Overview

overview

8

Static

static

slamransomware2.1.exe

windows10-2004-x64

8

Resubmissions

23-01-2023 08:52

230123-kswaksce58 8

25-10-2022 11:24

221025-nhs91scebp 9

Analysis

  • max time kernel
    1625s
  • max time network
    1590s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-01-2023 08:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    slamransomware2.1.exe

  • Size

    3.9MB

  • MD5

    b4c5397ba985fe7770a4822f28343198

  • SHA1

    18bb6536a8caa53fa006b0e78d4c4097ecee583f

  • SHA256

    acb3d1eab482ba2428084e53cc04fbe08fed4c603861e9ce116b4e9aad2096cf

  • SHA512

    c8b2ce7b61c5fda173ce404c4ca602a794db016a942a44fe50236dd3a54c047fb022c2772446e87744caeb5da02a3111e9169a0cebf83fca2e5c57fd765e3013

  • SSDEEP

    49152:nbX8LRHjOGjBlB4XyGOkNdVxzyK8LRHjOGjBlB4XyGOkNdV5A:bX88cIyGOk3188cIyGOk3jA

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 62 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\slamransomware2.1.exe
    "C:\Users\Admin\AppData\Local\Temp\slamransomware2.1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6D93.tmp\slamloader.bat" "C:\Users\Admin\AppData\Local\Temp\slamransomware2.1.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\temp\uac.exe
        uac.exe 34 C:\temp\slam.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2132
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SubmitRegister.aiff"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2100
  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3140
      • C:\Windows\SysWOW64\unregmp2.exe
        C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5084
        • C:\Windows\system32\unregmp2.exe
          "C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
          4⤵
          • Modifies Installed Components in the registry
          • Drops desktop.ini file(s)
          • Drops file in Program Files directory
          • Modifies registry class
          PID:2468
      • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Desktop\GrantFormat.midi
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:932
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:1796
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:4084
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

2
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    1024KB

    MD5

    f9ecf076ae351c6df6e82bf3fe7132d7

    SHA1

    7a1b13bcabd5789ff26320cf5c326754354e9af7

    SHA256

    ab0fb9fdb3d76e8a92c8abf9b641f1742d47205df88120fbf60a4f48568209cf

    SHA512

    25491a2386a6d31761891ee8c2059d3d279027b17850914287a7ba9b2b65422d6d54dc5b8637ee124c98c3e5878b4f4b5f2153051539e2669616bb77b85ab481

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\6D93.tmp\slamloader.bat
    Filesize

    220B

    MD5

    dde74ab5efc28a2946e166a97f5743bb

    SHA1

    3ee33b652ce15f38559104ebfd4303215c400290

    SHA256

    b4a5de5423c09f118aeffac94004b46c0fc6f67e70d48c62c2b9f2524c5f7f08

    SHA512

    d874ac72c81000d897ed2fd0ce06c124170b8a2b65f8759ab1efaa9ef69b6aaaf241e1d62545449779d1364b58eeaa588c032dcc25aa5e137f7fa2f08c095a84

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\slam.exe
    Filesize

    2.1MB

    MD5

    768722fc2f95bbfd54c366064907acca

    SHA1

    4f1c4acb9dfef40555702ab6fcf6b2e086e91652

    SHA256

    d4b35a4c7d82a2584a8ea10b3b4b12f5f19e5e34b6f24fb2a554f0c5c8b7906f

    SHA512

    bc7b099e28a00f9a45d7c767513f69c949d61e932447e0ffce2e0ceb8ecea1bd4f7c725481d250661305530283c3d22dd97cf61c571d5844d66acdda10180180

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uac.exe
    Filesize

    223KB

    MD5

    e5a75ef124d13c43126f9c20dd9892f9

    SHA1

    98eadc4be6f8df785ae5668a623c66ce46e8b366

    SHA256

    2d9dbac4cfc3a9676454ddcae5e4d595509af195177eae680b1f953223973f75

    SHA512

    f4a56a70814e8bc03b5596ba440d70be773db021d3486b7be2b1bacc492212f3fe7f4a2fd5fa22c459c6d67e6a7ce73262331539cc50e1c49dfbfcb339d8a074

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ucrtbased.dll
    Filesize

    1.4MB

    MD5

    ceeda0b23cdf173bf54f7841c8828b43

    SHA1

    1742f10b0c1d1281e5dec67a9f6659c8816738ad

    SHA256

    c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

    SHA512

    f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\vcruntime140d.dll
    Filesize

