Analysis

  • max time kernel
    105s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/03/2025, 14:33

General

  • Target

    86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17.exe

  • Size

    1.4MB

  • MD5

    5c254d25751269892b6f02d6c6384aef

  • SHA1

    79106dd259ba5343202c2f669a0a61b10adfadff

  • SHA256

    86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17

  • SHA512

    ebde8f69487bf89570169fad50b494afb8859caf309bc6dde05979881100daebbcd38873277dc45f0108715f70418b3c9364909ec5a8bcb0ec2faac815a2f11e

  • SSDEEP

    24576:lVN4zWHoN+fFqqPuD6Iedm2q3QKtgNIGqvKD9McwPDCkw6Bh0lhSMXlemqth5yR1:Fo5+fFqgdh02q3ntgNLqw9nwPDC7bODU

Malware Config

Extracted

Path

C:\ProgramData\Adobe\README.txt

Ransom Note

--= No news is a good news ! =--
Your network has been breached and all your files Personal data, financial reports and important documents has been stolen , encrypted and ready to publish to public, if you willing to continue your bussines and make more money and keep bussines secret safe you need to restore your files first, And to restore all your files you have to pay the ransom in Bitcoin.
don't bother your self and wast your time or make it more harder on your bussines , we developed a locker that can't be decrypted using third part decrypters . making your self geek and trying to restore the files with third part decrypter this will leads to lose all your date ! and then the even you pay the ransom can't help you to restore your files even us.
to chat with us :
1 - Download tor browser https://www.torproject.org/download/
2 - go to one of these links above
http://vanhelcbxqt4tqie6fuevfng2bsdtxgc7xslo2yo7nitaacdfrlpxnqd.onion
http://vanhelqmjstkvlhrjwzgjzpq422iku6wlggiz5y5r3rmfdeiaj3ljaid.onion
http://vanhelsokskrlaacilyfmtuqqa5haikubsjaokw47f3pt3uoivh6cgad.onion
http://vanheltarnbfjhuvggbncniap56dscnzz5yf6yjmxqivqmb5r2gmllad.onion
3 - you will be asked for your ticket id to enter the chat this for you :
TICKET ID 77565753618715415149
usefull links :
#OUR TOR BLOG :
http://vanhelvuuo4k3xsiq626zkqvp6kobc2abry5wowxqysibmqs5yjh4uqd.onion
http://vanhelwmbf2bwzw7gmseg36qqm4ekc5uuhqbsew4eihzcahyq7sukzad.onion
http://vanhelxjo52qr2ixcmtjayqqrcodkuh36n7uq7q7xj23ggotyr3y72yd.onion
URLs

http://vanhelcbxqt4tqie6fuevfng2bsdtxgc7xslo2yo7nitaacdfrlpxnqd.onion

http://vanhelqmjstkvlhrjwzgjzpq422iku6wlggiz5y5r3rmfdeiaj3ljaid.onion

http://vanhelsokskrlaacilyfmtuqqa5haikubsjaokw47f3pt3uoivh6cgad.onion

http://vanheltarnbfjhuvggbncniap56dscnzz5yf6yjmxqivqmb5r2gmllad.onion

http://vanhelvuuo4k3xsiq626zkqvp6kobc2abry5wowxqysibmqs5yjh4uqd.onion

http://vanhelwmbf2bwzw7gmseg36qqm4ekc5uuhqbsew4eihzcahyq7sukzad.onion

http://vanhelxjo52qr2ixcmtjayqqrcodkuh36n7uq7q7xj23ggotyr3y72yd.onion
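
The URL list above is what a config extractor pulls out of the note. The following is an added example, not code from the sandbox or from the malware: NOTE is the note text copied verbatim from the Malware Config section, while the regexes, the chat/blog role split (keyed on the note's own "#OUR TOR BLOG" separator) and the indicator rows are my own and assume only what the note itself contains.

```python
"""Extract indicators from the ransom note the sandbox pulled from disk.

Added example, not code from the sandbox report or from the malware.
NOTE is copied verbatim from the report; the extraction logic is my own.
"""
import re
from typing import Dict, List, Optional

# Tor v3 onion addresses are 56 base32 chars; the retired v2 format was 16.
ONION_URL = re.compile(r"https?://[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
TICKET_ID = re.compile(r"\bTICKET\s+ID\s+(\d{6,})\b", re.IGNORECASE)
# The note's own separator: negotiation portals precede it, leak-blog mirrors follow it.
BLOG_MARKER = "#OUR TOR BLOG"

NOTE = """--= No news is a good news ! =--
Your network has been breached and all your files Personal data, financial reports and important documents has been stolen , encrypted and ready to publish to public, if you willing to continue your bussines and make more money and keep bussines secret safe you need to restore your files first, And to restore all your files you have to pay the ransom in Bitcoin.
don't bother your self and wast your time or make it more harder on your bussines , we developed a locker that can't be decrypted using third part decrypters . making your self geek and trying to restore the files with third part decrypter this will leads to lose all your date ! and then the even you pay the ransom can't help you to restore your files even us.
to chat with us :
1 - Download tor browser https://www.torproject.org/download/
2 - go to one of these links above
http://vanhelcbxqt4tqie6fuevfng2bsdtxgc7xslo2yo7nitaacdfrlpxnqd.onion
http://vanhelqmjstkvlhrjwzgjzpq422iku6wlggiz5y5r3rmfdeiaj3ljaid.onion
http://vanhelsokskrlaacilyfmtuqqa5haikubsjaokw47f3pt3uoivh6cgad.onion
http://vanheltarnbfjhuvggbncniap56dscnzz5yf6yjmxqivqmb5r2gmllad.onion
3 - you will be asked for your ticket id to enter the chat this for you :
TICKET ID 77565753618715415149
usefull links :
#OUR TOR BLOG :
http://vanhelvuuo4k3xsiq626zkqvp6kobc2abry5wowxqysibmqs5yjh4uqd.onion
http://vanhelwmbf2bwzw7gmseg36qqm4ekc5uuhqbsew4eihzcahyq7sukzad.onion
http://vanhelxjo52qr2ixcmtjayqqrcodkuh36n7uq7q7xj23ggotyr3y72yd.onion
"""


def extract_onion_urls(note: str) -> List[str]:
    """Unique .onion URLs in first-seen order, lowercased so they compare cleanly."""
    seen: Dict[str, None] = {}
    for m in ONION_URL.finditer(note):
        seen.setdefault(m.group(0).lower(), None)
    return list(seen)


def extract_ticket_id(note: str) -> Optional[str]:
    """The per-victim login token the note tells the victim to paste into the chat."""
    m = TICKET_ID.search(note)
    return m.group(1) if m else None


def split_by_purpose(note: str) -> Dict[str, List[str]]:
    """Chat portals sit before the note's blog marker, leak-blog mirrors after it."""
    head, sep, tail = note.partition(BLOG_MARKER)
    return {"chat": extract_onion_urls(head), "blog": extract_onion_urls(tail) if sep else []}


def to_indicators(note: str) -> List[dict]:
    """Flatten everything into rows a SIEM or TIP can ingest, one indicator per row."""
    rows = []
    for role, urls in split_by_purpose(note).items():
        for url in urls:
            rows.append({"type": "url", "value": url, "role": role, "source": "ransom_note"})
    ticket = extract_ticket_id(note)
    if ticket:
        rows.append({"type": "victim_id", "value": ticket, "role": "chat_login", "source": "ransom_note"})
    return rows


if __name__ == "__main__":
    for row in to_indicators(NOTE):
        print(row)
```

The campaign-level indicators are the seven onion services; the ticket ID is victim-specific and identifies this one infection, so treat it as a case identifier rather than something to block. Onion addresses never appear in DNS, so the useful hunting pivots from this note are the dropped file path (C:\ProgramData\Adobe\README.txt), its hashes listed under Downloads, and the Tor Browser download URL the note points victims to.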

Signatures

  • Renames multiple (263) files with added filename extension

    Renaming 263 files by appending an extension is consistent with bulk file encryption by ransomware.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the victim system's language in order to infer the geographical location of that host.

  • Modifies registry class 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service manages backups/snapshots. Together with the WMIC "shadowcopy ... delete" command in the process tree below, which targets a single shadow copy by its ID, this indicates the sample enumerates existing shadow copies through the VSS COM interface and deletes them to hinder recovery of the encrypted files.

Processes

  • C:\Users\Admin\AppData\Local\Temp\86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17.exe
    "C:\Users\Admin\AppData\Local\Temp\86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:528
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D733FEE7-3394-450A-B737-1B4D1F617D4E}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D733FEE7-3394-450A-B737-1B4D1F617D4E}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4792
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2736
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:5084
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New folder\README.txt
    1⤵
    PID:4128
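
The process tree above is the part of this report worth turning into a detection: the sample (PID 528) spawns cmd.exe (PID 2900), which spawns WMIC.exe (PID 4792) to delete a shadow copy by ID. The block below is an added example, not part of the sandbox report; the events are constructed to mirror that chain (parent PID 4100 and the two benign negatives are invented), and the vssadmin/wbadmin patterns generalize beyond the WMIC command the report shows to the other common ways of inhibiting system recovery.

```python
"""Flag shadow-copy deletion and walk the parent chain back to the launcher.

Added example, not part of the sandbox report. EVENTS mirrors the report's
process tree (528 -> 2900 -> 4792); PID 4100 and PIDs 3000/3100/3200 are
constructed. The vssadmin and wbadmin rules are my generalization.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record, as a Sysmon EID 1 or EDR event would carry."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\86d812544f8e250f1b52a4372aaab87565928d364471d115d669a8cc7ec50e17.exe"
# Command line copied from the report: one shadow copy, addressed by its ID.
WMIC_DELETE = r'''C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D733FEE7-3394-450A-B737-1B4D1F617D4E}'" delete'''

EVENTS = [
    ProcEvent(528, 4100, SAMPLE, f'"{SAMPLE}"'),                                      # parent 4100: constructed
    ProcEvent(2900, 528, r"C:\Windows\SYSTEM32\cmd.exe", "cmd.exe /c " + WMIC_DELETE),
    ProcEvent(4792, 2900, r"C:\Windows\System32\wbem\WMIC.exe", WMIC_DELETE),
    # Constructed negatives: an inventory query and a read-only listing.
    ProcEvent(3100, 3000, r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get Caption,Version"),
    ProcEvent(3200, 3000, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
]

# Recovery-inhibition command lines (ATT&CK T1490). Order-insensitive on purpose:
# operators and malware alike vary the argument order and casing.
RULES = [
    ("wmic shadowcopy delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wbadmin delete catalog", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]


def ancestry(by_pid: Dict[int, ProcEvent], pid: int, max_depth: int = 32) -> List[ProcEvent]:
    """Walk parent links; returns [root, ..., pid]. Stops at an unknown parent or at max_depth."""
    chain: List[ProcEvent] = []
    ev = by_pid.get(pid)
    while ev is not None and len(chain) < max_depth:
        chain.append(ev)
        ev = by_pid.get(ev.ppid)
    return list(reversed(chain))


def find_shadow_deletion(events: List[ProcEvent]) -> List[dict]:
    """One finding per matching process, with the launcher chain for triage."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev.cmdline):
                chain = ancestry(by_pid, ev.pid)
                findings.append({
                    "pid": ev.pid,
                    "rule": name,
                    "root_image": chain[0].image,
                    "chain": " -> ".join(e.image.rsplit("\\", 1)[-1] for e in chain),
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_shadow_deletion(EVENTS):
        print(f"PID {f['pid']}: {f['rule']} via {f['chain']}")
```

Two points follow from the report itself. The cmd.exe wrapper carries the same command line as the WMIC child, so both fire; deduplicate on the chain root (here the sample in the user's Temp directory) rather than on the PID. And because the malware deletes by GUID after enumerating shadow copies over the VSS COM API, a rule that keys on `/all`, `/quiet` or `delete shadows` alone will miss this variant; matching `shadowcopy` together with `delete` on the WMIC command line is the robust check.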

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\Adobe\README.txt

  • Filesize

    1KB

  • MD5

    bf400c4bae262d443ea6641b42de65bd

  • SHA1

    c93508d3922d39d197f71b0d2ab5bf6e139fd3f2

  • SHA256

    e81f7ebffbcdcd6abfb37225682f8355728f743b2b9e7eecf59db6f0a92f8db5

  • SHA512

    3e80539426999b0f8616a3fbaea10954811f2ab91bceb011bbb816e9485104cd4db659d9adf9f533572fa36b046f43a1cab45a1fb77813d9d9f10c9959435eec