Resubmissions

15/05/2025, 07:39

250515-jg1v9abk5s 10

15/05/2025, 05:36

250515-garb5a1j17 10

Analysis

  • max time kernel
    440s
  • max time network
    441s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/05/2025, 07:39

General

  • Target

    encrypter-windows-gui-x86.exe

  • Size

    1.1MB

  • MD5

    d0728e075e66bda22bb6c030502a689a

  • SHA1

    60c3cce7d1e1921794cd00308efb73f3412384fb

  • SHA256

    fb2fe8e18856af09231edefccc7d54b881d8f488f91ff61f4c09995c33aaafce

  • SHA512

    773f413ef51bc2493a940011645c40d1f55d06a53e8e60032ed01ad016184d67289a9fd9d3bb8af42fbdca29f0bb927e0137ff4f5f0914ea52b58646051962ef

  • SSDEEP

    24576:7u43pl7vAJusc1XsmJxYxm37IZ1EbdOn2XqKP/TMRxYWXE:7r3pl7pexGvdfXqKP/TMRGWXE

Malware Config

Extracted

Path

C:\Program Files\README.TXT

Ransom Note
 Hello! Your data is encrypted! We do not dare to decide the future fate of your data, only you can decide it ! Since we have many years of experience in this field, we can help you solve this problem quickly and in the most convenient way for you. 1.The price of decryption directly depends on the time in which you decide to ransom, we know perfectly well how data recovery companies work and in the event that you are trying to recover data without us (this is almost impossible). But for decryption companies this is the main income, the price of decryption will be several times higher. If you admit your mistake and are ready to pay within 12 hours after the attack, in this case the price will be 50-30% of the main cost. 2.We also understand that some of you are forced to contact an intermediary! In this case, we strongly recommend that you act as follows, under no circumstances trust your fate to decryption companies and control every step, including negotiations with us, leave backup copies of the most important data in encrypted form with you, not giving decryption companies access. Their task is not to decrypt your data but to make money on you, remember this! They are trying to decrypt us only in order to earn more, in fact, your data is not so important to them.Carefully study the sources and trust proven companies (they create fake topics on forums in which they create their own ratings and reviews) be extremely careful! 3.In case of refusal to pay, we transfer all your personal data such as (emails, link to panel, payment documents , certificates , personal information of you staff, SQL,ERP,financial information for other hacker groups) and they will come to you again for sure! We will also publicize this attack using social networks and other media, which will significantly affect your reputation! 4. IF YOU CHOOSE TO USE DATA RECOVERY COMPANY ASK THEM FOR DECRYPT TEST FILE FOR YOU IF THEY CAN'T DO IT DO NOT BELIEVE THEM AT ALL! 5. 
The decryption process is not at all a complicated process; any experienced PC user can handle it with ease. In the event that payment occurs within 12 hours after the attack, we undertake to fully accompany you until all data is fully decrypted, as well as point out to you all the mistakes of your specialists. Point out to you how to make sure that no one ever gets into your network again. Price in this case will be ONLY from 30 to 50 % of full amount. 6. We will provide you with the decryption tool no more than 30 minutes after payment! We can provide you with several test files (you send us encrypted files, we decrypt and send you the whole file) so you can confirm our competence (availability of the decryption key). 7. We never deceive people who got caught for us it is absolutely not profitable for us (we have key), I remind you that you are far from the first and not the last who got into such a situation and it is resolved quite quickly and easily. We protect our reputation, therefore we remind you that you carefully monitor the entire course of the decryption process, including negotiations, test files, the time at which the payment should occur and you should receive the treasured decryption tool, thank you for your attention. 8. Make informed decisions, you are far from the first who got into such a situation! Remember, only we have the decryption key, do not waste money and time, you will only complicate the situation and will be left without your data, success to you in business and do not get caught, be careful with security, it is very important these days! Contacts : Download the (Session) messenger (https://getsession.org) You fined me: "0585ae8a3c3a688c78cf2e2b2b7df760630377f29c0b36d999862861bdbf93380d" MAIL:[email protected]
Emails
URLs

https://getsession.org

Signatures

  • Renames multiple (5855) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 3 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\encrypter-windows-gui-x86.exe
    "C:\Users\Admin\AppData\Local\Temp\encrypter-windows-gui-x86.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe
      "C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4480
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1524
        3⤵
        • Program crash
        PID:10204
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe" /V-
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe
      C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe /V-
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3500
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3908
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4480 -ip 4480
    1⤵
    PID:10740

    Network

          MITRE ATT&CK Enterprise v16

          Downloads

          • C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar.{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}.edukr

            Filesize

            2.1MB

            MD5

            8387a958cb174e1f7b9be8a5a7673d33

            SHA1

            c6c144e3d42f8f941f53db8cccc724bdc33a938d

            SHA256

            466ba5591cdebf9fb2ee87c9a209c8531d247fdd712c55e6f2f0aef160e507e8

            SHA512

            fb050712efffef2ee5985f5d7e920bede8528d5efacc4f8a52bde4076b8ef223cd02396f654375795971072653c37eb4d70176c12cc8d055fa21b2161300310a

          • C:\Program Files\README.TXT

            Filesize

            3KB

            MD5

            f99f7c71d34b1123f0d892e3ccadc7fb

            SHA1

            719a28ee9139f75fabd9eff72cf6b1eee98b3d4d

            SHA256

            423d63cefcaac56016ba83149cb0423d6653397fad78e8a41da71ed48993e550

            SHA512

            9bf96ae8b0d3fb5bdcd5b38f16abb8beaa41c82d72ea937e6a795a02d43a7c5a6d06a0e9d1b65c6da6ee3942fb7ad1b85650cfbf1227374f8fd29bd9a3f8d17c

          • C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe

            Filesize

            1.1MB

            MD5

            d0728e075e66bda22bb6c030502a689a

            SHA1

            60c3cce7d1e1921794cd00308efb73f3412384fb

            SHA256

            fb2fe8e18856af09231edefccc7d54b881d8f488f91ff61f4c09995c33aaafce

            SHA512

            773f413ef51bc2493a940011645c40d1f55d06a53e8e60032ed01ad016184d67289a9fd9d3bb8af42fbdca29f0bb927e0137ff4f5f0914ea52b58646051962ef

          • C:\Users\Admin\AppData\Local\Temp\default.tmp

            Filesize

            576B

            MD5

            432a8b1057c5da436991e46d3d6a853b

            SHA1

            32d30803e27778d1465c690a12dba766468c0dd2

            SHA256

            52aa6764fd7d9351012db0ad3162dde1ec960a4282638dc147547796606f14af

            SHA512

            3b298027b408cb5428e8ec3300ed135606a5f93702e5ba7510bc3aee50eeca040a8ec63d2304b1b4f1cfce90dae90b581307dbb22cbe4f0049e27eab06079fe6

          • \??\Z:\BOOTNXT.{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}.edukr

            Filesize

            609B

            MD5

            3ca81c358e87ab45344063040983a66b

            SHA1

            8e80c1e5f8ea843579fdcb91a5e32447e0ccbb28

            SHA256

            148e6ac4213eb6a567bdcb93d20686dbabb68e5783fd1156ef905578a360128d

            SHA512

            44e00054ff2c5b1699d1aa43d3164fbee03da17cfdd7b6285ac0903fae03f5b7716c5ef006e763dea28df77979069f644c486737b49565ca71390b1ba07eee02