Analysis
- max time kernel: 146s
- max time network: 26s
- platform: windows7_x64
- resource: win7v200430
- submitted: 12/05/2020, 01:53
Static task: static1
Behavioral task: behavioral1
- Sample: Cat22.exe
- Resource: win7v200430
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: Cat22.exe
- Resource: win10v200430
- 0 signatures, 0 seconds
General
- Target: Cat22.exe
- Size: 11.3MB
- MD5: 25af3ae9f4ebe5413b0ca1080b69b0ca
- SHA1: c34e2a2d8ba0aaea3913227de0cbf87cad4ebd1b
- SHA256: 2d95507aa1ea5d2a6313bc5c201cf76e6aae4c207aa0fafe8f1fcb03e94102ec
- SHA512: b7194be16c8d4db0fc8305165c6d0e0aa6684b36c58855d9fab11e0d59d8bf004475df9932588cabebeff7d4f9a71dfa6bd8e985cfde1e318eb34e6880960ff2
- Score: 10/10
Malware Config
Extracted
- Path: C:\Users\Admin\Downloads\README.txt
- Ransom Note:
Tango Down Bitch!
Seems like you got hit by GAmmA Group!
Don't Panic, you get to have your files back!
GAmmAWare uses a basic encryption script to lock your files.
This type of ransomware is known as CRYPTO.
You'll need a decryption key to unlock your files.
Your files will be deleted when the timer runs out, so you better hurry.
You have 10 hours to find your key!
Payment is accepted with Bitcoin only, Or Google [How to buy Bitcoin]
Payment 0.052 BTC to: 1sd2WD1fEJnUPkGgfTEciWENKtLeUGMQe
After Payment is confirmed Please Email: [email protected] with your IP/hostname & BTC transaction ID to receive your decryption key.
Kind regards,
GAmmA GrouP
Emails
Wallets
- 1sd2WD1fEJnUPkGgfTEciWENKtLeUGMQe
Signatures
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                 pid   Process    procid_target
  PID 1292 wrote to memory of 608   1292  Cat22.exe  24
  PID 1292 wrote to memory of 608   1292  Cat22.exe  24
  PID 1292 wrote to memory of 608   1292  Cat22.exe  24
- Loads dropped DLL (50 IoCs)
  pid   Process
  608   Cat22.exe
  (the same row, pid 608 / Cat22.exe, is listed 50 times in the report)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description   pid   Process
  Token: 35     608   Cat22.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Cat22.exe (PID 1292), command line: "C:\Users\Admin\AppData\Local\Temp\Cat22.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Cat22.exe (PID 608, child of 1292), command line: "C:\Users\Admin\AppData\Local\Temp\Cat22.exe"
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken