Analysis
-
max time kernel
140s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
29/08/2023, 11:06
General
-
Target
5.exe
-
Size
1.8MB
-
MD5
53c1fa0286a21f9269f7c0dd5d6ddcaf
-
SHA1
07eecfd07af0a7a6758d3141e57fbb252364c6b2
-
SHA256
1341bd6193ea223c05566aaca13fc1152732b67af8344519d6efaaf9ab6ed5f4
-
SHA512
e53416018753823b6eb6b4dffa45d7520c8deb116faafa398810d599c27e0316a8c047154fc79612a1ec4ddb96b21bbf4e48a246d09b72eaa83d02668f263831
-
SSDEEP
24576:9ucUS55cDR3NgJ4zJ1H+QI84rncvGt3nE6vlTlIxBkTde/cfkyg:9ucUS55cHgJIzez8+n9Bn3NTaBkYokyg
Malware Config
Extracted
F:\How To Restore Your Files.txt
http://knightv5pdwrrfyxghivy3qccxxghk2yfyfigur562gcnmpmgd4pgfid.onion/1326c67a-5082-4d81-b695-33a0864b1942/
https://www.binance.com/en/how-to-buy/bitcoin
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Renames multiple (167) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Drops desktop.ini file(s) 16 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
C:\Users\Admin\AppData\Roaming\msls31\Dashboard.exe"C:\Users\Admin\AppData\Roaming\msls31\Dashboard.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeC:\Windows\explorer.exe4⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{314E5405-43C0-4FEE-AF3C-774285496418}'" delete5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{314E5405-43C0-4FEE-AF3C-774285496418}'" delete6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
760KB
MD5da390597ed2162eeb969b62d63c3ec0f
SHA148d24c5175aae2654adf7c237ccc7c06389883dc
SHA2562d1facfbac9bc73e7279e656e5d7a33b0a7df2654a42920856e7584aafaee006
SHA5123f06f32aa3e9f1f503d46d68e2818e7627b14ec6f6bcdd9789558db81084c2536ae2411f810108f3e394cd5cdc77a16bc94719adf4d802d28fdc86d7a8e480ee
-
Filesize
141KB
MD5704925ecfdb24ef81190b82de0e5453c
SHA11128b3063180419893615ca73ad4f9dd51ebeac6
SHA2568cc871ee8760a4658189528b4a5d8afe9824f6a13faaf1fe7eb56f2a3ad2d04e
SHA512ca187015812ddfcaa6515f3a5b780183b4a772801aa14b3f785d6dee9b9aa7db6402a7b346623fd24cf4a28f9856683022b10c3d812f8f2888e25bb218cbf216
-
Filesize
141KB
MD5704925ecfdb24ef81190b82de0e5453c
SHA11128b3063180419893615ca73ad4f9dd51ebeac6
SHA2568cc871ee8760a4658189528b4a5d8afe9824f6a13faaf1fe7eb56f2a3ad2d04e
SHA512ca187015812ddfcaa6515f3a5b780183b4a772801aa14b3f785d6dee9b9aa7db6402a7b346623fd24cf4a28f9856683022b10c3d812f8f2888e25bb218cbf216
-
Filesize
811KB
MD57d872477323ae325f650b06b4f439683
SHA12fe866293d86df9d0516d3468635b806a6d36f70
SHA2564c38f9a9e10732d6acbcd71d9024b07ce2f7f877516a0277632ba301c3306110
SHA512979ca070811729da622588d685a2f005d906c8515df3a5cd45285c1ce2c2c346fe0dc768c1e9a65588f5037f8f60efc776becd31cf333af1441919094e91e434
-
Filesize
811KB
MD57d872477323ae325f650b06b4f439683
SHA12fe866293d86df9d0516d3468635b806a6d36f70
SHA2564c38f9a9e10732d6acbcd71d9024b07ce2f7f877516a0277632ba301c3306110
SHA512979ca070811729da622588d685a2f005d906c8515df3a5cd45285c1ce2c2c346fe0dc768c1e9a65588f5037f8f60efc776becd31cf333af1441919094e91e434
-
Filesize
627KB
MD5ec774fad95698c76e2feae1eb7253783
SHA19510294214015562b47881e0c1ab82430ee047dd
SHA2563ac241a3987da616d1afb0783d3593b60fabe528b42e86ad6886430cce9ad8a4
SHA512dd93bfae49c878e01b86694db2c069db971563816173c41e7ae67a5bd2d2ef1749e584a5ec3b04244353f2328859b1ecc72ece8cc36534ca978002b8bfd547e2
-
Filesize
1KB
MD5a6fea339b14268cd27cec9e091eaf9d3
SHA15e66e8168457cb7c4ffc884a0e74803839469fac
SHA2563feaa616d49ac78917ea76257a0e6b6830ef67d078ec671ff4f3b6dc85ba4fbd
SHA512f2b66f86a7321a83f5e0f80d98b7eaeb3687f1b2ab928e868dc81960111b37dc2772eb30a5f977dd596ed21f966b5481f5ab629d218bcec7eb7ea783f09bfced
-
Filesize
18.3MB
-
Filesize
3.2MB
-
Filesize
18.3MB
-
Filesize
2.0MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB