Analysis

  • max time kernel
    103s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/04/2025, 06:45

General

  • Target

    27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe

  • Size

    147KB

  • MD5

    714b31629c37dee57038ca4e52ef65ac

  • SHA1

    f9aa5b2dc359f3173ab555944b2fb5a914b45848

  • SHA256

    27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd

  • SHA512

    05f15b7609b862450ddd56181e1f7350d24a81486a7a2d9265e809b1577ee44b65c23c966b9efd3c3c1f836dde47c201c3239132ad921bb1727c5f402bed2187

  • SSDEEP

    3072:k6glyuxE4GsUPnliByocWepMf11O4OgfJCCrPPl8rzd:k6gDBGpvEByocWeu1RJpPN6

Malware Config

Extracted

Path

C:\KUsfyVlDo.README.txt

Family

braincipher

Ransom Note
*** Welcome to Brain Cipher Ransomware! ***
Dear managers! If you're reading this, it means your systems have been hacked and encrypted and your data stolen.
***
The most proper way to safely recover your data is through our support. We can recover your systems within 4-6 hours. In order for it to be successful, you must follow a few points:
1. Don't go to the police, etc.
2. Do not attempt to recover data on your own.
3. Do not take the help of third-party data recovery companies. In most cases, they are scammers who will pay us a ransom and take a for themselves.
***
If you violate any 1 of these points, we will refuse to cooperate with you!!!
ATTENTION! If you do not contact us within 48 hours, we will post the record on our website: vkvsgl7lhipjirmz6j5ubp3w3bwvxgcdbpi3fsbqngfynetqtw4w5hyd.onion
3 steps to data recovery:
1. Download and install Tor Browser (https://www.torproject.org/download/)
2. Go to our support page: http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion This page can take up to 30 minutes to load.
3. Enter your encryption ID: qLRS3o7nBgYneLCCIQT5S9+wDocPid9vGWlDqWB004LvisizirSDvQ3mpA3NcJAuRWgQw0M5TcgSNEttohZcJzM2VXBrdjcx
Email to support: [email protected]
URLs

http://vkvsgl7lhipjirmz6j5ubp3w3bwvxgcdbpi3fsbqngfynetqtw4w5hyd.onion

http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion

Signatures

  • Brain Cipher

    Ransomware family based on Lockbit that was first observed in June 2024.

  • Braincipher family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
    "C:\Users\Admin\AppData\Local\Temp\27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3836
    • C:\ProgramData\8BB5.tmp
      "C:\ProgramData\8BB5.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8BB5.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4948

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3833542908-3750648139-3436651901-1000\desktop.ini

    Filesize

    129B

    MD5

    788c3e648ca16cdc4ca13f1fa9fe3559

    SHA1

    d3ebae159e8bc13872c0d72c3f73c71bc6dc8920

    SHA256

    e6e400ce100de5035de804af048a6ebe352a28156ddd7972830b2421959b6106

    SHA512

    d3aba090e8cdf9455c8006434f8d14df46bbcd0443c7cecdba59f2ced05811c7f4d7a7d15a299183d8d28b772c5793ad641b7394658cc38906750a37cc8e4089

  • C:\KUsfyVlDo.README.txt

    Filesize

    1KB

    MD5

    82046584dff98337c32ac7117e05387b

    SHA1

    61c5022e6a5f00b4b0164ecf090b0c863d7df84e

    SHA256

    9b90c3d076d429fdf9ea0606d6d19fee56b3202715157da0ac8ad88ef0b06399

    SHA512

    59e49ede5ed8e9769b28d56d4d03f2f28f33088282d0070b834adb30c639c2d93c72ed222aff9f18d973a2f965858f93b895d6282062ee551c9ec04d5ba54ecf

  • C:\ProgramData\8BB5.tmp

    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

    Filesize

    147KB

    MD5

    e1e6d38e6175bd39a5a5d0f2e39c7feb

    SHA1

    4c4696eff20062641b9161cde80b98ffa7f627b9

    SHA256

    e02a8e5cb26f445d0a7866d5f632a9dac02fa29cd7e8ad87ff491c6b0ae19e78

    SHA512

    dbafc144c39c89927917261edfd95d8f21b10dce6caccfd7e9a0080405f14a8483148ae1ecc2c835e6db3479e5e3575169df87f34926c76dfb37c1a4b1a986c8

  • F:\$RECYCLE.BIN\S-1-5-21-3833542908-3750648139-3436651901-1000\DDDDDDDDDDD

    Filesize

    129B

    MD5

    9e67ebf40ba7dfc7a611153f9b904c31

    SHA1

    1884cfe86a7aa3a04053f02a5896bdb9101d3d24

    SHA256

    8bc68162599830bbf8ebd4592b043d14b55f1f62a063042f7a791bf66388f355

    SHA512

    3b60ef9ed00b67c20591786cc163e0f8729b6a4a8791953ef27e55cf10caac267a5c68ae90ca5bdf46ef0afe9af68f37d43439bccc33125c766ae3695f81af65

  • memory/2752-3425-0x0000000000401000-0x0000000000404000-memory.dmp

    Filesize

    12KB

  • memory/2752-3426-0x0000000000400000-0x0000000000407000-memory.dmp

    Filesize

    28KB

  • memory/3836-2-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

    Filesize

    64KB

  • memory/3836-1-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

    Filesize

    64KB

  • memory/3836-3418-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

    Filesize

    64KB

  • memory/3836-3420-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

    Filesize

    64KB

  • memory/3836-3419-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

    Filesize

    64KB

  • memory/3836-0-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

    Filesize

    64KB