I literally can't think of a fitting pun - MrDec Ransomware

Malware Analysis
1

It employs techniques that are not seen very often in other ransomware samples, so the Analysis is actually quite difficult, but I'm hoping reading this is also a bit interesting atleast.

Logo
Logo512×512

Work in Progress

A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.

MrDec @ AnyRun | VirusTotal | HybridAnalysis --> sha256 a700f9ced75c4143da6c4d1e09d6778e84ff570ea7d297fc130a0844e56c96ad


Detect it easy


Ransomnote
Ransomnote1013×724


Ransomnote
Ransomnote1843×646


x32dbg
x32dbg1629×836


Running it twice


Imports of the binary
Imports of the binary897×307


Detect it easy


Windows Crypto API
Windows Crypto API789×805


Connected Drives


Clearing the Memory
Clearing the Memory714×375


clop?
clop?1313×608


Clop in Binary Ninja
Clop in Binary Ninja800×280


MITRE ATT&CK

T1215 --> Kernel Modules and Extensions --> Persistence

T1179 --> Hooking --> Persistence

T1060 --> Registry Run Keys / Start Folder --> Persistence

T1055 --> Process Injection --> Privilege Escalation

T1179 --> Hooking --> Privilege Escalation

T1055 --> Process Injection --> Defense Evasion

T1045 --> Software Packing --> Defense Evasion

T1112 --> Modify Registry --> Defense Evasion

T1107 --> File Deletion --> Defense Evasion

T1179 --> Hooking --> Credential Access

T1012 --> Query Registry --> Discovery

T1057 --> Process Discovery --> Discovery

T1076 --> Remote Desktop Protocol --> Lateral Movement


IOCs

MrDec

searchfiles.exe --> SHA256: a700f9ced75c4143da6c4d1e09d6778e84ff570ea7d297fc130a0844e56c96ad 
                    SSDEEP: 192:QEsTzSIs3HIuvipDu3uTtKTzTwmH+STs8fpgiRHIYGL4vKrGoO:QE0JoapKeTtKTz8s+S48h5dIYxK

Registry Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
unlock --> "c:\Decoding help.hta"
searchfiles -->  C:\windows\searchfiles.exe 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime

orsa–> 06 02 00 00 00 A4 00 00  52 53 41 31 00 08 00 00 01 00 01 00 07 AF 04 2E  A4 1A 3C 08 5E 32 C7 4F 6A DB C8 7C 91 6B C1 FE  73 38 2F 4F 7C EA B8 B6 BC BD CB 22 5C 6B E6 1C  E0 35 24 58 ED C8 BC EF A9 A6 EC AE 4F 84 AF BC  E8 D7 50 4B C5 2A 6F 85 5E E9 A1 46 5F 2A 65 E7  0E 97 74 4B 16 D5 C4 4C 28 6B 17 47 EC F0 B9 A5  72 C4 DB EE 67 1D C6 0D DD 58 93 FF CE 38 64 5D  92 0E 93 AC A6 BC 31 B5 6D ED A6 74 8F 59 F3 40  EF FD A9 7D 18 12 4F 0A 51 AF D6 1F EE 1E 17 4B  A2 D7 CD 20 B4 4F FD DF 5C BB CD B6 A4 BC D2 8D  85 17 F9 95 BF FD 67 16 36 15 69 7A BC A2 FD 0F  EC F6 D4 A4 92 94 3A AC FC 78 77 81 4B F4 E8 2E  AD 55 52 27 67 EF E9 48 1F 1D 8B F5 35 8F 71 AA  DA 84 75 79 A2 1C BD 32 90 8B EB 54 88 3F CC 51  C9 48 2A 47 76 79 CE EB B4 A7 ED D5 DF C3 EB 50  09 25 CC FE F3 DB 49 29 A6 6B 4F 69 AF 10 3A 1F  2F 86 1A 0C B4 90 EB 21 DF 4E 43 B3

