Analysis

  • max time kernel
    103s
  • max time network
    104s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    21/04/2025, 06:46

General

  • Target

    6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe

  • Size

    147KB

  • MD5

    9c5698924d4d1881efaf88651a304cb3

  • SHA1

    c60a0b99729eb6d95c2d9f8b76b9714411a3a751

  • SHA256

    6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417

  • SHA512

    1e9cc0d7c831a496e3dbcc56f2d5d477e7a7546c2f223b0278fedfa10fc1bebb0412fd5d81ac02a77aa503ddc99dea1d59d9120d076ae7a0f5137c9260a64eea

  • SSDEEP

    3072:+6glyuxE4GsUPnliByocWepMT0CY2gbP39m3Lpdp:+6gDBGpvEByocWeAYTbPN8p

Malware Config

Extracted

  • Path

    C:\flzQgniJJ.README.txt

  • Family

    braincipher

  • Ransom Note

    *** Welcome to Brain Cipher Ransomware! ***
    Dear managers!
    If you're reading this, it means your systems have been hacked and encrypted and your data stolen.
    ***
    The most proper way to safely recover your data is through our support. We can recover your systems within 4-6 hours. In order for it to be successful, you must follow a few points:
    1.Don't go to the police, etc.
    2.Do not attempt to recover data on your own.
    3.Do not take the help of third-party data recovery companies. In most cases, they are scammers who will pay us a ransom and take a for themselves.
    ***
    If you violate any 1 of these points, we will refuse to cooperate with you!!!
    3 steps to data recovery:
    1. Download and install Tor Browser (https://www.torproject.org/download/)
    2. Go to our support page: http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion
    3. Enter your encryption ID: uYrTA6hpRFsWQR0nqlFk5WK8S+zUIHNd9T3L6aykdR27ztPJwC3xHOsdSBkZhmr+yKcnVLCct0ffjVRy5yvFQydzhzQWJR
    Email to support: [email protected]

  • URLs

    http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion

Signatures

  • Brain Cipher

    Ransomware family based on Lockbit that was first observed in June 2024.

  • Braincipher family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
    "C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5440
    • C:\ProgramData\AE51.tmp
      "C:\ProgramData\AE51.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:5468
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\AE51.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2904

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\$Recycle.Bin\S-1-5-21-4239789418-2672923313-1754393631-1000\CCCCCCCCCCC

    Filesize

    129B

    MD5

    792ce97c733d78700ee4108087060fef

    SHA1

    e18208b0dc3cca5bb8a8e5e719dd0970f3a2a80f

    SHA256

    2f3179c017c3c193f3d3fdb8ffbe9034425e3a4be296c9e77dc4f525fc2d0967

    SHA512

    962ff754e81aea50c418964b8f3a00edee11e6ba7fb68f62e4421351f81a557c453b719a1c136cbb94b991259f470c07eb6730248c7181fc178e3e787ce00466

  • C:\ProgramData\AE51.tmp

    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

    Filesize

    147KB

    MD5

    09dbbdd8e109019972ca73e323fb06eb

    SHA1

    642884fa2e69a3207d117bef7dd8414c395c7267

    SHA256

    3d12a0a8d03e2a3e6c0c15e2d681f6468ed732277d1bf7a6e73f5be96b970163

    SHA512

    945f3a3dabb1e59a8034aabed03dff79bdaf32a40966b067fb50ebffa3afd774363eee188e6fc616b4eff512abd2f985f2054d717e483d54773a7ccb4d6af7dd

  • C:\flzQgniJJ.README.txt

    Filesize

    1KB

    MD5

    3bebb5494e1c3d4753ce92a479e7eda5

    SHA1

    243685d0515d19210e4e2f354d367be6212e98ff

    SHA256

    13d69c85aeb5beab58caefaa2cdc257d668f568103a5cebbd98038b3b66b66bd

    SHA512

    0e31e7bf96fbd6bb91fbe96e59acf96dd0fef5e9db9e93e924afd17fe1066c04b0d9bf9e2d60c335db4f0347107a63d92dfc9ba9b166d2e3151e5440232f63da

  • F:\$RECYCLE.BIN\S-1-5-21-4239789418-2672923313-1754393631-1000\DDDDDDDDDDD

    Filesize

    129B

    MD5

    42546b38b5aabeb1cbd129cb0debb898

    SHA1

    4d6292dd749423691d4c7841ee49fd4d830d9498

    SHA256

    2b329685ce86afacd031ae11e37b9ddca638d7a271f3f6485d4d9a45f5336ac8

    SHA512

    97fb33fbcd026bfeefad444db7e4f5ef85aedee83f9889390262b7f065b31cb71558f94a2850cea7c118f7aeb8a19240f17bd51dacd6b6b6851e174aa1031bd4

  • memory/5440-3566-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

    Filesize

    64KB

  • memory/5440-2-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

    Filesize

    64KB

  • memory/5440-0-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

    Filesize

    64KB

  • memory/5440-1-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

    Filesize

    64KB

  • memory/5468-3571-0x000000007FDF0000-0x000000007FDF1000-memory.dmp

    Filesize

    4KB

  • memory/5468-3570-0x000000007FE50000-0x000000007FE51000-memory.dmp

    Filesize

    4KB

  • memory/5468-3569-0x0000000002680000-0x0000000002690000-memory.dmp

    Filesize

    64KB

  • memory/5468-3568-0x0000000002680000-0x0000000002690000-memory.dmp

    Filesize

    64KB

  • memory/5468-3567-0x000000007FE70000-0x000000007FE71000-memory.dmp

    Filesize

    4KB

  • memory/5468-3601-0x000000007FE30000-0x000000007FE31000-memory.dmp

    Filesize

    4KB

  • memory/5468-3600-0x000000007FE10000-0x000000007FE11000-memory.dmp

    Filesize

    4KB