Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/03/2025, 00:43

General

  • Target

    2025-03-20_88cd426be100a17756f2ff09fbb790bb_mailto.exe

  • Size

    69KB

  • MD5

    88cd426be100a17756f2ff09fbb790bb

  • SHA1

    339df90f848d5394fcf0d68d70e89a9c7852915e

  • SHA256

    e6385e24bf9a458a6e8040c0778c55d1db3f403a40ba800c124fe7851eb2c12b

  • SHA512

    faa9af7a3104c03a34672625a36404ddd6a1e6db68a5d7732c47c3f3e94885b9555fed268677bf7fe3d9579b84e66a2d3980df433507bf2d74dda04262a70066

  • SSDEEP

    1536:cuCWRxL7hbUiQfovePbUU+hhOZuIWiFp+ZfaBZebC33O+6wc:XCWf7VJQfmePbvkhOZu1iFBBZebC3o

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\29B4D4-Readme.txt

Ransom Note
Hello Cowan, Liebowitz & Latman, P.C. Your files are encrypted. All encrypted files for this computer has extension: .29b4d4 All data from your computers, servers including emails were uploaded. https://photos.app.goo.gl/LBMfnb3wZ9gp4uL58 You have 5 days to contact us and pay, otherwise all your data, personal information your clients and other confidentinal documents will be published and your clients will receive a link to the publication. -- Our encryption algorithms are very strong and your files are very well protected, the only way to get your files back is to cooperate with us and get the decrypter program. Do not try to recover your files without a decrypter program, you may damage them and then they will be impossible to recover. For us this is just business and to prove to you our seriousness, we will decrypt you one file for free. Just open our website, upload the encrypted file and get the decrypted file for free. To contact us, please go to the chat section on our website. -- Steps to get access on our website: 1.Download and install Tor-browser: https://torproject.org/ 2.Open our website in Tor-browser: pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion If the website is not available, open another one: rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion 3.Put your personal code in the input form: {code_29b4d4: Z3b1zfUrUzhC6YTd5AIb9Jm9acnvEweEVL/WWGl2tRq9cjRKJ5 c6qyBGkPrsb7avTqsbbr6xmst64u8qh9GS7TrtHJsWcWllB9s0 UjULSZaLbFH54tHz1/+/kx0vDuhUGbuPGC3CWZ5L7UWJkVfrBn Y+sIpZfzRLdBr+POSvFH2bgwfHJXCFXRVc02LfKvhdESszt2LW 3v/sBu1GZd/p730reXJfJRaNd1xTlA3MjKmBaMUx9FhEVyMzA8 7QxQg/VDN19jl11ZVTFv9TPMFUJVylFZsNrn0tyA==}
URLs

https://photos.app.goo.gl/LBMfnb3wZ9gp4uL58

http://pb36hu4spl6cyjdfhing7h3pw6dhpk32ifemawkujj4gp33ejzdq3did.onion

http://rnfdsgm6wb6j6su5txkekw4u4y47kp2eatvu7d6xhyn5cs4lt4pdrqqd.onion

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (7440) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-20_88cd426be100a17756f2ff09fbb790bb_mailto.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-20_88cd426be100a17756f2ff09fbb790bb_mailto.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\system32\vssadmin.exe
      C:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:2392
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe "C:\Users\Admin\Desktop\29B4D4-Readme.txt"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:8188
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\5CB.tmp.bat"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:6560
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /PID 2100
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5500
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4760

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MKWD_AssetId.H1W.29b4d4

    Filesize

    229KB

    MD5

    71c69fa5bd543e97ac61aa7adb0e9333

    SHA1

    9b9a991cf215693c96745ef50f14079a94a185f5

    SHA256

    a4dcd4fb5b5271d79a4b026ab2f18c4cde96fd5036372008279a7cfe2582a746

    SHA512

    af5996b4327004e69a2769ea91415c33f93d15e190a2f4ae764dfb92fe684e160d30f3cbdba894a30994e4f31eac4a316723979e3f93a7c40ec8e5a24315d0af

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MKWD_BestBet.H1W.29b4d4

    Filesize

    422KB

    MD5

    43a7b5b9eee95f157943f7d138f84696

    SHA1

    be10d85675c2c30ab5949e702799cd3d8b317ab6

    SHA256

    8d37e5c49095c115a5df828421f8a572fab4838620d203ac0d87de1b75e90573

    SHA512

    c1a3e687af6e108203540739a2ff04ee7ee00e75135548ba6be64f2eeae1d2eeeb156fbaa30e7ac1caf5d641ea4ae3029ff0ac6f55705a956bacea5c70ac8d8d

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MValidator.Lck.29b4d4

    Filesize

    284B

    MD5

    553965d0f3f5f6be21cf545bf88d63a0

    SHA1

    10b4012c8111400e0245d5c1acf032e96c6eb10c

    SHA256

    f0b48986f0ba77710e883877b4b94a6b254756e308c6e2b54d313c97a9714b7f

    SHA512

    9e6420ae10a8920657e8e74a23c86aeb4e2b2ea25af1a795c5dde7683746e65b2a67780ded8896a3a4eef75e70f82c998dad289dfffbd2d2d3f2637a31bb004c

  • C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\29B4D4-Readme.txt

    Filesize

    1KB

    MD5

    21ad963c552427ec66e17441f06b6544

    SHA1

    24e9ff74082ae268d41a5ffcb03cddae0f159d29

    SHA256

    1c832f52e97c6339db03e4f47159435c708b7f0d9266d713c3a6061677381b16

    SHA512

    b5a32744e4270ca50340f072d5e40c32db030c627f45641d2919db8ada4bf76676e6ffd369731dbfe550730695c3630fff82e8ed0094a3cc19962f9f526b204f

  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_3eb5ea8473594499407cacbd9887e2953d50fd80_cab_06f05994\Report.wer.29b4d4

    Filesize

    2KB

    MD5

    f7096f89d839d7ef15eb22a8cfe1f1bd

    SHA1

    0c0ab7487a1ee75e8658e5417fea5d37d6148ce1

    SHA256

    796133cdcf8d92976802304967fcda518464861672d765b58d36d856c4c95f4c

    SHA512

    e9376d75429c54f6e2616be8f603b496a38482ff2dc65326043bdabba1b95083d4465195649eec0330619131de784457c038ccb13d071ae38162551ad8529f54

  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_7e7688eac2ab845272f4daac96479e93e0f0a5_cab_07d033bc\DMI33AC.tmp.log.xml.29b4d4

    Filesize

    7KB

    MD5

    da740f84c8cb631afab490612797b9fc

    SHA1

    b7902941cff3f1a3cf1880bc17a216a3e2099358

    SHA256

    e853402664f91014019898c37ece54ee08b150119214f478e566d1935fa40fe2

    SHA512

    641fb440c0eb9a50b77b4cfd671d694de82e25f6ce2ab57fde0f873190cf4d84e9b49950b35851a0f5b6b769c57fcd489b0f9615d15ab50c5e42d0bdc1cee97f

  • C:\Users\Admin\AppData\Local\Temp\5CB.tmp.bat

    Filesize

    127B

    MD5

    2a328cf9f2dac54b9d7a7c2242e880ae

    SHA1

    475a706eb7eae446f59c636c62ec466800f9dd86

    SHA256

    6b5943cacc3826337e45a5e010c6b49f634e424e9bb16e244610954c967aaf73

    SHA512

    153a88167b13b4421c9bf62f9087d305661a230e3db8b893f647f4a1cbb500f92b257ba1984dd3ef6530c977d76784dea34912ba30ec3e8d9e199f6777517edd