Resubmissions

25/03/2025, 13:12

250325-qfl42aznw9 10

25/03/2025, 13:09

250325-qdtq4aznv6 10

25/03/2025, 13:05

250325-qbtcjszns3 10

25/03/2025, 13:01

250325-p9k86awxat 10

25/03/2025, 12:55

250325-p58tnawwe1 10

25/03/2025, 12:51

250325-p3txqazmt6 10

05/02/2025, 11:16

250205-ndjvsavrdm 10

16/07/2024, 08:54

240716-kt64gavakp 10

Analysis

  • max time kernel
    105s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/03/2025, 13:09

General

  • Target

    ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

  • Size

    52KB

  • MD5

    ba9210de03de945901f02792f7994871

  • SHA1

    20c4569cbb6f2650b02f6a5257faa8a8dfb298bd

  • SHA256

    ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d

  • SHA512

    277d26eea627b3da26664aaa4f72a7b79cd50311e45c59333563b4f58b76e6562cbaa1d55127c69d0830864721efa890fa824e1be381cca5e84bddc98f2b44d0

  • SSDEEP

    1536:EJJRZQJes5b0k5bbyu6hXOKJrkH6sNNW:oJRa4kLmNVOKJIasNE

Malware Config

Extracted

Path

C:\Program Files\README_9993492.txt

Ransom Note
Hello! All your files have been encrypted... Your personal Id: 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 To decrypt your files, write to email: [email protected] or [email protected] In the letter, send your personal Id and 2 small encrypted files for trial decryption. If you dont get answer from [email protected] or [email protected] in 72 hours, you need to install tor browser, you can download it here: https://www.torproject.org/download/download.html.en After installation, open the tor browser to website: http://t5vj34iny72dpdu4.onion and follow the instructions. Do not try restore files without our help, this is useless, and can destroy you data permanetly. However, the files can be recovered even after the removal of our program and even after reinstalling the operating system. Download the decoding video here: https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi
URLs

http://t5vj34iny72dpdu4.onion

https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 25 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
    "C:\Users\Admin\AppData\Local\Temp\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5848
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4816
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe /set {default} recoveryenabled no
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:3660
      • C:\Windows\system32\bcdedit.exe
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Modifies boot configuration data using bcdedit
        PID:4376
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Windows\system32\PING.EXE
        ping -n 1 -w 5000 10.10.254.254
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5504
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:6116

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\README_9993492.txt

    Filesize

    1KB

    MD5

    3e613e26e223d5f8430e7614462b3cbe

    SHA1

    db75725276c17613d0c376437f63f8008e451b5c

    SHA256

    94411c8bfa95a6cd7da30f1cf7705f482e95d90821eaa428b28e77943fb3f250

    SHA512

    cef6de4c1cbea9828a6071378b854d21aac0ca361e1f1a6a59933354a34cadc658105cbdc80002bde78e4979857a22c0cb299a8b3ee935c63e9b071fd24c1003

  • C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi

    Filesize

    728KB

    MD5

    633abc8d73a18f4c2c201dc220b9c97a

    SHA1

    aa824b13db4c49357a2f79c5841ecc8f871d89ad

    SHA256

    97e0edb3f59849a15a0b04967d9d87654bf4b09a998e073cbe670da44721684f

    SHA512

    2a4e9b35267244e9b4f1e8d7bebfa351d456026f493f0036a6b68296479eb7977c7c1e61976fcb0014bfbadef219268612057fdf709c2e072ffcd106afcd1140

  • C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

    Filesize

    140KB

    MD5

    a171d5ea45e09f66cb77a746352d8ffd

    SHA1

    e0c8965b3d1d76a1a238c0cf969f3373d8498e0a

    SHA256

    46cdc734db4e91b5e483ac0b23694468ac6093973f684a3bf2c871fc33ff88ee

    SHA512

    48e3ca7a4a255db3da231086664a12466bb0d70e4aee5ac3fc082e9dce4ebde60448029f4dd563d6d5c8baa391310275a17daf910ab1ca1f1370d6e38296c388

