Analysis
-
max time kernel
150s
-
max time network
104s
-
platform
windows11-21h2_x64
-
resource
win11-20250619-en
-
resource tags
arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
-
submitted
01/07/2025, 07:25
Static task
static1
Behavioral task
behavioral1
Sample
main.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
main.exe
Resource
win11-20250610-en
Behavioral task
behavioral3
Sample
ransom.exe
Resource
win10v2004-20250619-en
Behavioral task
behavioral4
Sample
ransom.exe
Resource
win11-20250619-en
General
-
Target
ransom.exe
-
Size
7.8MB
-
MD5
648bd793d9e54fc2741e0ba10980c7de
-
SHA1
f5d0c94b2be91342dc01ecf2f89e7e6f21a74b90
-
SHA256
102276ae1f518745695fe8f291bf6e69856b91723244881561bb1a2338d54b12
-
SHA512
d1428b934a360d7f3651947d11081892c93c7cd29a17dc38190cbb46c95939928ac6f805adf586be2937e27fc20aec8bd1fc2c782c681e7e94e9e8d33b8ebf15
-
SSDEEP
98304:9+v9K8MgmB4oIWcCJ3ZZVL8oYi5lTkZkmla1DXL:S4uWcCT9Gzl
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\CyberVolk_ReadMe.txt
https://t.me/cubervolk
Signatures
-
Renames multiple (2895) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 4 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | ransom.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.cvenc | ransom.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt | ransom.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CyberVolk_ReadMe.txt | ransom.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 64 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | ransom.exe
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | ransom.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | ransom.exe
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | ransom.exe
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | ransom.exe
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini | ransom.exe
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | ransom.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | ransom.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | ransom.exe
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | ransom.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | ransom.exe
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | ransom.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | ransom.exe
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | ransom.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | ransom.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | ransom.exe
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | ransom.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | ransom.exe
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | ransom.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | ransom.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | ransom.exe
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | ransom.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | ransom.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | ransom.exe
File opened for modification | \??\f:\$RECYCLE.BIN\S-1-5-21-707770698-2523217751-1187874351-1000\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | ransom.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | ransom.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | ransom.exe
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini | ransom.exe
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | ransom.exe
File opened for modification | C:\Users\Public\desktop.ini | ransom.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | ransom.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\b: | ransom.exe
