10323389cde5...f3.exe
windows7-x64
1323389cde5...f3.exe
windows10-2004-x64
1365712147d...a7.exe
windows7-x64
9365712147d...a7.exe
windows10-2004-x64
105474e75872...06.exe
windows7-x64
105474e75872...06.exe
windows10-2004-x64
10out.exe
windows7-x64
3out.exe
windows10-2004-x64
359c59ef90d...4d.exe
windows7-x64
1059c59ef90d...4d.exe
windows10-2004-x64
1063fb410fc5...22.exe
windows7-x64
763fb410fc5...22.exe
windows10-2004-x64
79443472de4...e5.exe
windows7-x64
19443472de4...e5.exe
windows10-2004-x64
197a877b999...8d.exe
windows7-x64
1097a877b999...8d.exe
windows10-2004-x64
10a0f5def5aa...93.exe
windows7-x64
1a0f5def5aa...93.exe
windows10-2004-x64
1abfe442282...b1.exe
windows7-x64
1abfe442282...b1.exe
windows10-2004-x64
1b21f34ecfa...73.exe
windows7-x64
9b21f34ecfa...73.exe
windows10-2004-x64
9b4b97aa67e...a9.zip
windows7-x64
1b4b97aa67e...a9.zip
windows10-2004-x64
1svchost.exe
windows7-x64
9svchost.exe
windows10-2004-x64
9b8ce017478...a8.exe
windows7-x64
9b8ce017478...a8.exe
windows10-2004-x64
9bbb4627895...f2.exe
windows7-x64
1bbb4627895...f2.exe
windows10-2004-x64
1bdf06acf03...63.exe
windows7-x64
1bdf06acf03...63.exe
windows10-2004-x64
1Resubmissions
21-01-2024 14:52
240121-r8syqaeac7 1021-01-2024 14:51
240121-r8k8waeac5 1001-01-2024 13:55
240101-q776kscacp 10
Analysis
-
max time kernel
144s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system -
submitted
01-01-2024 13:55
Behavioral task
behavioral1
Sample
323389cde5a3059c6c6e5c6c711d11e434a577b11dc07a9aeb7f8e1fb661ecf3.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
323389cde5a3059c6c6e5c6c711d11e434a577b11dc07a9aeb7f8e1fb661ecf3.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506.exe
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
out.exe
Resource
win7-20231129-en
Behavioral task
behavioral8
Sample
out.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d.exe
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral11
Sample
63fb410fc5267c61c5099927af714a8f5f4ba6dcdeeb1f297b022879767c7222.exe
Resource
win7-20231215-en
Behavioral task
behavioral12
Sample
63fb410fc5267c61c5099927af714a8f5f4ba6dcdeeb1f297b022879767c7222.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral13
Sample
9443472de461e9e7a9d7b7d89fa13815521db1ecebea5054643664953ee366e5.exe
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
9443472de461e9e7a9d7b7d89fa13815521db1ecebea5054643664953ee366e5.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral15
Sample
97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Resource
win7-20231215-en
Behavioral task
behavioral16
Sample
97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral17
Sample
a0f5def5aaaefa3ae538da9c643a5e381ea89cdee3e451ab1d0c52181d758593.exe
Resource
win7-20231215-en
Behavioral task
behavioral18
Sample
a0f5def5aaaefa3ae538da9c643a5e381ea89cdee3e451ab1d0c52181d758593.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral19
Sample
abfe4422828c6515e7b53c50a8f07dda0169f4ee34173357b6fa35b06fe144b1.exe
Resource
win7-20231215-en
Behavioral task
behavioral20
Sample
abfe4422828c6515e7b53c50a8f07dda0169f4ee34173357b6fa35b06fe144b1.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral21
Sample
b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe
Resource
win7-20231215-en
Behavioral task
behavioral22
Sample
b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral23
Sample
b4b97aa67e2fbfa344053be1c101cbd6560b0a5cfe2de8e2e637ba90c4df2ca9.zip
Resource
win7-20231215-en
Behavioral task
behavioral24
Sample
b4b97aa67e2fbfa344053be1c101cbd6560b0a5cfe2de8e2e637ba90c4df2ca9.zip
Resource
win10v2004-20231215-en
Behavioral task
behavioral25
Sample
svchost.exe
Resource
win7-20231129-en
Behavioral task
behavioral26
Sample
svchost.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral27
Sample
b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
Resource
win7-20231215-en
Behavioral task
behavioral28
Sample
b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral29
Sample
bbb46278959b4628106319457405a8cc04681c82c2c8afa30475d50ed63417f2.exe
Resource
win7-20231215-en
Behavioral task
behavioral30
Sample
bbb46278959b4628106319457405a8cc04681c82c2c8afa30475d50ed63417f2.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral31
Sample
bdf06acf03785275d01d4135b432b56b31c7f352f9be3cf8eca00286251aa163.exe
Resource
win7-20231215-en
Behavioral task
behavioral32
Sample
bdf06acf03785275d01d4135b432b56b31c7f352f9be3cf8eca00286251aa163.exe
Resource
win10v2004-20231215-en
General
-
Target
b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe
-
Size
352KB
-
MD5
4f88b5e510ecbd0adefdfc87c552289c
-
SHA1
047ec67b8e3c001086284d7176b2d239db565fb5
-
SHA256
b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273
-
SHA512
75b86d6de4bec5285559f7e9a0dbf46df48dbdf78386023e5f8668a7814bc1db5322d8bf9d306cfd65175112b94366641d671175d59d3edacc3d2b2ba802f348