rsa -->  3C 53 81 1E 96 58 52 7C  67 7D 5F 60 14 15 29 1B 72 AC F5 F6 B7 B8 54 32  B7 63 1A 24 4F B2 9E B5 C7 8B 29 68 40 6B 44 80  FA E4 5E 53 7B 4A 1D DE AD 28 4A E0 EF 65 1E 09  00 75 34 15 79 59 86 C9 61 ED DD E2 AE 4F 3C DA  45 7A 20 3F 85 85 FB 05 22 1E 9D 12 D2 C7 96 AB  8A 99 46 60 F0 CB 10 6C 2E A0 39 FF 07 80 A1 A4  3B 62 E6 71 93 C6 5D 42 00 1B 00 37 76 56 14 2F  72 78 F9 A2 A6 98 49 A7 38 E0 B0 A6 81 B8 F5 7F  79 7C 29 88 79 C3 98 65 C0 69 47 93 59 28 A8 BF  36 6F 88 C0 08 98 0F 6E C8 27 28 9A C8 12 F2 B2  09 7B F0 A3 1E 9A 3A 48 CE 04 C3 61 82 6B AF 2E  0D 46 14 3A F9 47 3E 26 B0 B3 67 49 81 56 DF E8  DF A4 FC 86 88 A0 80 7C 68 6D 46 84 3E 6F 30 FA  20 AC 54 3F AC 8B C3 E9 24 C3 27 31 4C A1 07 98  C2 BD D8 84 02 17 D7 3D 63 83 8F 7C 35 D3 6C C8  29 69 E6 F5 DD D8 DB AA A5 0D 9A 12 43 5D CE CA  47 6E E5 CA A5 DB D8 A6 9F FE FD DE C2 94 24 92  43 C9 08 88 FB B2 33 2B C8 59 1D B6 F2 55 71 E2  83 C7 F5 67 89 03 06 F1 E4 FC F1 13 2D 38 7B 15  DE 05 BE 27 0A AE CD A9 84 2C 3B 66 4B 18 F7 8D  76 31 BD 37 07 ED 1C D9 68 82 94 EF 08 5C B6 29  C4 69 A9 AB 07 6B B7 46 9C 0F DD A9 76 32 B2 D7  F7 FA 3A 25 15 9B A6 F7 55 93 77 DF 67 24 E0 48  B9 CC B0 39 22 B0 51 36 5B F8 DC 2A 0D 19 CC 7E  EC D3 9E 9C 68 38 E4 11 DE BD 2B AE 2E A2 FA AC  86 35 D6 DC C8 4E 9D E5 8A BE B3 EC 6C 5B BB BD  CB 61 F1 81 99 1F 5E 1A 80 AF 72 75 CA 55 7E 7B  93 ED F3 EB 7A 2F 5E D9 61 32 99 0C 95 3B 4C 9C  CD F7 4C A5 4C 5D DB CA 72 2E BB 7B 4D 76 C5 5D  CA 27 76 29 C1 4A 36 3E 66 7F 5F 29 A1 A8 AD FC  BB FF 2A 11 16 29 63 8C A8 92 75 FC 0E 56 72 DC  01 9B B9 81 1C E0 14 84 8F F2 1B 15 F8 AC 0A BA  07 22 6D E0 DA A0 8B CF C1 26 0C 69 78 48 BE 24  53 E6 5E A7 A7 10 24 58 EA 26 30 6A 37 0E 30 9A  FF 6E 18 90 2F 93 33 61 11 C1 7B 62 85 A8 A0 E8  3F EA 65 FC 58 3E FD BC 20 55 03 C3 95 63 2E AD  9D 0A 8E 45 87 F6 19 34 D3 48 7E 2E F2 06 BE D0  EE B9 6D 82 62 3E 51 C9 27 96 64 07 84 70 50 C0  A1 2B 13 D3 25 EA C8 62 F1 1F C5 59 B0 6B 3B 52  54 3B 1B 21 42 7B 80 CB E7 58 3D F2 A3 7F F8 48  C0 9E 1E 78 E4 0F F0 7F 50 4D D8 06 C2 53 47 3A  93 B0 AD D7 BF 5A 3F 5A F8 5B BF 60 66 0B EC B6  AF 50 5B 52 9C 82 E3 F8 EC 40 FF ED AB 4C 5C 29  E7 C4 41 87 48 B4 C1 92 74 54 A1 47 70 8A 03 94  AE AE 57 86 FF E2 BE 14 E6 F8 0C D1 73 D9 1A 2E  2E 1E B1 9E 31 3A 3D 0A F1 19 6C 4C 48 F9 C0 7A  58 9E 8F 46 F7 9C 14 26 64 2A 57 A1 88 2A A7 D5  02 6B 76 AE AB 69 C8 64 16 7A 7F E0 43 A7 14 DE  29 19 A7 3B 78 D7 02 8C 9F F5 BF 09 1E 6B BB 47  88 3E 30 76 3B DF AF 87 CB 47 2A 84 D8 B9 88 96  09 A1 EF B0 1E 99 B1 0E 07 8D 37 FF 94 BF C6 94  17 AD 95 15 30 78 FE FC 9A AB 6E B8 8B C2 9E F0  B9 8B 83 30 45 DF F3 22 28 AD 4A 8D 69 E4 7E B6  83 1E 80 C9 8B 9C 97 BE ED FD 72 D8 A8 68 21 79  CC 53 87 54 FE CB D7 38 A0 44 ED E3 15 48 D6 CD  E1 14 32 0A 49 72 FC 08 7F 36 17 60 5B CA B1 BE  89 21 08 09 02 25 94 AC E2 A0 B8 F5 B6 DF 49 17  86 C6 A3 4A 7D 48 0F 27 EF 1E 48 91 71 A1 A3 2A  D3 2F CF 4F B8 39 B7 04 76 CA 26 EA CF C8 A7 0F  42 BD 7B A7 50 FC 01 D3 94 1B 8B 2C F3 1C 87 CA  E0 9F E3 CA B9 FF 31 69 ED DB 5F E2 2E 04 64 52  08 C8 B3 F5 9F 04 CB 31 7C D3 AD 78 76 83 5F 53  8F 5C 3C D8 CD 4D 2D 49 8A 2C CA 4D C9 43 AC B0  88 45 E5 41 7F FA 1D BF 92 9D BF C0 06 5C 24 CE  44 A1 F6 D0 ED 0C 46 BF 88 F2 DA B1 71 D6 E6 EE  87 85 29 36 AD 84 ED 7D F8 4C 8F BB 5A 44 DA 4C  A4 4B B7 60 17 B8 BE 49 12 DB 15 DC 84 D4 89 08  B5 27 84 71 92 5E 3D 5A A3 0A AA 0D FD 5E 32 56  DC A3 4B 89 F9 9D 28 A6 AC C3 31 68 F3 98 31 D3  0A 38 B6 E4 DD 87 8E 2E 95 A8 D4 BE 23 FB 48 42  BD 07 80 AC 8E D8 97 0F 46 C6 55 D8 F0 98 3F 33  26 47 A8 05 82 B3 D7 5D 08 A1 4A 30 F9 80 5D 7F  8A 80 98 A0 F5 C8 8A 56 FF EC 44 C3 20 40 AB 06  1C 8C 3B D1 E5 79 5B 02 F2 25 F8 06 31 54 B5 60  38 68 C7 EC 42 E9 36 BD 47 B6 BE 06 A8 1B 5B 92  0D 29 CD B3 E9 F5 7A EB E5 27 83 BC 0E 48 F6 93  21 62 81 0B CE E4 92 67 35 4E AB 23 B7 AA 86 25  78 91 22 38 CC C1 95 A5 D4 4D 20 FE E3 AE F8 8F  24 E9 38 75 B2 31 82 49 00 D4 8F 9A 93 E0 A0 DD  D3 B1 F8 B9 B9 3D 2D 02


