5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2

General

Target

5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
Size

324KB
MD5

142a9f0015e581fc7b88db66eec5bf77
SHA1

c9dae1b23c711ef916a55616bf0bd558c51ce97c
SHA256

5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2
SHA512

9cc7d6f6fc0c67a9bd48511094ae1fd16eb04a8876be62c4ab2c319a4b4a6108feb7528a1830e6182bafa3b53b6edb6322fef42827fb25001fd1629ba7c9521a

Score

10^/10

ransomware persistence spyware

Malware Config

Extracted

Path

C:\697CB8-DECRYPT.txt

Ransom Note

---= SHADOW CRYPTOR =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .697CB8 The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. You only have 7 days of payment time, after which the password will be automatically destroyed by the system. You can contact us by the following ways: ---------------------------------------------------------------------------------------- EMAIL:test@mail.com REPEAT:test@mail.com ---------------------------------------------------------------------------------------- ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN ENCRYPT KEY--- uy/f7j0ziu3yOrclC7HlhFjZVX7DRkBuKqNJlGkzqIIJ1lo47nbejiWx6GO2/h5qTqNkKvld6IXgwrIUf7+Avvod071rZ7Nbu7b06eVHMiHf4yTJZWmU8O8dClJ6HFP0iAveGaaekksN7eFS/HuEnLxkmPftUQGV1zsWfxxb+tARJle5PM4vh3nzROTcTtOT1CTp99C+CDxj+piNuUPeAvyKIX1iddVJ+ehlNkFh/Jr5dQggpYmzsLG3oirNxuaSbC901eDAU/CY/RZPtQUmgualdyFFd/+eLfEedhe0w03so8wHrwhRbzVkyZLBpzc3rgtJ7POA5ZJ9tdCQPfh8BfZrCoc6KZQ1Ek12aSwPilxW6Al4bS9nQyE64CcxAub3413R8nSsUardKryGs2hO5PADFwt2GN8STwxNtof9GBT9wAeX4kH52rNr6JpOdN0f/Ybltj4tCsePkIHCP6juAbCjUQmyy6xKk8xooOEyIZnGCJcYVe54u1ToKCzwX0JWDpSeFreDuh6m3dA8jm96nIVykCA/+C7G5xhccmojHHcmTaITIGmtUKrUadXfYtLuGRVXGeFrAXycXvx5cJkieQYDnBfLVjQvuT/gGfOdN6vuaiu5v1qy27NauMpP+XcvZDPKTn8hs7gBgSAE38Kvq03Uwa8Wn3HIZYyK9U9YjR0nSaIMMPM5qdqXGief4jC7ajMidmTMuj42G6ksSioaGKwKOnnmdNxw+3xM1/Er7UJyo7J/AFsJfjqgBCRftQmG7oUHKXGePDmC0eF+tQ2Ctbn4rKtBU4VUlqmMLnRbLfV5Mi/+V4+HOitr2YZo0P4iKaDhQGUaHkju2/PxdanCzbqsYPp3IWfqB8ZNxs7AOKHVzysSbnBQUtGtFmIJ9OXWiJkOjAEOX1Wcx/hmnifrpaeQFeLmmb4mXCNtlFkcxbV72ykFmyP+ctzPNdwY9BfJYykFlSu44U743V2MKpbBj7rWRQs2cKjB+M/O9f6VZSWg/F7Dzc1Q6zADkQNerqMBAhoymaq9cPd5i4CbSuyXZ36Gp2x4J7dQVFezMEDRBZQfSfJwbWd+llGWsW4P3YcX57L4xq+XibL2csLqOgofRChvMmPONZH7jLRyLiApudxkFE8taTdHEjqPHOIjyQeCyE0GRCFdgdNxTio9EAZde5xUhn9ibauC2ngn9BgONTPrG4E7tw6vy3T2uiP6XAM5u9FdQKijOsgf9qoL1iAvI8U6SzuxeZF4u0scqZCxiF3I91+gopu5dSLxph0d9goD+4OcGelycISRFai61vow/7on5AXr/1oGW9AC3hpfA7VxTqS6K5pnac5eigiP69e8mNurw3uib8pAKvRdMZi3VCSR8G6MagJqJYIz/XT1l1NhznPKLSULnpKUYgiF9DFr94b0oD5G6T0mT0jhghpF2kQ/dX2lJiCQXIkjGcGWe7CnAF5X/Pu03Df74rMM/HfHEp4wym7maYSkeboISLuFDCVeBQr3WGI3nyHDrUh+exNUK7J1wmsFlVmcCmqyqvakpH5VILpvgJBsLKKzEYg2fmSYQbX+tC1/TQCEZKwQPxubVRj7qylprDQVfY/OonSVMjiL2j+g/HTMpyfrcPhJ5pW3J+GSveKhH6aovHwePCtf5cxbojjnXXOf+yHOvzyVTojWFEKDQQVUMtFK95bhfx4C1MjRkKptvjd3o7oBPBQ= ---END ENCRYPT KEY---