File opened (read-only) | \??\g: | ransom.exe
File opened (read-only) | \??\i: | ransom.exe
File opened (read-only) | \??\j: | ransom.exe
File opened (read-only) | \??\k: | ransom.exe
File opened (read-only) | \??\m: | ransom.exe
File opened (read-only) | \??\o: | ransom.exe
File opened (read-only) | \??\v: | ransom.exe
File opened (read-only) | \??\h: | ransom.exe
File opened (read-only) | \??\q: | ransom.exe
File opened (read-only) | \??\u: | ransom.exe
File opened (read-only) | \??\w: | ransom.exe
File opened (read-only) | \??\y: | ransom.exe
File opened (read-only) | \??\e: | ransom.exe
File opened (read-only) | \??\r: | ransom.exe
File opened (read-only) | \??\x: | ransom.exe
File opened (read-only) | \??\z: | ransom.exe
File opened (read-only) | \??\a: | ransom.exe
File opened (read-only) | \??\l: | ransom.exe
File opened (read-only) | \??\n: | ransom.exe
File opened (read-only) | \??\p: | ransom.exe
File opened (read-only) | \??\s: | ransom.exe
File opened (read-only) | \??\t: | ransom.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-707770698-2523217751-1187874351-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" | ransom.exe
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ransom.exe
Processes
Network
MITRE ATT&CK Enterprise v16
Credential Access
Credentials from Password Stores (2)
  Credentials from Web Browsers (1)
  Windows Credential Manager (1)
Unsecured Credentials (1)
  Credentials In Files (1)
Downloads
-
Filesize
1.0MB
MD5
0863459591e797af38da82ddd0425e14
SHA1
9c8933d870442d5d4b1391c3d059bce9c8cb39a6
SHA256
ec32212245ccd0133c682ecde37e0fe8f8ff9f313b5bcf3f55fbba784d832c0e
SHA512
52619e8cf074f01cf96bd0ec0e30965d9af296591e05aef82ca2fe724750fe1a715b91ab41b5cbf239b669c0d7f2d9ac78b8c1d721d9d4581a0854d99761e727
-
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.cvenc
Filesize
141KB
MD5
e826b97424bc1f792771a39daee2fb86
SHA1
1ba2f8cb6ea525065bcc8ac5531acd8f1a495ce4
SHA256
7b13a0030913376e6a1313e0fc5498daa0f92b0177ad72b09cbcbd3a8d5fc16c
SHA512
943d9585ce30e20bf2ff9371ae4a25419400b797e1026007daace0a972c541c4fd2a92f186f3319a1181c6a85cb09af938ee1c95da5ab6940538450128121f20
-
Filesize
348B
MD5
ce7ff0a9361571a2dcb08f50500ace3f
SHA1
5d8bed459f55a37e2fcb801d04de337a01c5d623
SHA256
894bc59f5227b4d545412b2a2897367d7ac88090c86f5a1728bf733e70bd93ee
SHA512
bba6d46fae5b4099b047b192f7df21fdf01675b09f3da38a365710fc9aa5b126cc6a2c2547be48deecfaa360e1521cf04a9793af083735de4a8cb7be9bd4c52a
-
Filesize
1KB
MD5
6f7e5e0fb81c20eb92f1869f6d14c7c9
SHA1
330505d5d878f85545705ada064c51f2d3046656
SHA256
f4661d6fe70011b2118f4d6d52f29a7a1e9135fa0f46163ad13d384bbb14a34d
SHA512
08c8c6a994f04c6ea173dfe3e1e197836ec03aaec967d785a30cf354f0cdc405c20530af9ea67dd38ee6e70a54a4d1e7d118e01aec78fb1b62cf5dda71d20dcd
-
Filesize
513KB
MD5
ac12292209807151552778f4810d99c3
SHA1
d31b4c590a3dd0c565ffd332540344708735e69a
SHA256
d80cc9b369a26f3cada539324cb7c0f2a93be0395e34fc5bf3a52d84ccac7c40
SHA512
52cdea087eac082836458c9e8c5983bd23972ee168ff09d96673a330e6ff712561597ebdd6c575a675a8088cc5f0dcdb13efdfa809d2869ff0446b9eb750c9cc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kniw7saj.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm.cvenc
Filesize
33KB
MD5
9fceaef63a73675407e971fb7acc6130
SHA1
5001e9f0b486e7a142cff1b81ef5a36067c33eca
SHA256
670e2379182c9db788add21e089792145d57f6b47946b67ee5f4c78d2d276673
SHA512
e44f47c1aa82a596647080c43cf18c7cd0f3486c12436b4a126f9c1c246012e1a936520beade42aad3fb64c19c3ba497aceb9556be0f2ea6086709b1f3f1b3d5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kniw7saj.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.cvenc
Filesize
49KB
MD5