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

PromptOnSecureDesktop --> 0

EnableLUA --> 0

ConsentPromptBehaviorAdmin --> 0


HKEY_CLASSES_ROOT[ID]PFOzv5ecUnxnfV9F[ID]_auto_file

HKEY_CLASSES_ROOT.[ID]PFOBHpZYUnxnfV9F[ID] --> HKEY_CLASSES_ROOT[ID]PFOBHpZYUnxnfV9F[ID]_auto_file

HKEY_CLASSES_ROOT[ID]PFOBHpZYUnxnfV9F[ID]_auto_file\shell\open\command --> %SystemRoot%\System32\rundll32.exe “%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll”, ImageView_Fullscreen %1

HKEY_CLASSES_ROOT[ID]PFOBHpZYUnxnfV9F[ID]_auto_file\shell\open\DropTarget --> {FFE2A43C-56B9-4bf5-9A79-CC6D4285608A}

HKEY_CLASSES_ROOT[ID]PFOBHpZYUnxnfV9F[ID]_auto_file\shell\open -->  @photoviewer.dll,-3043

HKEY_CLASSES_ROOT[ID]PFOBHpZYUnxnfV9F[ID]_auto_file\shell\print\command --> %SystemRoot%\System32\rundll32.exe “%ProgramFiles%\Windows Photo Viewer\PhotoViewer.dll”, ImageView_Fullscreen %1

HKEY_CLASSES_ROOT[ID]PFOBHpZYUnxnfV9F[ID]_auto_file\shell\print\DropTarget --> {60fd46de-f830-4894-a628-6fa81bc0190d}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts.[ID]PFOBHpZYUnxnfV9F[ID]\OpenWithList --> PhotoViewer.dll

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts.[ID]PFOBHpZYUnxnfV9F[ID]\OpenWithProgids --> ID]PFOBHpZYUnxnfV9F[ID]_auto_file

E-Mail Addresses

First campaign (May 2018):

shine1@tutanota[.]com

[email protected]


Second campaign (September/October 2019):


JonStokton@Protonmail[.]com

JonStokton@tutanota[.]com

filessnoop@aol[.]com

filessnoop@tutanota[.]com


Third campaign:


localgroup@protonmail[.]com

localgroup@tutanota[.]com

ZiCoyote@protonmail[.]com

ZiCoyote@aol[.]com


Forth campaign:


mr.dec@protonmail[.]com

mr.dec@tutanota[.]com


Frederik888@protonmail[.]com

Frederik888@aol[.]com

Ransomnote V1

You are unlucky! The terrible virus has captured your files! For decoding please contact by email [email protected] or [email protected]
Your
[ID]PFOBHpZYUnxnfV9F[ID]
1. In the subject line, write your ID.
2. Attach 1-2 infected files that do not contain important information (less than 2 mb)
are required to generate the decoder and restore the test file.
Hurry up! Time is limited!
Attention!!!
At the end of this time, the private key for generating the decoder will be destroyed. Files will not be restored!


Article Link: https://dissectingmalwa.re/i-literally-cant-think-of-a-fitting-pun-mrdec-ransomware.html