{ "Event": { "analysis": "2", "date": "2020-01-17", "extends_uuid": "", "info": "Ako Ransomware", "publish_timestamp": "1580456344", "published": true, "threat_level_id": "3", "timestamp": "1580456326", "uuid": "5e211b87-8f34-43f5-b02b-42e4950d210f", "Orgc": { "name": "wilbursecurity.com", "uuid": "5e16d2bc-5c68-4ef1-bc80-47f5950d210f" }, "Tag": [ { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#ffd890", "local": "0", "name": " Ransomware", "relationship_type": "" } ], "Attribute": [ { "category": "Payload installation", "comment": "Locker.exe", "deleted": false, "disable_correlation": false, "timestamp": "1579228479", "to_ids": true, "type": "sha256", "uuid": "5e211d3f-2db0-45f0-bfe5-479c950d210f", "value": "ae8e02d15c9b45a751e4e7f177f27f5ba7663fe6ec4b53cc68a6c1f5c2a3cfd9" }, { "category": "Payload installation", "comment": "Locker.exe", "deleted": false, "disable_correlation": false, "timestamp": "1579228480", "to_ids": true, "type": "sha1", "uuid": "5e211d40-5edc-4756-8ccc-4d80950d210f", "value": "c0501e264531f29854bdaa872eb12c30b5875200" }, { "category": "Payload installation", "comment": "Locker.exe", "deleted": false, "disable_correlation": false, "timestamp": "1579228480", "to_ids": true, "type": "md5", "uuid": "5e211d40-bd24-496b-b4e7-448f950d210f", "value": "ef2697aa224266b204127722771bc209" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579229116", "to_ids": false, "type": "other", "uuid": "5e211ea9-58d4-4ef9-a5ef-40d7950d210f", "value": "Commands Run\r\nvssadmin.exe Delete Shadows /All /Quiet\r\nbcdedit.exe /set {default} recoveryenabled No\r\nbcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nwbadmin DELETE SYSTEMSTATEBACKUP\r\nwbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest\r\nwmic.exe SHADOWCOPY /nointeractive" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579274836", "to_ids": false, "type": "link", "uuid": "5e211f10-6480-42ab-8b19-4de9950d210f", "value": "https://app.any.run/tasks/5f4740c6-023a-4214-a96a-97b05e8b440e/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579228985", "to_ids": false, "type": "ip-src", "uuid": "5e211f39-d0a8-43d2-8995-48cf950d210f", "value": "185.167.160.83" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579274830", "to_ids": false, "type": "other", "uuid": "5e211f8e-94cc-4067-b97f-485f950d210f", "value": "Tor Ransom page\r\n\r\nhttp://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion/C2SNJM7PHLUI0QQV" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579275691", "to_ids": false, "type": "link", "uuid": "5e213034-de04-4974-820b-4b35950d210f", "value": "https://wilbursecurity.com/2020/01/ako-ransomware" } ], "Object": [ { "comment": "", "deleted": false, "description": "Registry key object describing a Windows registry key with value and last-modified timestamp", "meta-category": "file", "name": "registry-key", "template_uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5", "template_version": "4", "timestamp": "1579275850", "uuid": "5e21d353-e354-456a-ba6b-4647950d210f", "Attribute": [ { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "key", "timestamp": "1579275850", "to_ids": true, "type": "regkey", "uuid": "5e21d354-c574-4de7-bc78-450b950d210f", "value": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "name", "timestamp": "1579275850", "to_ids": false, "type": "text", "uuid": "5e21d354-98d8-4594-ac85-4b6f950d210f", "value": "EnableLinkedConnections" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "data", "timestamp": "1579275850", "to_ids": false, "type": "text", "uuid": "5e21d354-e3f8-47d8-b94e-499e950d210f", "value": "1" } ] }, { "comment": "", "deleted": false, "description": "Registry key object describing a Windows registry key with value and last-modified timestamp", "meta-category": "file", "name": "registry-key", "template_uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5", "template_version": "4", "timestamp": "1579275314", "uuid": "5e21d432-c228-4d2c-8d51-43ab950d210f", "Attribute": [ { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "key", "timestamp": "1579275335", "to_ids": true, "type": "regkey", "uuid": "5e21d432-e4f8-4b2f-9f62-46ef950d210f", "value": "HKEY_CURRENT_USER\\Software\\acfg" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "name", "timestamp": "1579275340", "to_ids": false, "type": "text", "uuid": "5e21d433-981c-4908-8617-4308950d210f", "value": "aid" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "data", "timestamp": "1579275350", "to_ids": false, "type": "text", "uuid": "5e21d433-18f4-4980-b89d-4c1b950d210f", "value": ".(randomly generated key)" } ] } ] } }