Overview

overview

10

Static

static

7

samples3.zip

windows7-x64

1

samples3.zip

windows10-2004-x64

1

05cf6eee9b...b3.exe

windows7-x64

1

05cf6eee9b...b3.exe

windows10-2004-x64

1

0d332c0478...a7.exe

windows7-x64

9

0d332c0478...a7.exe

windows10-2004-x64

9

0fd8500fde...1e.exe

windows7-x64

1

0fd8500fde...1e.exe

windows10-2004-x64

1

11edf9436a...ed.pdf

windows7-x64

1

11edf9436a...ed.pdf

windows10-2004-x64

1

19a640415b...5c.exe

windows7-x64

10

19a640415b...5c.exe

windows10-2004-x64

10

33aa57b04b...cb.exe

windows7-x64

6

33aa57b04b...cb.exe

windows10-2004-x64

6

3643464a22...19.exe

windows7-x64

3

3643464a22...19.exe

windows10-2004-x64

3

37e2f97755...26.exe

windows7-x64

1

37e2f97755...26.exe

windows10-2004-x64

1

54cd11236f...ff.exe

windows7-x64

6

54cd11236f...ff.exe

windows10-2004-x64

6

55bc661ad4...8c.exe

windows7-x64

9

55bc661ad4...8c.exe

windows10-2004-x64

7

603d665f09...68.exe

windows7-x64

1

603d665f09...68.exe

windows10-2004-x64

1

6ea27a0861...7e.exe

windows7-x64

1

6ea27a0861...7e.exe

windows10-2004-x64

3

73af283fcb...0c.exe

windows7-x64

8

73af283fcb...0c.exe

windows10-2004-x64

8

7e41197b74...67.exe

windows7-x64

9

7e41197b74...67.exe

windows10-2004-x64

9

a878fed055...99.exe

windows7-x64

3

a878fed055...99.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    01-01-2024 15:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe

  • Size

    92KB

  • MD5

    6c482e3d0fdc8af0182d543371ca5176

  • SHA1

    e4de59423b77477cc593b7f31d08252107444524

  • SHA256

    0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7

  • SHA512

    ed217f7c2a0b0ca7716c0c04dc369598371d997590437f70ce68147276ef0cc8e3539306abcd5d16266dc5d4a6b984eab9e8fc5348dc2f6607ddea3eed4e0411

  • SSDEEP

    1536:ReybNDac/BiUkGgxjDUsFFtZjSrHOUTS6r17Y4HbmxwRwW:lNDgUm5Fi6Uu6r17p7zV

Score
9/10
persistenceransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (9950) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Discovers systems in the same network 1 TTPs 2 IoCs
    discovery
  • NTFS ADS 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Yw3:exe
    C:\Users\Admin\AppData\Local\Yw3:exe 3 C:\Users\Admin\AppData\Local\VvDMxU\59a6z0.exe
    1⤵
    • Executes dropped EXE
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    PID:2840
  • C:\Windows\SysWOW64\net.exe
    C:\Windows\system32\net.exe view
    1⤵
    • Discovers systems in the same network
    PID:2812
  • C:\Users\Admin\AppData\Local\VvDMxU\59a6z0.exe
    C:\Users\Admin\AppData\Local\VvDMxU\59a6z0.exe 2
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:2732
  • C:\Users\Admin\AppData\Local\LshO:exe
    C:\Users\Admin\AppData\Local\LshO:exe 1 C:\Users\Admin\AppData\Local\Temp\0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe
    1⤵
    • Deletes itself
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Windows\SysWOW64\net.exe
      C:\Windows\system32\net.exe view \\CALKHSYM
      2⤵
      • Discovers systems in the same network
      PID:2304
  • C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\VvDMxU\59a6z0.exe 2
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1728
  • C:\Users\Admin\AppData\Local\Temp\0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe
    "C:\Users\Admin\AppData\Local\Temp\0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:2964

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\LshO:exe
    Filesize

    92KB

    MD5

    6c482e3d0fdc8af0182d543371ca5176

    SHA1

    e4de59423b77477cc593b7f31d08252107444524

    SHA256

    0d332c04780976b3cf6d505b5d7060c2f40399f581a8629885ad086e967f68a7

    SHA512

    ed217f7c2a0b0ca7716c0c04dc369598371d997590437f70ce68147276ef0cc8e3539306abcd5d16266dc5d4a6b984eab9e8fc5348dc2f6607ddea3eed4e0411

    Download Submit
  • \Users\Admin\AppData\Local\LshO
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • memory/2732-30-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2732-23-0x0000000000250000-0x0000000000256000-memory.dmp
    Filesize

    24KB

    Download
  • memory/2840-3258-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2840-14899-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2840-47087-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2908-182-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2964-0-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2964-1-0x0000000000260000-0x0000000000266000-memory.dmp
    Filesize

    24KB

    Download
  • memory/2964-15-0x0000000000400000-0x000000000041A000-memory.dmp
    Filesize

    104KB

    Download