Analysis

  • max time kernel
    104s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system
  • submitted
    30/03/2025, 06:34

General

  • Target

    f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe

  • Size

    181KB

  • MD5

    4b61967fdf02be7687b1490e15b9fd68

  • SHA1

    fad1ec3f9014432f8bc878c1424c7a7e56d6d729

  • SHA256

    f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5

  • SHA512

    4cbcbe30b4cbc62268a28c4d711548d56f78b3dc82e1840061d1e0f2ecd8d9316ff5a42108ec7994f63fa0cbd088b0f5375e9f178840e21844bf5eebef7ace24

  • SSDEEP

    3072:rB/5U7rXgNoku2TspaCq7IUnQOuDE4cxmphmSkCRgOupmTZ0Nk5TqhpzWJy43UYl:rR5U7rwN02Tyq7IwQO54eMBkwXKmTZQq

Malware Config

Extracted

Path

C:\PerfLogs\readme_for_unlock.txt

Ransom Note
!!! ATTENTION !!! Your network is hacked and files are encrypted. Including the encrypted data we also downloaded other confidential information: Data of your employees, customers, partners, as well as accounting and other internal documentation of your company. All data is stored until you will pay. After payment we will provide you the programs for decryption and we will delete your data. If you refuse to negotiate with us (for any reason) all your data will be put up for sale.

What you will face if your data gets on the black market:
1) The personal information of your employees and customers may be used to obtain a loan or purchases in online stores.
2) You may be sued by clients of your company for leaking information that was confidential.
3) After other hackers obtain personal data about your employees, social engineering will be applied to your company and subsequent attacks will only intensify.
4) Bank details and passports can be used to create bank accounts and online wallets through which criminal money will be laundered.
5) You will forever lose the reputation.
6) You will be subject to huge fines from the government.

You can learn more about liability for data loss here: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation https://gdpr-info.eu/

Courts, fines and the inability to use important files will lead you to huge losses. The consequences of this will be irreversible for you. Contacting the police will not save you from these consequences, but will only make your situation worse. You can get out of this situation with minimal losses. To do this you must strictly observe the following rules:
DO NOT Modify, DO NOT rename, DO NOT copy, DO NOT move any files. Such actions may DAMAGE them and decryption will be impossible.
DO NOT use any third party or public decryption software, it may also DAMAGE files.
DO NOT Shutdown or Reboot the system, this may DAMAGE files.
DO NOT hire any third party negotiators (recovery/police, etc.)

You need to contact us as soon as possible and start negotiations. Instructions for contacting our team:
Download & Install TOR browser: https://torproject.org
For contact us via LIVE CHAT open our
> Website: http://z6ig22odfrlgttti64avskvguqpjlmixzzaepm3xn2pmjkare5rjwpid.onion
> Login: CLIENT
> Password: D01EuXJTiTnWR5S1bSCV
If Tor is restricted in your area, use VPN
URLs

https://gdpr-info.eu/

http://z6ig22odfrlgttti64avskvguqpjlmixzzaepm3xn2pmjkare5rjwpid.onion
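The URLs listed above are what a sandbox pulls out of the note automatically. As an added example (this is not code from the sandbox or from the report), the same contact block can be parsed into a small IOC record: Tor contact points separated from clearnet links, plus the chat credentials the note hands the victim. The note text below is a constructed excerpt of the note recovered above, and the 56-character base32 check for v3 onion addresses and the field names are this example's own assumptions.

```python
import re

# Constructed excerpt of the recovered ransom note (C:\PerfLogs\readme_for_unlock.txt),
# reduced to the sentences that carry indicators so the example runs offline.
NOTE = (
    "You can learn more about liability for data loss here: "
    "https://en.wikipedia.org/wiki/General_Data_Protection_Regulation https://gdpr-info.eu/ "
    "Download & Install TOR browser: https://torproject.org "
    "For contact us via LIVE CHAT open our > Website: "
    "http://z6ig22odfrlgttti64avskvguqpjlmixzzaepm3xn2pmjkare5rjwpid.onion "
    "> Login: CLIENT > Password: D01EuXJTiTnWR5S1bSCV "
    "If Tor is restricted in your area, use VPN"
)

# Any http(s) URL up to the next whitespace or quote character.
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# v3 onion service: exactly 56 base32 characters before .onion, optional path or port.
ONION_RE = re.compile(r"https?://[a-z2-7]{56}\.onion(?:[/:][^\s]*)?")
# "Login: X" / "Password: Y" pairs as they appear in the note (assumed field names).
CRED_RE = re.compile(r"\b(Login|Password):\s*(\S+)")


def extract_config(note: str) -> dict:
    """Split the URLs in a ransom note into Tor contact points and clearnet links,
    and pull the chat credentials the note gives the victim."""
    urls = [u.rstrip(".,)") for u in URL_RE.findall(note)]   # drop trailing punctuation
    onions = [u for u in urls if ONION_RE.fullmatch(u)]
    creds = {k.lower(): v for k, v in CRED_RE.findall(note)}
    return {
        "onion": onions,
        "clearnet": [u for u in urls if u not in onions],
        "login": creds.get("login"),
        "password": creds.get("password"),
    }


if __name__ == "__main__":
    for key, value in extract_config(NOTE).items():
        print(f"{key:9s} {value}")
```

The strict onion check matters in practice: notes often quote clearnet URLs (here the GDPR links and torproject.org) that must not end up on a blocklist, and a loose `.onion` substring match would also accept lookalike strings.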

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (185) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Disables Task Manager via registry modification
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 20 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • System policy modification 1 TTPs 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe
    "C:\Users\Admin\AppData\Local\Temp\f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3288
    • C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\ProgramData\kD1aE.tmp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3056
    • C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\ProgramData\kD1aE.tmp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3528
    • C:\ProgramData\Host Process for Windows Services
      "C:\ProgramData\Host Process for Windows Services"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:7116
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:6084
        • C:\Windows\system32\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:4768
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\System32\netsh.exe" advfirewall set allprofiles state off
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2376
    • C:\ProgramData\sichost.exe
      C:\ProgramData\sichost.exe C:\Users\Admin\AppData\Local\Temp\f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5692
    • C:\Windows\SysWOW64\diskpart.exe
      diskpart /s C:\ProgramData\kD1aE.tmp
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5208
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:1384
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:2252
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
      1⤵
        PID:5068
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:6016
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:2580
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1776
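The signatures above are, in the end, pattern matches over this process tree. As an added example (not part of the sandbox report and not the sandbox's own rule engine), the following script runs a handful of those checks over process-creation records and reports which PIDs trip which rule: shadow-copy deletion through vssadmin, the firewall being switched off through netsh advfirewall, diskpart driven by a script in a user-writable directory, execution out of C:\ProgramData, an extensionless image name, and a dropped helper launched with its parent's path as an argument (the pattern behind the "Deletes itself" signature). The event records are constructed from the tree above; PIDs and command lines are taken from the report, while the parent image paths, the benign control row and the scoring threshold are assumptions of this example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon Event ID 1 or EDR telemetry carries)."""
    pid: int
    image: str
    cmdline: str
    parent_image: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f4ca0aaa779663297a6fb634fb3c9f775230e52a9fa733073fe8057b0e70a0f5.exe"
DROPPED = r"C:\ProgramData\Host Process for Windows Services"

# Constructed events mirroring the process tree in this report. PIDs and command lines are
# from the report; parent paths and the notepad control row are assumed.
EVENTS = [
    ProcEvent(3288, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcEvent(3056, r"C:\Windows\SysWOW64\diskpart.exe", r"diskpart /s C:\ProgramData\kD1aE.tmp", SAMPLE),
    ProcEvent(7116, DROPPED, f'"{DROPPED}"', SAMPLE),
    ProcEvent(6084, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet', DROPPED),
    ProcEvent(4768, r"C:\Windows\system32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(2376, r"C:\Windows\SysWOW64\netsh.exe",
              r'"C:\Windows\System32\netsh.exe" advfirewall set allprofiles state off', DROPPED),
    ProcEvent(5692, r"C:\ProgramData\sichost.exe", rf"C:\ProgramData\sichost.exe {SAMPLE}", SAMPLE),
    ProcEvent(1234, r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def shadow_copy_deletion(e: ProcEvent) -> bool:
    # Matched on the command line so the cmd.exe /c wrapper is caught as well as vssadmin itself.
    return re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", e.cmdline, re.I) is not None


def firewall_disabled(e: ProcEvent) -> bool:
    return re.search(r"advfirewall\s+set\s+\w+\s+state\s+off", e.cmdline, re.I) is not None


def diskpart_script_from_writable_dir(e: ProcEvent) -> bool:
    # diskpart /s <script> where the script lives under ProgramData or a user profile.
    return "diskpart" in _basename(e.image).lower() and \
        re.search(r"/s\s+c:\\(programdata|users)\\", e.cmdline, re.I) is not None


def exec_from_programdata(e: ProcEvent) -> bool:
    return e.image.lower().startswith("c:\\programdata\\")


def extensionless_image(e: ProcEvent) -> bool:
    # "Host Process for Windows Services" is svchost's file description used as a bare file name.
    return "." not in _basename(e.image)


def self_delete_helper(e: ProcEvent) -> bool:
    # Dropped binary started with its parent's own path as an argument. The report shows only
    # the argument, not what sichost.exe does with it; treating it as a self-delete helper is
    # this example's heuristic.
    return exec_from_programdata(e) and e.parent_image.lower() in e.cmdline.lower()


RULES = [shadow_copy_deletion, firewall_disabled, diskpart_script_from_writable_dir,
         exec_from_programdata, extensionless_image, self_delete_helper]


def evaluate(events):
    """Map rule name -> list of PIDs that tripped it, in event order."""
    hits = {}
    for e in events:
        for rule in RULES:
            if rule(e):
                hits.setdefault(rule.__name__, []).append(e.pid)
    return hits


def verdict(hits, threshold=3):
    """Assumed scoring: three or more distinct rule families firing is treated as ransomware-like."""
    return "ransomware-like" if len(hits) >= threshold else "inconclusive"


if __name__ == "__main__":
    h = evaluate(EVENTS)
    for name, pids in h.items():
        print(f"{name:36s} {pids}")
    print(verdict(h))
```

One caveat visible in the tree itself: the netsh and diskpart children run as 32-bit processes, so their image path is C:\Windows\SysWOW64\... while the command line names System32. Rules that key on the image directory alone will miss WoW64 redirection; the checks above match on the binary name and command line instead.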

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\PerfLogs\readme_for_unlock.txt

        Filesize

        2KB

        MD5

        d8e863955a2afad6b297de25aa1e34a8

        SHA1

        9d960ad303b8925f684c2516e014221c462c8d74

        SHA256

        bd2668828c480746dd8d6270efa1eab91416ad07ccf7bf58b0c1e6dda2e0a707

        SHA512

        fa5698a78210357e859123e6d7c54348a7f78c605104ad9fb82b41fe69ee510fa1905290d1d4ffd8e94ee16d3e9f401a8c63b902bc3688a4bbcf94d884650ed7

      • C:\ProgramData\Host Process for Windows Services

        Filesize

        69KB

        MD5

        f17d7475ae143611c98e3eb03d3911ef

        SHA1

        b98367f0d97faf9b7d1002d46637ce4bc57d9a5b

        SHA256

        827baf5be98a693f923c055ba9950ec3437a244abb9bd0a4e794add298bff087

        SHA512

        4dfe335b8a1be3c2c71b0d4a43b3f004b3e29eba8491e0a5f98b4fe5b8a14d787ca6f8a6997ca845e0b95c7110fecaab94907c217fce4ca1622cab9b256dbb2a

      • C:\ProgramData\Q9acAd3.vhd

        Filesize

        16.0MB

        MD5

        449a62bf153f4fb72e2ee7a86c774b45

        SHA1

        efe19f472d460d7210e568e3443e164fd1f51855

        SHA256

        c902ce599db4134b17ac52a817c04b5a60cc587f983b3517b97c58634c13cc18

        SHA512

        c7198185e0f2bd2502cb3c24fc870fb621b8d421c5f00397f180b145035292ccb4900b17948cd5a166be39e5dc584bc9f22216ae050c20e87d44da485e820d18

      • C:\ProgramData\kD1aE.tmp

        Filesize

        34B

        MD5

        4eb9ba2b74923cfdd5bf1b7d361916c8

        SHA1

        38bb5cd2e7c48a369d7e73852749bac403165519

        SHA256

        0977e976a701e82d9d4f1f1b1eaf8a495e1bd92cc33a86a398d0bd536d86a73a

        SHA512

        be4227c1d478476813f164b8e5389d46be10877839530e85e0ab51f744f6006810823751e5ec08ad345298c966082f48a36f0aa6ba12d47522bde95176cf203d

      • C:\ProgramData\kD1aE.tmp

        Filesize

        132B

        MD5

        40525e4d5526164ffeeefb2e335c869e

        SHA1

        855aea5785873f5b13605de8765d94edf62143f7

        SHA256

        82350eee2b0b078b4dd06fee1242d227cb9bc4a5a61d01ee42161d8c8e1efc80

        SHA512

        b5334c2d1f8713f4316673754f112ae59d2b8854aada64380888cb40323927862b753ba40691f0923c8e70c7b624cf3cd315be7e84bf8202c293f2f71c02afcf

      • C:\ProgramData\sichost.exe

        Filesize

        43KB

        MD5

        e6a8f3973380e37f13fc76a9d27e79ca

        SHA1

        24bd0e0662f0dca89698c1323268f15d30d36d96

        SHA256

        092d4fe86aec6c3a44499e7539e88e50a31b451250e53847d0ab23d116a7cd8e

        SHA512

        b5afbc690962fdfb9469a4bc96404e629c097b5bb60627f830e2a00879625e75590e3f3c2bbff7765d701d0d61481c49769c0d36fe74182027555444ae2f2534

      • memory/3288-22-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

        Filesize

        4KB

      • memory/3288-25-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

        Filesize

        4KB

      • memory/3288-11-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

        Filesize

        4KB

      • memory/3288-13-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

        Filesize

        4KB

      • memory/3288-12-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

        Filesize

        4KB

      • memory/3288-18-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

        Filesize

        4KB

      • memory/3288-20-0x0000000003D10000-0x0000000003D11000-memory.dmp

        Filesize

        4KB

      • memory/3288-17-0x0000000003D30000-0x0000000003D31000-memory.dmp

        Filesize

        4KB

      • memory/3288-0-0x00000000002C0000-0x000000000030A000-memory.dmp

        Filesize

        296KB

      • memory/3288-7-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

        Filesize

        4KB

      • memory/3288-24-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

        Filesize

        4KB

      • memory/3288-8-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

        Filesize

        4KB

      • memory/3288-33-0x0000000002C90000-0x0000000002C91000-memory.dmp

        Filesize

        4KB

      • memory/3288-31-0x0000000003D40000-0x0000000003D41000-memory.dmp

        Filesize

        4KB

      • memory/3288-6-0x0000000003D20000-0x0000000003D21000-memory.dmp

        Filesize

        4KB

      • memory/3288-1-0x0000000001180000-0x0000000001181000-memory.dmp

        Filesize

        4KB

      • memory/3288-5-0x0000000003D10000-0x0000000003D11000-memory.dmp

        Filesize

        4KB

      • memory/3288-764-0x00000000002C0000-0x000000000030A000-memory.dmp

        Filesize

        296KB

      • memory/5692-754-0x0000000000550000-0x000000000056F000-memory.dmp

        Filesize

        124KB

      • memory/5692-772-0x0000000000550000-0x000000000056F000-memory.dmp

        Filesize

        124KB

      • memory/7116-774-0x0000000000CA0000-0x0000000000CD7000-memory.dmp

        Filesize

        220KB

      • memory/7116-745-0x0000000000CA0000-0x0000000000CD7000-memory.dmp

        Filesize

        220KB