    111KB

    MD5

    b59b0f6193bcc7e78a3b2fc730196be3

    SHA1

    045469fec2df2a9c75b550984a0ed32db2e9f846

    SHA256

    003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

    SHA512

    73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize

    1KB

    MD5

    9e4fc647c1e487e577b72c65ec788623

    SHA1

    d64f9178fe584ca8df49821571395478b85e2593

    SHA256

    3b8e13e91d2c483d7a5d90cd59ba1254bdc6ae9baeff71d08181cd2dd510d4e3

    SHA512

    d013b66484b18dcbd9cb4a60e2ddb2f9597e3553ddd4ea32e007209d6f7f32ab17c9f61fadac8fcc7c3bc1994dc923c7fd2e14c538729a1e2d19aefade1ba271

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize

    2KB

    MD5

    30ea6069c858907e229ca7d0acaa5107

    SHA1

    6bf9e4c28c401ee56d6714e6c5037226f72af034

    SHA256

    6005e72800233ad75cdde51c644241d3aee552f0793bd9a152f1537be426438e

    SHA512

    453f5d559e2177e3e168dcf33eb1fe4a0acc48de27f2b34f7950543094445b8f5b0e4eee5966a9230025f2e23b8e3ac27d69fa5ecd25079fed37f6bdf4b190ee

    Download Submit
  • C:\temp\uac.exe
    Filesize

    223KB

    MD5

    e5a75ef124d13c43126f9c20dd9892f9

    SHA1

    98eadc4be6f8df785ae5668a623c66ce46e8b366

    SHA256

    2d9dbac4cfc3a9676454ddcae5e4d595509af195177eae680b1f953223973f75

    SHA512

    f4a56a70814e8bc03b5596ba440d70be773db021d3486b7be2b1bacc492212f3fe7f4a2fd5fa22c459c6d67e6a7ce73262331539cc50e1c49dfbfcb339d8a074

    Download Submit
  • C:\temp\ucrtbased.dll
    Filesize

    1.4MB

    MD5

    ceeda0b23cdf173bf54f7841c8828b43

    SHA1

    1742f10b0c1d1281e5dec67a9f6659c8816738ad

    SHA256

    c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

    SHA512

    f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

    Download Submit
  • C:\temp\ucrtbased.dll
    Filesize

    1.4MB

    MD5

    ceeda0b23cdf173bf54f7841c8828b43

    SHA1

    1742f10b0c1d1281e5dec67a9f6659c8816738ad

    SHA256

    c297d2bd5c6fcef4c5895cb5c2d191303f87f4c32ad39a9d236c4831d2a809e9

    SHA512

    f6be09560d84da788391741be48c9759935b71d1c556a596a43b9e39aeb605d827d334f42c83a6120d398cdc4c445767e7bd6efa7baea8c872f29db8da7beb89

    Download Submit
  • C:\temp\vcruntime140d.dll
    Filesize

    111KB

    MD5

    b59b0f6193bcc7e78a3b2fc730196be3

    SHA1

    045469fec2df2a9c75b550984a0ed32db2e9f846

    SHA256

    003619245b3159385f85757f39947a568d0b386786f81a5a00e71249631e246b

    SHA512

    73cc58cb5f87f2a03a99c461df63740ade5cd97d7c3cd09fd570296627eee5ecfb4a945422cc76f9249281c2ef2d04ee717c2530089b79e3dc0db018b8608a97

    Download Submit
  • memory/932-163-0x0000000005E60000-0x0000000005E70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/932-157-0x0000000005E80000-0x0000000005E90000-memory.dmp
    Filesize

    64KB

    Download
  • memory/932-166-0x0000000005E60000-0x0000000005E70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/932-165-0x0000000005E60000-0x0000000005E70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/932-164-0x0000000005E60000-0x0000000005E70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/932-155-0x0000000005E60000-0x0000000005E70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/932-150-0x0000000000000000-mapping.dmp
    Download
  • memory/932-156-0x0000000005E60000-0x0000000005E70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/932-154-0x0000000005E60000-0x0000000005E70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/932-158-0x0000000005E60000-0x0000000005E70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/932-160-0x0000000005E60000-0x0000000005E70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/932-161-0x0000000005E60000-0x0000000005E70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1796-146-0x0000000000000000-mapping.dmp
    Download
  • memory/2132-143-0x0000000000410000-0x000000000045E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/2132-138-0x0000000000000000-mapping.dmp
    Download
  • memory/2432-145-0x0000000000000000-mapping.dmp
    Download
  • memory/2436-132-0x0000000000000000-mapping.dmp
    Download
  • memory/2468-149-0x0000000000000000-mapping.dmp
    Download
  • memory/3140-144-0x0000000000000000-mapping.dmp
    Download
  • memory/5084-148-0x0000000000000000-mapping.dmp
    Download