806e3ec886c5b6d952ba985f107fdfbf364435a

  • SSDEEP

    3072:q75DzyLgv8vT6nRc24odbkDXFwzIc3jiptvwF:mDjv8v44o+X3pWF
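The hashes above are the only reliable identifiers for the sample, and the filename's SHA256-shaped prefix does not match them. The following is an added example (not part of the sandbox report, not the analysis platform's own code) that recomputes a file's digests, compares them with the report's values, and flags a filename that looks like a digest but does not match the file. The file bytes it hashes are constructed stand-ins, so every report comparison is expected to fail; on the real sample the name check would report the same mismatch the page shows.

```python
"""Added example (not part of the sandbox report): recompute a sample's hashes,
compare them with the values a report lists, and flag a filename that is itself
a hex digest but not this file's digest. The sample bytes below are constructed."""
import hashlib
import os
import re
import tempfile

# Identifiers copied from the report's General section.
REPORTED_NAME = "f78a743813ab1d4eee378990f3472628ed61532e899503cc9371423307de3d8b.exe"
REPORTED = {
    "md5": "59440276b249b38e5ad536f4a3ca922e",
    "sha1": "db67605a431ee34e7c9f901c90eaa57b4505b7ba",
    "sha256": "e62543f0558ee275d799b6f9d9369b442a300814b7c147eac65d639476910eb3",
}
# A bare MD5, SHA1 or SHA256 hex string, optionally followed by one extension.
HASH_IN_NAME = re.compile(
    r"^([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})(?:\.[A-Za-z0-9]+)?$"
)
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_file(path, algos=("md5", "sha1", "sha256", "sha512")):
    """Read the file once and feed every digest from the same chunks."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def name_vs_hash(filename, actual):
    """If the filename is a hex digest, say which algorithm it looks like and
    whether it matches the file's real digest of that algorithm; None otherwise."""
    m = HASH_IN_NAME.match(filename)
    if not m:
        return None
    claimed = m.group(1).lower()
    algo = ALGO_BY_LEN[len(claimed)]
    return {"algo": algo, "claimed": claimed, "matches": claimed == actual[algo]}


def verify(path, filename, reported):
    """Compare recomputed digests with the report and check the filename claim."""
    actual = hash_file(path)
    return {
        "actual": actual,
        "report_match": {a: actual[a] == v.lower() for a, v in reported.items()},
        "name_check": name_vs_hash(filename, actual),
    }


def demo():
    """Constructed stand-in for the sample: a file whose content we control,
    saved under the report's filename so the name check runs as it would on disk."""
    path = os.path.join(tempfile.mkdtemp(prefix="hashes-"), REPORTED_NAME)
    with open(path, "wb") as f:
        f.write(b"MZ constructed stand-in, not the real sample\n" * 64)
    return verify(path, REPORTED_NAME, REPORTED)


if __name__ == "__main__":
    result = demo()
    print(result["report_match"], result["name_check"])
```

Run `verify()` against the downloaded sample instead of `demo()` to confirm the page's hashes before trusting any other field of the report.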

Malware Config

Extracted

Path

C:\Users\read_me.txt

Family

deathransom

Ransom Note
--= DEATHRANSOM =---

***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****

All your files, documents, photos, databases and other important files are encrypted.
You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key.
Only we can give you this key and only we can recover your files.

To be sure we have the decryptor and it works you can send an email [email protected] and decrypt one file for free.
But this file should be of not valuable!

Do you really want to restore your files?
Write to email [email protected] [email protected]

Your LOCK-ID: 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

>>>How to obtain bitcoin:
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/

>>> Free decryption as guarantee!
Before paying you send us up to 1 file for free decryption.
We recommeded to send pictures, text files, sheets, etc. (files no more than 1mb)

IN ORDER TO PREVENT DATA DAMAGE:
1. Do not rename encrypted files.
2. Do not try to decrypt your data using third party software, it may cause permanent data loss.
3. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • DeathRansom

    Ransomware family first seen at the start of 2020. Initial versions did not actually encrypt files.

  • Deathransom family
  • Renames multiple (130) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops desktop.ini file(s) (23 IoCs)
  • Enumerates connected drives (3 TTPs, 1 IoC)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (4 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
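The Malware Config section (a `read_me.txt` note dropped under `C:\Users`) and the "renames multiple files with added filename extension" signature are the two host-side signals a responder can reproduce without the sandbox. The following is an added triage example (not part of the report, not DeathRansom's own code) that walks a directory tree, finds ransom notes by name, extracts the contact addresses and lock id from them, and tallies files that carry an extra trailing extension, the same heuristic the sandbox signature encodes. The note text, file names, contact address and the `.locked` extension are constructed for the example; the report does not state which extension this sample appends, and the LOCK-ID on the page is redacted.

```python
"""Added triage example (not part of the sandbox report, not DeathRansom's own
code): locate ransom notes, pull contact IOCs out of them, and reproduce the
"renames multiple files with added extension" heuristic over a directory tree.
The note text, file names and the .locked extension below are constructed for
the example; the report does not state which extension this sample appends."""
import os
import re
import tempfile
from collections import Counter

NOTE_NAME = "read_me.txt"            # path reported under Malware Config
FAMILY_MARKER = "DEATHRANSOM"        # banner at the top of the reported note
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
LOCK_RE = re.compile(r"LOCK-ID:\s*(\S+)")

# Constructed note: same shape as the report's note, with a placeholder
# contact address and lock id so the example runs offline.
SAMPLE_NOTE = """--= DEATHRANSOM =---
All your files, documents, photos, databases and other important files are encrypted.
Write to email victim-support@example.invalid
Your LOCK-ID: CONSTRUCTED-LOCK-0001
"""


def parse_note(text):
    """Extract the family banner, contact addresses and lock id from a note."""
    m = LOCK_RE.search(text)
    return {
        "family": FAMILY_MARKER.lower() if FAMILY_MARKER in text else None,
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "lock_id": m.group(1) if m else None,
    }


def find_notes(root, name=NOTE_NAME):
    """Return every ransom note under root, parsed, with its path."""
    found = []
    for dirpath, _, files in os.walk(root):
        if name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                found.append({"path": path, **parse_note(f.read())})
    return found


def added_extension_tally(root):
    """Count files shaped like <name>.<orig-ext>.<appended-ext>, the sandbox's
    'renames files with added filename extension' signal. Files with a single
    extension or none (desktop.ini, read_me.txt, notes.txt) are not counted,
    so a tree of ordinary documents scores zero."""
    tally = Counter()
    for _, _, files in os.walk(root):
        for name in files:
            parts = name.split(".")
            if len(parts) >= 3 and all(parts[-2:]):
                tally[parts[-1].lower()] += 1
    return tally


def triage(root, threshold=50):
    """Combine both signals; flag when one appended extension reaches threshold."""
    tally = added_extension_tally(root)
    top = tally.most_common(1)
    return {
        "notes": find_notes(root),
        "renamed": dict(tally),
        "mass_rename": top[0][0] if top and top[0][1] >= threshold else None,
    }


def demo(n_files=130):
    """Build a constructed victim tree (130 renamed files, as in the report) and triage it."""
    root = tempfile.mkdtemp(prefix="triage-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(root, NOTE_NAME), "w", encoding="utf-8") as f:
        f.write(SAMPLE_NOTE)
    for i in range(n_files):
        open(os.path.join(docs, f"report{i}.docx.locked"), "wb").close()
    open(os.path.join(docs, "untouched.txt"), "wb").close()   # single extension, ignored
    open(os.path.join(docs, "desktop.ini"), "wb").close()     # dropped by the sample, ignored
    return triage(root)


if __name__ == "__main__":
    print(demo())
```

Point `triage()` at a mounted victim volume rather than `demo()`; the threshold is deliberately lower than the 130 renames the sandbox saw so that a partially encrypted share still trips it.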

Processes

  • C:\Users\Admin\AppData\Local\Temp\f78a743813ab1d4eee378990f3472628ed61532e899503cc9371423307de3d8b.exe
    "C:\Users\Admin\AppData\Local\Temp\f78a743813ab1d4eee378990f3472628ed61532e899503cc9371423307de3d8b.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    PID:3236
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 708
      2⤵
      • Program crash
      PID:4764
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 776
      2⤵
      • Program crash
      PID:5084
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 1040
      2⤵
      • Program crash
      PID:3920
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 1108
      2⤵
      • Program crash
      PID:4944
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3236 -ip 3236
    1⤵
    PID:2128
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3236 -ip 3236
    1⤵
    PID:1964
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3236 -ip 3236
    1⤵
    PID:1680
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3236 -ip 3236
    1⤵
    PID:4496

  The four -pss WerFault instances are listed at the top level rather than under PID 3236, but their -p/-ip arguments name that same process, so all eight WerFault launches belong to the sample's four crashes.
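Reading the tree above requires tying each WerFault.exe launch back to the process it was started for, whether or not it appears as a child of that process. The following is an added example (not part of the sandbox report, not the platform's own code) that parses the report's command lines and groups the crash reporters (`-u -p <pid> -s <handle>`) and the `-pss` helpers (`-pss -s <handle> -p <pid> -ip <pid>`) by target PID. The command lines are copied from the report; the parsing and the mode names are mine.

```python
"""Added example (not part of the sandbox report): group WerFault.exe launches
in a process listing by the PID they were started for, so crash helpers shown
at top level are still attributed to the crashing process. Command lines are
copied from the report's Processes section; the parsing is added here."""
import re
from collections import defaultdict

SAMPLE_IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
                r"\f78a743813ab1d4eee378990f3472628ed61532e899503cc9371423307de3d8b.exe")

# PID -> command line, as listed on the page.
PROCESSES = {
    3236: SAMPLE_IMAGE,
    4764: r"C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 708",
    5084: r"C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 776",
    3920: r"C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 1040",
    4944: r"C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 1108",
    2128: r"C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3236 -ip 3236",
    1964: r"C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3236 -ip 3236",
    1680: r"C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3236 -ip 3236",
    4496: r"C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3236 -ip 3236",
}

WERFAULT_RE = re.compile(r"WerFault\.exe\s+(?P<args>.*)$", re.I)


def parse_werfault(cmdline):
    """Return (mode, target_pid) for a WerFault command line, else None.
    mode is 'report' for the '-u -p <pid> -s <handle>' shape and 'snapshot'
    for the '-pss -s <handle> -p <pid> -ip <pid>' shape; both occur above."""
    m = WERFAULT_RE.search(cmdline)
    if not m:
        return None
    args = m.group("args").split()
    opts, i = {}, 0
    while i < len(args):                      # "-flag value" or bare "-flag"
        if args[i].startswith("-") and i + 1 < len(args) and not args[i + 1].startswith("-"):
            opts[args[i]] = args[i + 1]
            i += 2
        else:
            opts[args[i]] = True
            i += 1
    if "-p" not in opts or not str(opts["-p"]).isdigit():
        return None
    mode = "snapshot" if "-pss" in opts else "report" if "-u" in opts else "other"
    return mode, int(opts["-p"])


def crash_summary(processes):
    """Map each crashed PID -> counts per WerFault mode plus the crashed image."""
    summary = defaultdict(lambda: {"report": 0, "snapshot": 0, "other": 0, "image": None})
    for _, cmd in processes.items():
        parsed = parse_werfault(cmd)
        if parsed:
            mode, target = parsed
            summary[target][mode] += 1
            summary[target]["image"] = processes.get(target)
    return dict(summary)


if __name__ == "__main__":
    for pid, info in crash_summary(PROCESSES).items():
        print(pid, info)
```

Four `report` launches for PID 3236 match the "Program crash (4 IoCs)" signature; the `snapshot` count is the same four crashes seen from the other side, not additional faults.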

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\read_me.txt

    Filesize

    2KB

    MD5

    9ec44b42c6e6f1b0f46cf86c00a737f7

    SHA1

    12234609099a80e2ad4c119bca3443681e305994

    SHA256

    935314105ceef28537308028e3810138aadb3368c6316acf0d51e9a5c85e477c

    SHA512

    4bd18ca38851eeef521738e02f2791eaccf1ae97bf5b772d811e1ff13c4275c20fdc34302b4256b4d8ef9f441ff6a02d8cd60fd5994ce920951dcc1bddb97bc4

  • memory/3236-1-0x0000000003740000-0x0000000003840000-memory.dmp

    Filesize

    1024KB

  • memory/3236-2-0x00000000001E0000-0x00000000001EF000-memory.dmp

    Filesize

    60KB

  • memory/3236-3-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/3236-4-0x0000000003740000-0x0000000003840000-memory.dmp

    Filesize

    1024KB

  • memory/3236-5-0x00000000001E0000-0x00000000001EF000-memory.dmp

    Filesize

    60KB

  • memory/3236-6-0x0000000000400000-0x0000000003585000-memory.dmp

    Filesize

    49.5MB

  • memory/3236-7-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/3236-101-0x0000000000400000-0x0000000003585000-memory.dmp

    Filesize

    49.5MB

  • memory/3236-102-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB