Analysis

  • max time kernel
    103s
  • max time network
    104s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    21/04/2025, 06:45

General

  • Target

    27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe

  • Size

    147KB

  • MD5

    714b31629c37dee57038ca4e52ef65ac

  • SHA1

    f9aa5b2dc359f3173ab555944b2fb5a914b45848

  • SHA256

    27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd

  • SHA512

    05f15b7609b862450ddd56181e1f7350d24a81486a7a2d9265e809b1577ee44b65c23c966b9efd3c3c1f836dde47c201c3239132ad921bb1727c5f402bed2187

  • SSDEEP

    3072:k6glyuxE4GsUPnliByocWepMf11O4OgfJCCrPPl8rzd:k6gDBGpvEByocWeu1RJpPN6

Malware Config

Extracted

Path

C:\KUsfyVlDo.README.txt

Family

braincipher

Ransom Note
*** Welcome to Brain Cipher Ransomware! ***
Dear managers!
If you're reading this, it means your systems have been hacked and encrypted and your data stolen.
***
The most proper way to safely recover your data is through our support.
We can recover your systems within 4-6 hours.
In order for it to be successful, you must follow a few points:
1.Don't go to the police, etc.
2.Do not attempt to recover data on your own.
3.Do not take the help of third-party data recovery companies. In most cases, they are scammers who will pay us a ransom and take a for themselves.
***
If you violate any 1 of these points, we will refuse to cooperate with you!!!
ATTENTION!
If you do not contact us within 48 hours, we will post the record on our website: vkvsgl7lhipjirmz6j5ubp3w3bwvxgcdbpi3fsbqngfynetqtw4w5hyd.onion
3 steps to data recovery:
1. Download and install Tor Browser (https://www.torproject.org/download/)
2. Go to our support page: http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion
This page can take up to 30 minutes to load.
3. Enter your encryption ID: qLRS3o7nBgYneLCCIQT5S9+wDocPid9vGWlDqWB004LvisizirSDvQ3mpA3NcJAuRWgQw0M5TcgSNEttohZcJzM2VXBrdjcx
Email to support: [email protected]
URLs

http://vkvsgl7lhipjirmz6j5ubp3w3bwvxgcdbpi3fsbqngfynetqtw4w5hyd.onion

http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion

Signatures

  • Brain Cipher

    Ransomware family based on Lockbit that was first observed in June 2024.

  • Braincipher family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe
    "C:\Users\Admin\AppData\Local\Temp\27a3cc834c1cd00ad5378c373d76957998bb54bbcfe67bbf3ae5c7be5a5a66dd.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\ProgramData\74C2.tmp
      "C:\ProgramData\74C2.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:5112
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\74C2.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4680

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1492919288-2219487354-2015056034-1000\IIIIIIIIIII

    Filesize

    129B

    MD5

    71608e63322ec8b5a74a6bd3880fa3c9

    SHA1

    0b00cc4b0d81bd3c2ccca0637ac2b26704560049

    SHA256

    97e8538fdd81e7754321eb462682f966396794a2d139ce6010467bd62ea93626

    SHA512

    27f5a1d7b2954cb41a413cda0d68933f57482d1460b2c14bc128b7f600964965dd18fc175f4eb0c6126190f328b47f1d9969a0d31bd2fb1fbd5f726cddf96173

  • C:\KUsfyVlDo.README.txt

    Filesize

    1KB

    MD5

    82046584dff98337c32ac7117e05387b

    SHA1

    61c5022e6a5f00b4b0164ecf090b0c863d7df84e

    SHA256

    9b90c3d076d429fdf9ea0606d6d19fee56b3202715157da0ac8ad88ef0b06399

    SHA512

    59e49ede5ed8e9769b28d56d4d03f2f28f33088282d0070b834adb30c639c2d93c72ed222aff9f18d973a2f965858f93b895d6282062ee551c9ec04d5ba54ecf

  • C:\ProgramData\74C2.tmp

    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

    Filesize

    147KB

    MD5

    ce4b570255a46d7e4311dd20954ac96e

    SHA1

    ce9301b32db6d79ba1fdeeb961c2dc4268d7e441

    SHA256

    e3661eed8ab72d43aa42d5a36c2c83e3e9bda5f55076565ca1d83d6499927432

    SHA512

    6eb591c7398ae47232c200d59cc8059b7ff8a0ef53fcec0585347298f70800099bd5bdafc6636af6f7323c393ffc8162466e0cb3b002f5990aae5fcab79d92c1

  • F:\$RECYCLE.BIN\S-1-5-21-1492919288-2219487354-2015056034-1000\DDDDDDDDDDD

    Filesize

    129B

    MD5

    ff3b657effb49dbc70067995023a71c0

    SHA1

    c605a7973bfd647f2e3bed9807317a7d091ae5c5

    SHA256

    b2b165d4b5946fb0b29656d53627677dfa279fb31a2e6a40ec3a4389f506fca9

    SHA512

    5d1ee7ce5b0fdc5e90b73eed79ebdcd18182e5cf0c5f37de2ab14d79f44417a02a44ce8eb0c778b2e3fe99c2c31547e8d212bc2bcc30e274c1e69c533b0f9521

  • memory/1180-2-0x0000000003410000-0x0000000003420000-memory.dmp

    Filesize

    64KB

  • memory/1180-1-0x0000000003410000-0x0000000003420000-memory.dmp

    Filesize

    64KB

  • memory/1180-3498-0x0000000003410000-0x0000000003420000-memory.dmp

    Filesize

    64KB

  • memory/1180-0-0x0000000003410000-0x0000000003420000-memory.dmp

    Filesize

    64KB

  • memory/1180-3503-0x0000000003410000-0x0000000003420000-memory.dmp

    Filesize

    64KB

  • memory/5112-3499-0x000000007FE70000-0x000000007FE71000-memory.dmp

    Filesize

    4KB

  • memory/5112-3501-0x000000007FE50000-0x000000007FE51000-memory.dmp

    Filesize

    4KB

  • memory/5112-3500-0x00000000024B0000-0x00000000024C0000-memory.dmp

    Filesize

    64KB

  • memory/5112-3502-0x000000007FDF0000-0x000000007FDF1000-memory.dmp

    Filesize

    4KB

  • memory/5112-3532-0x000000007FE10000-0x000000007FE11000-memory.dmp

    Filesize

    4KB

  • memory/5112-3533-0x000000007FE30000-0x000000007FE31000-memory.dmp

    Filesize

    4KB