Overview

overview

10

Static

static

10

323389cde5...f3.exe

windows7-x64

1

323389cde5...f3.exe

windows10-2004-x64

1

365712147d...a7.exe

windows7-x64

9

365712147d...a7.exe

windows10-2004-x64

10

5474e75872...06.exe

windows7-x64

10

5474e75872...06.exe

windows10-2004-x64

10

out.exe

windows7-x64

3

out.exe

windows10-2004-x64

3

59c59ef90d...4d.exe

windows7-x64

10

59c59ef90d...4d.exe

windows10-2004-x64

10

63fb410fc5...22.exe

windows7-x64

7

63fb410fc5...22.exe

windows10-2004-x64

7

9443472de4...e5.exe

windows7-x64

1

9443472de4...e5.exe

windows10-2004-x64

1

97a877b999...8d.exe

windows7-x64

10

97a877b999...8d.exe

windows10-2004-x64

10

a0f5def5aa...93.exe

windows7-x64

1

a0f5def5aa...93.exe

windows10-2004-x64

1

abfe442282...b1.exe

windows7-x64

1

abfe442282...b1.exe

windows10-2004-x64

1

b21f34ecfa...73.exe

windows7-x64

9

b21f34ecfa...73.exe

windows10-2004-x64

9

b4b97aa67e...a9.zip

windows7-x64

1

b4b97aa67e...a9.zip

windows10-2004-x64

1

svchost.exe

windows7-x64

9

svchost.exe

windows10-2004-x64

9

b8ce017478...a8.exe

windows7-x64

9

b8ce017478...a8.exe

windows10-2004-x64

9

bbb4627895...f2.exe

windows7-x64

1

bbb4627895...f2.exe

windows10-2004-x64

1

bdf06acf03...63.exe

windows7-x64

1

bdf06acf03...63.exe

windows10-2004-x64

1

Resubmissions

21-01-2024 14:52

240121-r8syqaeac7 10

21-01-2024 14:51

240121-r8k8waeac5 10

01-01-2024 13:55

240101-q776kscacp 10

Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-01-2024 13:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe

  • Size

    352KB

  • MD5

    4f88b5e510ecbd0adefdfc87c552289c

  • SHA1

    047ec67b8e3c001086284d7176b2d239db565fb5

  • SHA256

    b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273

  • SHA512

    75b86d6de4bec5285559f7e9a0dbf46df48dbdf78386023e5f8668a7814bc1db5322d8bf9d306cfd65175112b94366641d671175d59d3edacc3d2b2ba802f348

  • SSDEEP

    6144:X9PrHO8306KFnBCzDIZXY3HJmui45mkA2/1:drHBpgkDuoEuXbJ

Score
9/10
persistenceransomware

Malware Config

Signatures

  • Renames multiple (112) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe
    "C:\Users\Admin\AppData\Local\Temp\b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2588
    • C:\Users\Admin\AppData\Roaming\dwa01.exe
      "C:\Users\Admin\AppData\Roaming\dwa01.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4640
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
          PID:3224
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No
          3⤵
            PID:5004
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /All /Quiet
            3⤵
              PID:1424
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{14C2B9E4-A43C-EAB3-B3BB-95D7F8572294}.bat
              3⤵
                PID:628
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c start /max notepad.exe "C:\Users\Admin\RECOVER-FILES.HTML"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1156
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{A014D5D1-FA42-8425-0410-0C702DF3FB04}.bat
              2⤵
                PID:3012
            • C:\Windows\SysWOW64\notepad.exe
              notepad.exe "C:\Users\Admin\RECOVER-FILES.HTML"
              1⤵
                PID:4872

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\{14C2B9E4-A43C-EAB3-B3BB-95D7F8572294}.bat
                Filesize

                120B

                MD5

                598c2707c8197e1a1fde5eed2bfb73bd

                SHA1

                4ce1f59601ca6f5892481bae3ec7530126711b24

                SHA256

                ce47464addcf6c7e68cb1597cd1cad319bb43f6905e06de11b5be32c3fffa8ff

                SHA512

                7247ac5b8e7fff4a8b1619de141a9eeea885a8887c4a5eb6eb3f8ce3f1061481a34ffa532658137f7ff96fb308570a6ea9595487451b7213bbed55af74c9487b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\{A014D5D1-FA42-8425-0410-0C702DF3FB04}.bat
                Filesize

                132B

                MD5

                f16ecf9f57b99fcff16b149dd7cc31d1

                SHA1

                b3549ce4e882977a25fda4e2affe94826ef4055e

                SHA256

                a9dd2be9fd2bc62a2ced854662676283e02a138d350c5f5c3d0de1d7f81369fd

                SHA512

                cce03073a895771fe43fbcfb16cca1e6e2a0763b62ca0a53413b1196b01aeed77300abf7fac1017c952295e86080d35aad3aa4e2e79e12faa477a25a4a0909a1

                Download Submit

              • C:\Users\Admin\AppData\Roaming\dwa01.exe
                Filesize

                352KB

                MD5

                4f88b5e510ecbd0adefdfc87c552289c

                SHA1

                047ec67b8e3c001086284d7176b2d239db565fb5

                SHA256

                b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273

                SHA512

                75b86d6de4bec5285559f7e9a0dbf46df48dbdf78386023e5f8668a7814bc1db5322d8bf9d306cfd65175112b94366641d671175d59d3edacc3d2b2ba802f348

                Download Submit

              • C:\Users\Admin\Desktop\RECOVER-FILES.HTML
                Filesize

                4KB

                MD5

                17b758a77d94ca4d957d749c354f0865

                SHA1

                dc151acae7b2f5ddb371ada32521da190a80e8e7

                SHA256

                95aec0ead5bc65efc5ef23d3984991e228375e626aeaf01c3d373f75aa45cb12

                SHA512

                939472d3661f54469978ad88f433c7be3a1df46c82fb3f34e2d134bdbc06570ed7bef10d2c0bc99981c0bb5620858c5c7852ca9e6631197de8f059fe61dab12a

                Download Submit

              • memory/2588-0-0x0000000002400000-0x0000000002469000-memory.dmp

                Filesize

                420KB

                Download

              • memory/2588-2-0x0000000002400000-0x0000000002469000-memory.dmp

                Filesize

                420KB

                Download

              • memory/2588-3-0x0000000003C00000-0x0000000003C01000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2588-4-0x0000000003C00000-0x0000000003C01000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2588-5-0x0000000003C00000-0x0000000003C01000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2588-6-0x0000000003C00000-0x0000000003C01000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2588-7-0x0000000003F10000-0x0000000003F40000-memory.dmp

                Filesize

                192KB

                Download

              • memory/2588-1-0x0000000003C00000-0x0000000003C01000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4640-30-0x00000000023D0000-0x0000000002439000-memory.dmp

                Filesize

                420KB

                Download

              • memory/4640-33-0x00000000039C0000-0x00000000039C1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4640-34-0x0000000003E10000-0x0000000003E40000-memory.dmp

                Filesize

                192KB

                Download

              • memory/4640-43-0x0000000003E10000-0x0000000003E40000-memory.dmp

                Filesize

                192KB

                Download

              • memory/4640-32-0x00000000039C0000-0x00000000039C1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4640-606-0x00000000039C0000-0x00000000039C1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4640-31-0x00000000023D0000-0x0000000002439000-memory.dmp

                Filesize

                420KB

                Download

              • memory/4640-611-0x0000000003E10000-0x0000000003E40000-memory.dmp

                Filesize

                192KB

                Download