5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2

General

Target

5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
Size

324KB
MD5

142a9f0015e581fc7b88db66eec5bf77
SHA1

c9dae1b23c711ef916a55616bf0bd558c51ce97c
SHA256

5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2
SHA512

9cc7d6f6fc0c67a9bd48511094ae1fd16eb04a8876be62c4ab2c319a4b4a6108feb7528a1830e6182bafa3b53b6edb6322fef42827fb25001fd1629ba7c9521a

Score

10^/10

ransomware persistence spyware

Malware Config

Extracted

Path

C:\697CB8-DECRYPT.txt

Ransom Note

---= SHADOW CRYPTOR =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .697CB8 The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. You only have 7 days of payment time, after which the password will be automatically destroyed by the system. You can contact us by the following ways: ---------------------------------------------------------------------------------------- EMAIL:[email protected] REPEAT:[email protected] ---------------------------------------------------------------------------------------- ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN ENCRYPT KEY--- uy/f7j0ziu3yOrclC7HlhFjZVX7DRkBuKqNJlGkzqIIJ1lo47nbejiWx6GO2/h5qTqNkKvld6IXgwrIUf7+Avvod071rZ7Nbu7b06eVHMiHf4yTJZWmU8O8dClJ6HFP0iAveGaaekksN7eFS/HuEnLxkmPftUQGV1zsWfxxb+tARJle5PM4vh3nzROTcTtOT1CTp99C+CDxj+piNuUPeAvyKIX1iddVJ+ehlNkFh/Jr5dQggpYmzsLG3oirNxuaSbC901eDAU/CY/RZPtQUmgualdyFFd/+eLfEedhe0w03so8wHrwhRbzVkyZLBpzc3rgtJ7POA5ZJ9tdCQPfh8BfZrCoc6KZQ1Ek12aSwPilxW6Al4bS9nQyE64CcxAub3413R8nSsUardKryGs2hO5PADFwt2GN8STwxNtof9GBT9wAeX4kH52rNr6JpOdN0f/Ybltj4tCsePkIHCP6juAbCjUQmyy6xKk8xooOEyIZnGCJcYVe54u1ToKCzwX0JWDpSeFreDuh6m3dA8jm96nIVykCA/+C7G5xhccmojHHcmTaITIGmtUKrUadXfYtLuGRVXGeFrAXycXvx5cJkieQYDnBfLVjQvuT/gGfOdN6vuaiu5v1qy27NauMpP+XcvZDPKTn8hs7gBgSAE38Kvq03Uwa8Wn3HIZYyK9U9YjR0nSaIMMPM5qdqXGief4jC7ajMidmTMuj42G6ksSioaGKwKOnnmdNxw+3xM1/Er7UJyo7J/AFsJfjqgBCRftQmG7oUHKXGePDmC0eF+tQ2Ctbn4rKtBU4VUlqmMLnRbLfV5Mi/+V4+HOitr2YZo0P4iKaDhQGUaHkju2/PxdanCzbqsYPp3IWfqB8ZNxs7AOKHVzysSbnBQUtGtFmIJ9OXWiJkOjAEOX1Wcx/hmnifrpaeQFeLmmb4mXCNtlFkcxbV72ykFmyP+ctzPNdwY9BfJYykFlSu44U743V2MKpbBj7rWRQs2cKjB+M/O9f6VZSWg/F7Dzc1Q6zADkQNerqMBAhoymaq9cPd5i4CbSuyXZ36Gp2x4J7dQVFezMEDRBZQfSfJwbWd+llGWsW4P3YcX57L4xq+XibL2csLqOgofRChvMmPONZH7jLRyLiApudxkFE8taTdHEjqPHOIjyQeCyE0GRCFdgdNxTio9EAZde5xUhn9ibauC2ngn9BgONTPrG4E7tw6vy3T2uiP6XAM5u9FdQKijOsgf9qoL1iAvI8U6SzuxeZF4u0scqZCxiF3I91+gopu5dSLxph0d9goD+4OcGelycISRFai61vow/7on5AXr/1oGW9AC3hpfA7VxTqS6K5pnac5eigiP69e8mNurw3uib8pAKvRdMZi3VCSR8G6MagJqJYIz/XT1l1NhznPKLSULnpKUYgiF9DFr94b0oD5G6T0mT0jhghpF2kQ/dX2lJiCQXIkjGcGWe7CnAF5X/Pu03Df74rMM/HfHEp4wym7maYSkeboISLuFDCVeBQr3WGI3nyHDrUh+exNUK7J1wmsFlVmcCmqyqvakpH5VILpvgJBsLKKzEYg2fmSYQbX+tC1/TQCEZKwQPxubVRj7qylprDQVfY/OonSVMjiL2j+g/HTMpyfrcPhJ5pW3J+GSveKhH6aovHwePCtf5cxbojjnXXOf+yHOvzyVTojWFEKDQQVUMtFK95bhfx4C1MjRkKptvjd3o7oBPBQ= ---END ENCRYPT KEY---

Emails

EMAIL:[email protected]

REPEAT:[email protected]

Signatures

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\LimitRestore.697CB8	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
File created	C:\Program Files\RedoUpdate.697CB8	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
File created	C:\Program Files\697CB8-DECRYPT.txt	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1680	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeBackupPrivilege	1448	vssvc.exe
Token: SeRestorePrivilege	1448	vssvc.exe
Token: SeAuditPrivilege	1448	vssvc.exe
Token: SeIncBasePriorityPrivilege	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe

Deletes itself 1 IoCs

pid	Process
1520	cmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1060	notepad.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1048	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 1048	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	24
PID 880 wrote to memory of 1048	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	24
PID 880 wrote to memory of 1048	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	24
PID 880 wrote to memory of 1048	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	24
PID 880 wrote to memory of 1060	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	28
PID 880 wrote to memory of 1060	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	28
PID 880 wrote to memory of 1060	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	28
PID 880 wrote to memory of 1060	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	28
PID 880 wrote to memory of 1520	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	29
PID 880 wrote to memory of 1520	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	29
PID 880 wrote to memory of 1520	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	29
PID 880 wrote to memory of 1520	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	29
PID 1520 wrote to memory of 1680	1520	cmd.exe	31
PID 1520 wrote to memory of 1680	1520	cmd.exe	31
PID 1520 wrote to memory of 1680	1520	cmd.exe	31
PID 1520 wrote to memory of 1680	1520	cmd.exe	31

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Users\Admin\AppData\Local\Temp\5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
"C:\Users\Admin\AppData\Local\Temp\5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe"
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe delete shadows /all /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1048
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe "C:\Users\Admin\AppData\Local\Temp\697CB8-DECRYPT.txt"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 3 && del /f/q "C:\Users\Admin\AppData\Local\Temp\5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - Runs ping.exe
    PID:1680