15b7ee3734e6bdecfc3a82fabfcd79fc3cae22fceb00c5d1afc8571a513510ce

General

Target

00b2679e73e28343fd153df9858bc910.exe
Size

715KB
MD5

00b2679e73e28343fd153df9858bc910
SHA1

f27390cdca4afea0ffeda89f117931858e7f5a7f
SHA256

6396ea2ef48aa3d3a61fb2e1ca50ac3711c376ec2b67dbaf64eeba49f5dfa9df
SHA512

35b06555bd088bdcdd13f3377832073ebdae9053fe8a640c41470560da1f093abe65d6cfc4cfce30a9af708a8926ea646c801b6c155d0517e612f807472a7261

Score

10^/10

ransomware spyware

Malware Config

Extracted

Path

C:\program files\7-zip\lang\!!FAQ for Decryption!!.txt

Ransom Note

Good day. All your files are encrypted. For decryption contact us. Write here mrddnet_support@protonmail.ch We also inform that your databases, ftp server and file server were downloaded by us to our servers. * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss.

Emails

mrddnet_support@protonmail.ch

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

00b2679e73e28343fd153df9858bc910.exe

description pid process target process

PID 1056 set thread context of 900 1056 00b2679e73e28343fd153df9858bc910.exe svchost.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1312 cmd.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

svchost.exe

pid process

900 svchost.exe
900 svchost.exe
900 svchost.exe
900 svchost.exe
900 svchost.exe
900 svchost.exe
900 svchost.exe

description	pid	process	target process
PID 1056 set thread context of 900	1056	00b2679e73e28343fd153df9858bc910.exe	svchost.exe

pid	process
1312	cmd.exe

pid	process
900	svchost.exe
900	svchost.exe
900	svchost.exe
900	svchost.exe
900	svchost.exe
900	svchost.exe
900	svchost.exe