  • C:\ProgramData\Package Cache\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}v64.8.8795\dotnet-runtime-8.0.2-win-x64.msi

    Filesize

    26.2MB

    MD5

    9a2cbfdd81029ec1c0e108d267a077a1

    SHA1

    d7d4f9adfbe65597174d11f6ab22af409e025e03

    SHA256

    f5bdc0635caf2065d936999aaa4c7bc66244db3cb1757f94c5db2a3468870ef9

    SHA512

    880a85bb3ef8547986aaaa08fd5af24a2e20da672825fe54c4a2a33fe5e2dab944b5f55921e9f978ee58f6b50f96de036011ea92ada2936bf1189d226056400e

  • C:\ProgramData\Package Cache\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}v64.8.8806\windowsdesktop-runtime-8.0.2-win-x64.msi

    Filesize

    28.9MB

    MD5

    8549d3d8df455fffbb209c241ece15e9

    SHA1

    1a6bfa95a88ce2aa205d997c22301c7b612a9bc5

    SHA256

    40344e9bcefab6eede82dd027655312f074c399b77b20b2932c2628a4d683581

    SHA512

    42dd8955926287213c457019b986910d2ebd398fb66bc33d9f3cef1c269f8cfbc9bf9e6ded2898ca77603e4dd8974e30c535464167e0fe6113e2c0ba10f91cd7

  • C:\Users\Admin\AppData\Local\Temp\update.bat

    Filesize

    167B

    MD5

    d1df9bb96b34b2b9cba30dc139a00ef8

    SHA1

    44e80d8b875f296f7087eadc0584276fb68fa323

    SHA256

    17bdd9c1355d56e607eae45138d64ed86ebb1369dfcdf4f7ef313124c2f098bc

    SHA512

    7029c53a5de207b495c512bbfc160ccb1d76fb0101ff5bef497cc0bfa570228b5d641e3fb34ee4d17585a19e4ce0b1337f7e14750c70a014d69c1d8afa4f7ec2

  • C:\Users\Admin\AppData\Roaming\delback.bat

    Filesize

    147B

    MD5

    2450c91afcc2d4cc3dea374820bed314

    SHA1

    dd1b61d0aa6d1769018c1d3144de9bb960a64d3c

    SHA256

    4f157084c6e48b547e698ed83ae9a853a4db4b7a115249db272e3eb93316f7df

    SHA512

    b0b21d16b7f35bfc5526ed07407ec85a221a7a036827b65dce0a449d02a31f3f6f5ce2fbf94f0af01ce4a248b27ccf5f287dd2746ee423766be8d366f78ccc91

  • C:\f9532e701a889cdd91b8\2010_x86.log.html

    Filesize

    80KB

    MD5

    cabb9e1c17b5d6884ebd501f150a318a

    SHA1

    1d2c37375d35cb2c82affe2773a0a54b4006b4b1

    SHA256

    ff029a020a46eb42aa1fb92ee17226da0dca8c4cdd40c9b1ea172ddaf434d044

    SHA512

    b709ea4173a6d026631c2b7cc3d84d31798dcb0c86d45000b0b53ae045ae0b42e4a42358dc822359e675bdd1d8736fc0176f70794fbbf151fc2d16450b925afe

  • memory/5848-4-0x00007FF982130000-0x00007FF982BF1000-memory.dmp

    Filesize

    10.8MB

  • memory/5848-3-0x00007FF982133000-0x00007FF982135000-memory.dmp

    Filesize

    8KB

  • memory/5848-2-0x00007FF982130000-0x00007FF982BF1000-memory.dmp

    Filesize

    10.8MB

  • memory/5848-1-0x00000000004D0000-0x00000000004E4000-memory.dmp

    Filesize

    80KB

  • memory/5848-0-0x00007FF982133000-0x00007FF982135000-memory.dmp

    Filesize

    8KB

  • memory/5848-819-0x00007FF982130000-0x00007FF982BF1000-memory.dmp

    Filesize

    10.8MB