5ee65d145651f9fcb858354f6615ae0b
SHA1
db0190c8d45f66a9a9b5a5f29d3151d4c1e0dbd4
SHA256
d63b63d6e74542cd8294d1de8b285eac8a64cb4d6ed3e69cf54344eddaa5e700
SHA512
0e84f168a91335b83aee83c9b708ef56dc0af1fec89690129da6e9da3a79d629e9674689b209dd19d2a6b767b0e142750dec1443f4552d274bfd706d5227e890
-
Filesize
5B
MD5
7b972beaf37e2de7dbe066961a5d5c1c
SHA1
05fded5bdfe8bad9118d0d5b1d33af598ab39794
SHA256
1274deb6dd5637d775d619b4b2449b40dd2179007cb88f0e36b1ccf91f18dd6e
SHA512
db20e8fcb1205237940387d9e9184624b848fc9d3e5e24addb31edffa6f78fc987314f9509cb1b3700382276770f0a8b761a65e24cdb17ee15cb6cdcfa85f5d3
-
Filesize
5B
MD5
7ce5417e80aef872ba20917011e39416
SHA1
4ce45e74ef4a8701eaaa4e8fb17bab705ebd772c
SHA256
987f32746376de3fa8ff935ec01448a5936c8e222ce383cf89b4dc2ecdc67ea8
SHA512
b9926371eb5022b27b43e08bb30040cb4ed8938e0ab7ec0495a9ee176faae0e9ff6f392d801bf6c610080813568810202364100273883e5057c2ab3bd57887ec
-
Filesize
5B
MD5
a734ad8883f2ce5db79f678149b8d6ed
SHA1
db2f277d3f22707160ecadbc85fdbf36f5e16775
SHA256
4b9647fd16286b9d48f8957d016408d48324837a2dc4726070225737e5764791
SHA512
fbaae4949b92ab773efb546ae8d161e828225c911591853988fc876cfcb1d8436084981285fd6c9e09bc89a95a3da37686d439e3db086ab5d4eb43139270e00a
-
Filesize
5B
MD5
5143cf8618ed4a4d16edfebaf7728139
SHA1
03355d8a8beabaaaaa54bb99c253724be3ab123b
SHA256
896ba209d8b0c5cdfdacb8b2d45dae08ba41a114dde0bc6ac633dd8a772d66f3
SHA512
f2e4e516edcdb338fd5be7054203b6df5d72fb04d91f1035f13450859a28fbe5c763afa2121b230e9c93d5806348a89e67aa0f07ab585777cb792eeb2570f3b7
-
Filesize
5B
MD5
d0dcf063a9c7678ef849da47e7b5c359
SHA1
dd1d3f9db21c852aa5ce97e5a9f64165ecee7ed0
SHA256
d46637522853433efdf1806e2e5336c312d5ba0ff0a32b80468e96b8abf11c04
SHA512
2aca0e320da8db3720328d7fdd400ab23259acff084de43c4a18c702599e40c0286748b7c0cdc5b9cd6081453824b0e3311466c8f3db841ddeb1594b43c1feed
-
Filesize
5B
MD5
942d56c3022c0cbed8b956292110a54f
SHA1
9d90ff42c13e1a1159651e7103812fd3eddec3b1
SHA256
155464e7a35faffd6b3b4f2e6b757098204e8a24221641b58ee8156acfd2e1fc
SHA512
62f13178aa3f33ba1410a6005b4d592f98438523b3e47cac35fb94da07bedc4a5c3ab4ee65f6419005835cfd635004445b671dc904ddb387afd8b2a851428a66
-
Filesize
5B
MD5
916cbd6f20415c2214d441deaefedf75
SHA1
764b4f70f63ee4203a9d422778df1b799d565c84
SHA256
dea69a3afb734ba56e0465a463c3c6c5cd4c852cb165c1dd960ba91a4038a53d
SHA512
362c4a98af8f6b1652b18e7feda108652269bee63c903d65225018d861d6efa4e5ae74162fb8d9db39f5706271d26b7cce8cfd1fd45be5b5e6fd22b4811d5cc0
-
Filesize
5B
MD5
4a90df0803c61aab5c319444f910371b
SHA1
ec20ef7d365ac361b3a7970d329d9b4e93d67f40
SHA256
5cf32f9151895f7869e8af1d91c81444a0d3157ad5f4484dcbcab8a29d6bc6ac
SHA512
f434f0cf630953e364a1f9706e10dc0519ae09bee281d5efd9288b307233ebb006c004c6f2d54044487f5bd1628dd9130616a82d585bef4edc13f6a752f84519
-
Filesize
5B
MD5
f678a3b7005a6251cb0cf3a28f523cb3
SHA1
be95a3f025e6dabeea687e46dec4dbc2dbc56afd
SHA256
bd41cbdc04707f80b319802470a1871b99d36766f9d020cc0f9a569a4d1bb54b
SHA512
f51336743b3de543c0e4954b87046d36e22517cfa35f071b79d86b813177122f63488a809cc323dd86dc831fef90066954666f9388f8bf736c15eda050c9f21c
-
Filesize
5B
MD5
eb4ab9e8db10f6fd9c9a5085f3a75fdd
SHA1
cababf2bea2f1f0fb553b9d65dc2cde33a225489
SHA256
e20c996edc342b0e8fe4abe8a1b4373ae040e36b367cf6188e43d04950b7f6c6
SHA512
ccf44347376c9d905a5729478d1cf6f94b4f72c9119da4cb91649a57db62746cb874c929603478410397a2317397941626a10399b9e7e294f551240473422c70
-
Filesize
5B
MD5
7bf570282789f2798b7d6c1714e63ce9
SHA1
4250574703082799b6ff5d2aff42596bc3d3eec6
SHA256
0abe1b008e37697d60391129deac748704d6105881949c60dff38453777ffb43
SHA512
7e88f1bd9b4d92534e2343ca98d7b485921d604a80172538da18d55a8db0f102b30878458d41cd3a5f627c27b12f16a07636a33f63da618a02bd08e1c0508b69