Emails

EMAIL:test@mail.com

REPEAT:test@mail.com

Signatures

Drops file in Program Files directory 3 IoCs

Processes:

5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe

description	ioc	process
File created	C:\Program Files\LimitRestore.697CB8	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
File created	C:\Program Files\RedoUpdate.697CB8	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
File created	C:\Program Files\697CB8-DECRYPT.txt	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1680 PING.EXE

pid	process
1680	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vssvc.exe5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe

description	pid	process
Token: SeBackupPrivilege	1448	vssvc.exe
Token: SeRestorePrivilege	1448	vssvc.exe
Token: SeAuditPrivilege	1448	vssvc.exe
Token: SeIncBasePriorityPrivilege	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1520 cmd.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

notepad.exe

pid process

1060 notepad.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1048 vssadmin.exe

pid	process
1520	cmd.exe

pid	process
1060	notepad.exe

pid	process
1048	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe

pid	process
880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.execmd.exe

description	pid	process	target process
PID 880 wrote to memory of 1048	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	vssadmin.exe
PID 880 wrote to memory of 1048	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	vssadmin.exe
PID 880 wrote to memory of 1048	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	vssadmin.exe
PID 880 wrote to memory of 1048	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	vssadmin.exe
PID 880 wrote to memory of 1060	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	notepad.exe
PID 880 wrote to memory of 1060	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	notepad.exe
PID 880 wrote to memory of 1060	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	notepad.exe
PID 880 wrote to memory of 1060	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	notepad.exe
PID 880 wrote to memory of 1520	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	cmd.exe
PID 880 wrote to memory of 1520	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	cmd.exe
PID 880 wrote to memory of 1520	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	cmd.exe
PID 880 wrote to memory of 1520	880	5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe	cmd.exe
PID 1520 wrote to memory of 1680	1520	cmd.exe	PING.EXE
PID 1520 wrote to memory of 1680	1520	cmd.exe	PING.EXE
PID 1520 wrote to memory of 1680	1520	cmd.exe	PING.EXE
PID 1520 wrote to memory of 1680	1520	cmd.exe	PING.EXE

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Users\Admin\AppData\Local\Temp\5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe
"C:\Users\Admin\AppData\Local\Temp\5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe"
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /Quiet
2⤵
- Interacts with shadow copies
PID:1048

C:\Windows\SysWOW64\notepad.exe
notepad.exe "C:\Users\Admin\AppData\Local\Temp\697CB8-DECRYPT.txt"
2⤵
- Suspicious use of FindShellTrayWindow
PID:1060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 3 && del /f/q "C:\Users\Admin\AppData\Local\Temp\5f2cc1bce3f6d9b382891ad0b441318b221958ba7fc028f71d9689838536b7c2.bin.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1520