Drops file in Program Files directory 5605 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\program files\common files\microsoft shared\stationery\pretty_peacock.jpg	svchost.exe
File opened for modification	C:\program files\dvd maker\shared\dvdstyles\memories\btn-previous-static.png	svchost.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\images\cursors\win32_copynodrop32x32.gif	svchost.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar	svchost.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar	svchost.exe
File opened for modification	C:\program files\java\jre7\lib\zi\america\indiana\tell_city	svchost.exe
File opened for modification	C:\program files\java\jre7\lib\zi\etc\gmt-4	svchost.exe
File created	C:\program files\videolan\vlc\locale\zu\lc_messages\!!FAQ for Decryption!!.txt	svchost.exe
File opened for modification	C:\program files (x86)\adobe\reader 9.0\resource\linguistics\providers\proximity\11.00\can32.clx	svchost.exe
File opened for modification	C:\program files (x86)\microsoft analysis services\as oledb\10\cartridges\sybase.xsl	svchost.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\slideshow.gadget\logo.png	svchost.exe
File opened for modification	C:\program files\common files\microsoft shared\stationery\seyes.emf	svchost.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\america\dawson_creek	svchost.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\cpu.gadget\en-us\css\cpu.css	svchost.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\picturepuzzle.gadget\images\7.png	svchost.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\undocked_black_moon-waning-gibbous.png	svchost.exe
File created	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_cn_5.5.0.165303\!!FAQ for Decryption!!.txt	svchost.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.ja_5.5.0.165303.jar	svchost.exe
File opened for modification	C:\program files\java\jre7\lib\zi\america\phoenix	svchost.exe
File opened for modification	C:\program files\mozilla firefox\gmp-clearkey\0.1\clearkey.dll.sig	svchost.exe
File opened for modification	C:\program files\7-zip\lang\eu.txt	svchost.exe
File opened for modification	C:\program files\common files\microsoft shared\ink\fsdefinitions\main\base_heb.xml	svchost.exe
File created	C:\program files\dvd maker\shared\dvdstyles\push\!!FAQ for Decryption!!.txt	svchost.exe
File opened for modification	C:\program files\dvd maker\shared\dvdstyles\travel\header-background.png	svchost.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png	svchost.exe
File created	C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\!!FAQ for Decryption!!.txt	svchost.exe
File opened for modification	C:\program files\java\jre7\lib\zi\america\curacao	svchost.exe
File opened for modification	C:\program files\videolan\vlc\lua\intf\modules\httprequests.luac	svchost.exe
File opened for modification	C:\program files\windows sidebar\gadgets\picturepuzzle.gadget\images\tile16.png	svchost.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\clock.gadget\images\novelty_dot.png	svchost.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\cpu.gadget\en-us\gadget.xml	svchost.exe
File opened for modification	C:\program files\7-zip\lang\eo.txt	svchost.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\deploy\messages_de.properties	svchost.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\pacific\apia	svchost.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	svchost.exe
File created	C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\core\!!FAQ for Decryption!!.txt	svchost.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar	svchost.exe
File opened for modification	C:\program files\java\jre7\lib\management\management.properties	svchost.exe
File created	C:\program files\videolan\vlc\skins\fonts\!!FAQ for Decryption!!.txt	svchost.exe
File opened for modification	C:\program files (x86)\adobe\reader 9.0\reader\plug_ins\ebook.api	svchost.exe
File opened for modification	C:\program files (x86)\common files\speechengines\microsoft\tts20\en-us\enu-dsk\m1033dsk.lts	svchost.exe
File opened for modification	C:\program files (x86)\internet explorer\en-us\ieinstal.exe.mui	svchost.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\clock.gadget\images\square.png	svchost.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\btn_close_down.png	svchost.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\asia\yekaterinburg	svchost.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\pacific\enderbury	svchost.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_zh_cn.jar	svchost.exe
File created	C:\program files\videolan\vlc\locale\it\lc_messages\!!FAQ for Decryption!!.txt	svchost.exe
File created	C:\program files (x86)\adobe\reader 9.0\reader\legal\enu\!!FAQ for Decryption!!.txt	svchost.exe
File opened for modification	C:\program files (x86)\adobe\reader 9.0\reader\tracker\review_browser.gif	svchost.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\19.png	svchost.exe
File opened for modification	C:\program files\common files\microsoft shared\themes14\evrgreen\evrgreen.elm	svchost.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\jre\lib\zi\asia\riyadh	svchost.exe
File created	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\meta-inf\!!FAQ for Decryption!!.txt	svchost.exe
File opened for modification	C:\program files\java\jre7\lib\security\local_policy.jar	svchost.exe
File opened for modification	C:\program files\videolan\vlc\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css	svchost.exe
File created	C:\program files\windows media player\network sharing\!!FAQ for Decryption!!.txt	svchost.exe
File opened for modification	C:\program files\windows sidebar\gadgets\clock.gadget\en-us\js\timezones.js	svchost.exe
File opened for modification	C:\program files (x86)\windows sidebar\gadgets\slideshow.gadget\images\reveal_hov.png	svchost.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\db\bin\ij	svchost.exe
File opened for modification	C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\meta-inf\eclipse_.sf	svchost.exe
File opened for modification	C:\program files\java\jre7\lib\zi\etc\gmt+9	svchost.exe
File opened for modification	C:\program files\common files\system\ado\msado20.tlb	svchost.exe
File opened for modification	C:\program files\dvd maker\shared\dvdstyles\travel\passportmask.wmv	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

00b2679e73e28343fd153df9858bc910.exe

description	pid	process	target process
PID 1056 wrote to memory of 900	1056	00b2679e73e28343fd153df9858bc910.exe	svchost.exe
PID 1056 wrote to memory of 900	1056	00b2679e73e28343fd153df9858bc910.exe	svchost.exe
PID 1056 wrote to memory of 900	1056	00b2679e73e28343fd153df9858bc910.exe	svchost.exe
PID 1056 wrote to memory of 900	1056	00b2679e73e28343fd153df9858bc910.exe	svchost.exe
PID 1056 wrote to memory of 900	1056	00b2679e73e28343fd153df9858bc910.exe	svchost.exe
PID 1056 wrote to memory of 900	1056	00b2679e73e28343fd153df9858bc910.exe	svchost.exe
PID 1056 wrote to memory of 1312	1056	00b2679e73e28343fd153df9858bc910.exe	cmd.exe
PID 1056 wrote to memory of 1312	1056	00b2679e73e28343fd153df9858bc910.exe	cmd.exe
PID 1056 wrote to memory of 1312	1056	00b2679e73e28343fd153df9858bc910.exe	cmd.exe
PID 1056 wrote to memory of 1312	1056	00b2679e73e28343fd153df9858bc910.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\00b2679e73e28343fd153df9858bc910.exe
"C:\Users\Admin\AppData\Local\Temp\00b2679e73e28343fd153df9858bc910.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\svchost.exe
C:\Windows\System32\svchost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Drops file in Program Files directory
PID:900

C:\Windows\SysWOW64\cmd.exe
/c del C:\Users\Admin\AppData\Local\Temp\00b2679e73e28343fd153df9858bc910.exe >> NUL
2⤵
- Deletes itself
PID:1312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/900-0-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/900-1-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download

Analysis

Sharing