Analysis

  • max time kernel
    151s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    31-05-2020 11:49

General

  • Target

    ransom.bin.exe

  • Size

    82KB

  • MD5

    50a8eaf7e9aacf554862a4dd4a44f70f

  • SHA1

    81fce02871932bbc6811fb955471ff90b5f29190

  • SHA256

    adc2f5649973f922dc8294df91c63303870178c8a6839c1a9e8c9e4c4516bfd0

  • SHA512

    416e15f6dc1e25c867011a90645775c6a30add95578082b19950641e28a22bd8c049b5f8c02d5d7514e6b5db0e646e91995b09ea3a58ab7bce9726e60a9f2cf4

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\ReadMe.txt

Ransom Note

What happend for my computer? All your files are encrypted due a security issue in your computer.
What should i do? You have 48 hours to email us.Otherwise, the decryption price will increase or become impossible.
Your email must contain your unique id and the unique key.
your unique id is 7CA96E25
your unique key is …
Email Address: jerjis@tuta.io
If you didn't recive any response till 24 hours,Send email to this address: jerjis@tutamail.com
What is our guarantee? We decrypt two files for you Free to be sure that we are able to recover your files.
Emails

jerjis@tuta.io

jerjis@tutamail.com
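A small config extractor for the ReadMe.txt note shown above, added here as an example and not part of the sandbox report or the sample. NOTE is the note text from the report with the key left elided as the report elides it; the output field names are my own, and the regexes anchor on the note's wording rather than on a fixed layout so they survive the note's own irregular spacing and capitalisation.

```python
"""Extract the actor-supplied identifiers from the ransom note above.
Added example; NOTE is the report's note text, field names are mine."""
import re

NOTE = (
    "What happend for my computer? All your files are encrypted due a security "
    "issue in your computer. What should i do? You have 48 hours to email us."
    "Otherwise, the decryption price will increase or become impossible. Your "
    "email must contain your unique id and the unique key. your unique id is "
    "7CA96E25 your unique key is \u2026 Email Address: jerjis@tuta.io If you "
    "didn't recive any response till 24 hours,Send email to this address: "
    "jerjis@tutamail.com What is our guarantee? We decrypt two files for you "
    "Free to be sure that we are able to recover your files."
)

# Anchor on the phrases that carry the data; the note is free text with
# missing spaces after punctuation, so do not rely on sentence boundaries.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
VICTIM_ID_RE = re.compile(r"unique id is\s+([0-9A-F]{6,})", re.I)
DEADLINE_RE = re.compile(r"(\d+)\s+hours", re.I)


def extract_config(note: str) -> dict:
    """Return victim id, contact addresses (first is primary) and deadlines."""
    emails = []
    for addr in EMAIL_RE.findall(note):
        addr = addr.lower()
        if addr not in emails:  # keep first-seen order, drop repeats
            emails.append(addr)
    m = VICTIM_ID_RE.search(note)
    return {
        "victim_id": m.group(1).upper() if m else None,
        "primary_email": emails[0] if emails else None,
        "fallback_emails": emails[1:],
        # The note states two windows: 48h to make contact, 24h for a reply.
        "deadline_hours": [int(h) for h in DEADLINE_RE.findall(note)],
    }


if __name__ == "__main__":
    print(extract_config(NOTE))
```

The victim id is per infection, so it is useful for tying a note to a host but not for hunting across an estate; the contact addresses are the stable indicators and are what the report lists under Emails.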

Signatures

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Suspicious use of WriteProcessMemory 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Drops startup file 3 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Drops file in Program Files directory 5661 IoCs
  • Drops desktop.ini file(s) 38 IoCs
  • Modifies service 2 TTPs 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ransom.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\ransom.bin.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    • Drops startup file
    • Drops file in Program Files directory
    • Drops desktop.ini file(s)
    PID:1516
    • C:\Windows\system32\cmd.exe
      "cmd.exe"
      2⤵
      PID:1032
      • C:\Windows\system32\netsh.exe
        netsh.exe netsh advfirewall set currentprofile state off
        3⤵
        • Modifies service
        PID:1524
    • C:\Windows\system32\cmd.exe
      "cmd.exe"
      2⤵
      PID:1792
      • C:\Windows\system32\netsh.exe
        netsh.exe netsh firewall set opmode mode=disable
        3⤵
        • Modifies service
        PID:1784
    • C:\Windows\system32\cmd.exe
      "cmd" /C vssadmin Delete Shadows /All /Quiet
      2⤵
      PID:1820
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:1748
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies service
    PID:1840
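The process tree above is what a detection engineer would write a rule against: a signed system binary (vssadmin.exe, netsh.exe) whose parent chain leads back to an executable in a user-writable path, running a recovery-inhibiting or firewall-disabling command line. The following is an added example of that logic over process-creation telemetry, not part of the report or the sample. EVENTS is constructed to mirror the tree (images, command lines and PIDs are the report's); the root process's parent PID 900 and the benign `vssadmin list shadows` record are assumptions for the demo.

```python
"""Flag shadow-copy deletion (the report's T1490) and netsh firewall
disabling in process-creation events, and chain each hit back to its root.
Added example, not from the sandbox report; EVENTS is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Alert:
    technique: str
    pid: int
    root_image: str          # top of the parent chain we could resolve
    root_in_user_path: bool  # root launched from a user-writable location


EVENTS = [
    ProcEvent(1516, 900, r"C:\Users\Admin\AppData\Local\Temp\ransom.bin.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\ransom.bin.exe"'),
    ProcEvent(1032, 1516, r"C:\Windows\system32\cmd.exe", '"cmd.exe"'),
    ProcEvent(1524, 1032, r"C:\Windows\system32\netsh.exe",
              "netsh.exe netsh advfirewall set currentprofile state off"),
    ProcEvent(1792, 1516, r"C:\Windows\system32\cmd.exe", '"cmd.exe"'),
    ProcEvent(1784, 1792, r"C:\Windows\system32\netsh.exe",
              "netsh.exe netsh firewall set opmode mode=disable"),
    ProcEvent(1820, 1516, r"C:\Windows\system32\cmd.exe",
              '"cmd" /C vssadmin Delete Shadows /All /Quiet'),
    ProcEvent(1748, 1820, r"C:\Windows\system32\vssadmin.exe",
              "vssadmin Delete Shadows /All /Quiet"),
    # Assumed benign admin activity: must not fire.
    ProcEvent(2000, 1999, r"C:\Windows\system32\vssadmin.exe",
              "vssadmin list shadows"),
]

# Match the verb, not the exact string, so flag order or '/for=C:' variants
# still hit while 'list shadows' does not.
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.I)
# Both the advfirewall syntax and the legacy 'netsh firewall set opmode'
# form, which the sample runs as well.
FW_DISABLE = re.compile(
    r"advfirewall\s+set\s+\w+\s+state\s+off"
    r"|firewall\s+set\s+opmode\s+(?:mode=)?disable", re.I)
# Paths a standard user can write to; a system binary chained back to one
# of these is the strongest part of the signal.
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\|ProgramData\\|Temp\\)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def lineage(pid: int, by_pid: dict) -> list:
    """Walk ppid links until a parent is unknown or a cycle (PID reuse)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect(events: list) -> list:
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = basename(e.image)
        if name == "vssadmin.exe" and SHADOW_DELETE.search(e.cmdline):
            technique = "shadow_copy_deletion"
        elif name == "netsh.exe" and FW_DISABLE.search(e.cmdline):
            technique = "firewall_disable"
        else:
            continue
        root = lineage(e.pid, by_pid)[-1]
        alerts.append(Alert(technique, e.pid, root.image,
                            bool(USER_WRITABLE.search(root.image))))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

On a real host the same logic runs over Sysmon Event ID 1 or Security 4688 records with command-line logging enabled; without the command line, vssadmin.exe and netsh.exe launches are indistinguishable from administration. The rule fires only on the child that performs the action (the vssadmin process, not the cmd.exe wrapper), which avoids duplicate alerts for the same deletion.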

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Modify Existing Service, T1031 ×1
  • Defense Evasion: File Deletion, T1107 ×2; Modify Registry, T1112 ×1
  • Impact: Inhibit System Recovery, T1490 ×2
