Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20250207-en -
resource tags
-
submitted
17/03/2025, 14:33
General
-
Target
86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17.exe
-
Size
1.4MB
-
MD5
5c254d25751269892b6f02d6c6384aef
-
SHA1
79106dd259ba5343202c2f669a0a61b10adfadff
-
SHA256
86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17
-
SHA512
ebde8f69487bf89570169fad50b494afb8859caf309bc6dde05979881100daebbcd38873277dc45f0108715f70418b3c9364909ec5a8bcb0ec2faac815a2f11e
-
SSDEEP
24576:lVN4zWHoN+fFqqPuD6Iedm2q3QKtgNIGqvKD9McwPDCkw6Bh0lhSMXlemqth5yR1:Fo5+fFqgdh02q3ntgNLqw9nwPDC7bODU
Score
10/10
Malware Config
Extracted
Path
C:\ProgramData\Adobe\Acrobat\9.0\README.txt
Ransom Note
--= No news is a good news ! =--
Your network has been breached and all your files Personal data, financial reports and important documents has been stolen , encrypted and ready to publish to public,
if you willing to continue your bussines and make more money and keep bussines secret safe you need to restore your files first, And to restore all your files you have to pay the ransom in Bitcoin.
don't bother your self and wast your time or make it more harder on your bussines , we developed a locker that can't be decrypted using third part decrypters .
making your self geek and trying to restore the files with third part decrypter this will leads to lose all your date ! and then the even you pay the ransom can't help you to restore your files even us.
to chat with us :
1 - Download tor browser https://www.torproject.org/download/
2 - go to one of these links above
http://vanhelcbxqt4tqie6fuevfng2bsdtxgc7xslo2yo7nitaacdfrlpxnqd.onion
http://vanhelqmjstkvlhrjwzgjzpq422iku6wlggiz5y5r3rmfdeiaj3ljaid.onion
http://vanhelsokskrlaacilyfmtuqqa5haikubsjaokw47f3pt3uoivh6cgad.onion
http://vanheltarnbfjhuvggbncniap56dscnzz5yf6yjmxqivqmb5r2gmllad.onion
3 - you will be asked for your ticket id to enter the chat this for you : TICKET ID 77565753618715415149
usefull links :
#OUR TOR BLOG :
http://vanhelvuuo4k3xsiq626zkqvp6kobc2abry5wowxqysibmqs5yjh4uqd.onion
http://vanhelwmbf2bwzw7gmseg36qqm4ekc5uuhqbsew4eihzcahyq7sukzad.onion
http://vanhelxjo52qr2ixcmtjayqqrcodkuh36n7uq7q7xj23ggotyr3y72yd.onion
URLs
http://vanhelcbxqt4tqie6fuevfng2bsdtxgc7xslo2yo7nitaacdfrlpxnqd.onion
http://vanhelqmjstkvlhrjwzgjzpq422iku6wlggiz5y5r3rmfdeiaj3ljaid.onion
http://vanhelsokskrlaacilyfmtuqqa5haikubsjaokw47f3pt3uoivh6cgad.onion
http://vanheltarnbfjhuvggbncniap56dscnzz5yf6yjmxqivqmb5r2gmllad.onion
http://vanhelvuuo4k3xsiq626zkqvp6kobc2abry5wowxqysibmqs5yjh4uqd.onion
http://vanhelwmbf2bwzw7gmseg36qqm4ekc5uuhqbsew4eihzcahyq7sukzad.onion
http://vanhelxjo52qr2ixcmtjayqqrcodkuh36n7uq7q7xj23ggotyr3y72yd.onion
Signatures
-
Renames multiple (225) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 4 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17.exe"C:\Users\Admin\AppData\Local\Temp\86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17.exe"1⤵
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9F5F91E-EA4A-412E-8696-B8B7D2A33563}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A9F5F91E-EA4A-412E-8696-B8B7D2A33563}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B1EACD82-7A7E-448E-95A1-74C24B2DA4D6}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B1EACD82-7A7E-448E-95A1-74C24B2DA4D6}'" delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{22568444-769D-4872-85FE-B7E5E7AD3999}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{22568444-769D-4872-85FE-B7E5E7AD3999}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{51968473-E459-4D67-8359-4C0426F715EB}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{51968473-E459-4D67-8359-4C0426F715EB}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A66DE442-604E-4BAE-BC54-C537A0E03EF1}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A66DE442-604E-4BAE-BC54-C537A0E03EF1}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1B31EE54-A3E4-48E7-AAD2-18FA821AE71A}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1B31EE54-A3E4-48E7-AAD2-18FA821AE71A}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8E7F1856-32DB-4A0D-9C94-3719D4D1F5EA}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8E7F1856-32DB-4A0D-9C94-3719D4D1F5EA}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E8FE875-9ABE-4D2C-9D02-4A1A27409E53}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{6E8FE875-9ABE-4D2C-9D02-4A1A27409E53}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B61F5A0E-4F7C-4663-A1ED-27FA72E634D2}'" delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B61F5A0E-4F7C-4663-A1ED-27FA72E634D2}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{549F9041-BBAA-4351-AAF2-96883B38DCD0}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{549F9041-BBAA-4351-AAF2-96883B38DCD0}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9C831F77-D8A4-41BF-B1BB-AB610266D615}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9C831F77-D8A4-41BF-B1BB-AB610266D615}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{54AE64EA-5127-4216-90FA-4DF3665143F1}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{54AE64EA-5127-4216-90FA-4DF3665143F1}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0BEF8F6C-0C38-4AFB-BC8A-46035E9B7A63}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0BEF8F6C-0C38-4AFB-BC8A-46035E9B7A63}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7DD8FF8B-8A5F-43E3-84B7-53D46D596BD6}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7DD8FF8B-8A5F-43E3-84B7-53D46D596BD6}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{27D90FD6-2C7D-4550-A1E9-30FF53CD47C3}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{27D90FD6-2C7D-4550-A1E9-30FF53CD47C3}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8BD9F567-A226-49E6-9D43-B165A7AC8CA2}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8BD9F567-A226-49E6-9D43-B165A7AC8CA2}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E808634B-95C5-4CE9-958E-7810CAB6235D}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E808634B-95C5-4CE9-958E-7810CAB6235D}'" delete3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7066A177-4503-4ED2-876F-944C4103B719}'" delete2⤵
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7066A177-4503-4ED2-876F-944C4103B719}'" delete3⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Pictures\README.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Pictures\README.txt1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5bf400c4bae262d443ea6641b42de65bd
SHA1c93508d3922d39d197f71b0d2ab5bf6e139fd3f2
SHA256e81f7ebffbcdcd6abfb37225682f8355728f743b2b9e7eecf59db6f0a92f8db5
SHA5123e80539426999b0f8616a3fbaea10954811f2ab91bceb011bbb816e9485104cd4db659d9adf9f533572fa36b046f43a1cab45a1fb77813d9d9f10c9959435eec