-
SSDEEP
6144:X9PrHO8306KFnBCzDIZXY3HJmui45mkA2/1:drHBpgkDuoEuXbJ
Malware Config
Signatures
-
Renames multiple (112) files with added filename extension
This suggests ransomware activity: the files on the system are being encrypted.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe -
Executes dropped EXE 1 IoCs
Processes:
dwa01.exepid process 4640 dwa01.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exedwa01.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{67B97992-033F-589A-AA66-FFC16ECB2C0C} = "C:\\Users\\Admin\\AppData\\Roaming\\dwa01.exe" b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{67B97992-033F-589A-AA66-FFC16ECB2C0C} = "notepad.exe \"C:\\Users\\Admin\\RECOVER-FILES.HTML\"" dwa01.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
dwa01.exepid process 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe 4640 dwa01.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exedwa01.execmd.exedescription pid process target process PID 2588 wrote to memory of 4640 2588 b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe dwa01.exe PID 2588 wrote to memory of 4640 2588 b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe dwa01.exe PID 2588 wrote to memory of 4640 2588 b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe dwa01.exe PID 2588 wrote to memory of 3012 2588 b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe cmd.exe PID 2588 wrote to memory of 3012 2588 b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe cmd.exe PID 2588 wrote to memory of 3012 2588 b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe cmd.exe PID 4640 wrote to memory of 1424 4640 dwa01.exe cmd.exe PID 4640 wrote to memory of 1424 4640 dwa01.exe cmd.exe PID 4640 wrote to memory of 1424 4640 dwa01.exe cmd.exe PID 4640 wrote to memory of 5004 4640 dwa01.exe cmd.exe PID 4640 wrote to memory of 5004 4640 dwa01.exe cmd.exe PID 4640 wrote to memory of 5004 4640 dwa01.exe cmd.exe PID 4640 wrote to memory of 3224 4640 dwa01.exe cmd.exe PID 4640 wrote to memory of 3224 4640 dwa01.exe cmd.exe PID 4640 wrote to memory of 3224 4640 dwa01.exe cmd.exe PID 4640 wrote to memory of 1156 4640 dwa01.exe cmd.exe PID 4640 wrote to memory of 1156 4640 dwa01.exe cmd.exe PID 4640 wrote to memory of 1156 4640 dwa01.exe cmd.exe PID 4640 wrote to memory of 628 4640 dwa01.exe cmd.exe PID 4640 wrote to memory of 628 4640 dwa01.exe cmd.exe PID 4640 wrote to memory of 628 4640 dwa01.exe cmd.exe PID 1156 wrote to memory of 4872 1156 cmd.exe notepad.exe PID 1156 wrote to memory of 4872 1156 cmd.exe notepad.exe PID 1156 wrote to memory of 4872 1156 cmd.exe notepad.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe"C:\Users\Admin\AppData\Local\Temp\b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Users\Admin\AppData\Roaming\dwa01.exe"C:\Users\Admin\AppData\Roaming\dwa01.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵PID:3224
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No3⤵PID:5004
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /All /Quiet3⤵PID:1424
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{14C2B9E4-A43C-EAB3-B3BB-95D7F8572294}.bat3⤵PID:628
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c start /max notepad.exe "C:\Users\Admin\RECOVER-FILES.HTML"3⤵
- Suspicious use of WriteProcessMemory
PID:1156
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{A014D5D1-FA42-8425-0410-0C702DF3FB04}.bat2⤵PID:3012
-
-
C:\Windows\SysWOW64\notepad.exenotepad.exe "C:\Users\Admin\RECOVER-FILES.HTML"1⤵PID:4872
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
120B
MD5
598c2707c8197e1a1fde5eed2bfb73bd
SHA1
4ce1f59601ca6f5892481bae3ec7530126711b24
SHA256
ce47464addcf6c7e68cb1597cd1cad319bb43f6905e06de11b5be32c3fffa8ff
SHA512
7247ac5b8e7fff4a8b1619de141a9eeea885a8887c4a5eb6eb3f8ce3f1061481a34ffa532658137f7ff96fb308570a6ea9595487451b7213bbed55af74c9487b
-
Filesize
132B
MD5
f16ecf9f57b99fcff16b149dd7cc31d1
SHA1
b3549ce4e882977a25fda4e2affe94826ef4055e
SHA256
a9dd2be9fd2bc62a2ced854662676283e02a138d350c5f5c3d0de1d7f81369fd
SHA512
cce03073a895771fe43fbcfb16cca1e6e2a0763b62ca0a53413b1196b01aeed77300abf7fac1017c952295e86080d35aad3aa4e2e79e12faa477a25a4a0909a1
-
Filesize
352KB
MD5
4f88b5e510ecbd0adefdfc87c552289c
SHA1
047ec67b8e3c001086284d7176b2d239db565fb5
SHA256
b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273
SHA512
75b86d6de4bec5285559f7e9a0dbf46df48dbdf78386023e5f8668a7814bc1db5322d8bf9d306cfd65175112b94366641d671175d59d3edacc3d2b2ba802f348
-
Filesize
4KB
MD5
17b758a77d94ca4d957d749c354f0865
SHA1
dc151acae7b2f5ddb371ada32521da190a80e8e7
SHA256
95aec0ead5bc65efc5ef23d3984991e228375e626aeaf01c3d373f75aa45cb12
SHA512
939472d3661f54469978ad88f433c7be3a1df46c82fb3f34e2d134bdbc06570ed7bef10d2c0bc99981c0bb5620858c5c7852ca9e6631197de8f059fe61dab12a