Resubmissions

14-10-2023 11:58

231014-n449eaff45 9

14-10-2023 11:52

231014-n12n4sfe79 9

Analysis

  • max time kernel
    153s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags
    arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system
  • submitted
    14-10-2023 11:58

General

  • Target

    526488b37415ae2c692f7da97a18c337b0efd4675fd1ac31b4acaa55c63d2725.exe

  • Size

    76KB

  • MD5

    74fd302390dc8e8b5f49d2da186e3e8c

  • SHA1

    63b7aedf094158e30980a46da8b8f4eaf88524e5

  • SHA256

    526488b37415ae2c692f7da97a18c337b0efd4675fd1ac31b4acaa55c63d2725

  • SHA512

    0cea34931b747c17e24c9e0947ca5862bdc19ede390e394697abce394047bc6117fdd93773de308cea7c3afbac00b303355e45a1be230f4c2baa7e04b3742b16

  • SSDEEP

    1536:IduCq+ndmWKk9WudptcZhpjrNqZE3Qh3OyeEiw2SB3aiqSuTDjdIa3d:4lq+dTKk9t0LNweQEyeEiDStSJ/jKat

Score
9/10

Malware Config

Signatures

  • Renames multiple (194) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Opens file in notepad (likely ransom note) 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\526488b37415ae2c692f7da97a18c337b0efd4675fd1ac31b4acaa55c63d2725.exe
    "C:\Users\Admin\AppData\Local\Temp\526488b37415ae2c692f7da97a18c337b0efd4675fd1ac31b4acaa55c63d2725.exe"
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2820
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme.txt
    • Opens file in notepad (likely ransom note)
    PID:2104
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme.txt
    • Opens file in notepad (likely ransom note)
    PID:1164
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme.txt
    • Opens file in notepad (likely ransom note)
    PID:624
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    PID:2392

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Discovery
    • Query Registry (1) T1012
    • Peripheral Device Discovery (1) T1120
    • System Information Discovery (2) T1082
