77a164b6f3112876b7b2b2c8a7b9ee57997ddde6f4e6cd5235f41c1cd5478621

Analysis

max time kernel
151s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a045d39cbae62c5e73639b6a5a6bdc7948e13d5e960978d22b687d95e599b35.exe
Size

225KB
MD5

19275ec337c79577d1b218afcc5fdf96
SHA1

c6fb78e7203073f9bfceda682c0fede8d5d645f7
SHA256

0a045d39cbae62c5e73639b6a5a6bdc7948e13d5e960978d22b687d95e599b35
SHA512

faaef2dee406f0ef52a80e413410a45b76903b3702ab14b8be8c946566fa80a87fa5b09bf643e00b75629b0355ba2044fba5d8713a526f0e8a935bd906a7eb7f
SSDEEP

6144:zrA1b71kw8TML7RiVhVPuV17rQ+LGsuUSpbO:zr7P8iVmVdQ+LqJE

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2456	Ransom.exe
1364	RANSED_WATCH.exe

Loads dropped DLL 2 IoCs

pid	Process
1352	0a045d39cbae62c5e73639b6a5a6bdc7948e13d5e960978d22b687d95e599b35.exe
2456	Ransom.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\RANSED = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransom.exe"	Ransom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2456	Ransom.exe
2456	Ransom.exe
2456	Ransom.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe
1364	RANSED_WATCH.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2796	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	Ransom.exe
Token: SeDebugPrivilege	1364	RANSED_WATCH.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 2456	1352	0a045d39cbae62c5e73639b6a5a6bdc7948e13d5e960978d22b687d95e599b35.exe	28
PID 1352 wrote to memory of 2456	1352	0a045d39cbae62c5e73639b6a5a6bdc7948e13d5e960978d22b687d95e599b35.exe	28
PID 1352 wrote to memory of 2456	1352	0a045d39cbae62c5e73639b6a5a6bdc7948e13d5e960978d22b687d95e599b35.exe	28
PID 1352 wrote to memory of 2456	1352	0a045d39cbae62c5e73639b6a5a6bdc7948e13d5e960978d22b687d95e599b35.exe	28
PID 1352 wrote to memory of 2796	1352	0a045d39cbae62c5e73639b6a5a6bdc7948e13d5e960978d22b687d95e599b35.exe	30
PID 1352 wrote to memory of 2796	1352	0a045d39cbae62c5e73639b6a5a6bdc7948e13d5e960978d22b687d95e599b35.exe	30
PID 1352 wrote to memory of 2796	1352	0a045d39cbae62c5e73639b6a5a6bdc7948e13d5e960978d22b687d95e599b35.exe	30
PID 1352 wrote to memory of 2796	1352	0a045d39cbae62c5e73639b6a5a6bdc7948e13d5e960978d22b687d95e599b35.exe	30
PID 2796 wrote to memory of 2728	2796	cmd.exe	31
PID 2796 wrote to memory of 2728	2796	cmd.exe	31
PID 2796 wrote to memory of 2728	2796	cmd.exe	31
PID 2796 wrote to memory of 2728	2796	cmd.exe	31
PID 2456 wrote to memory of 1364	2456	Ransom.exe	34
PID 2456 wrote to memory of 1364	2456	Ransom.exe	34
PID 2456 wrote to memory of 1364	2456	Ransom.exe	34
PID 2456 wrote to memory of 1364	2456	Ransom.exe	34

C:\Users\Admin\AppData\Local\Temp\0a045d39cbae62c5e73639b6a5a6bdc7948e13d5e960978d22b687d95e599b35.exe
"C:\Users\Admin\AppData\Local\Temp\0a045d39cbae62c5e73639b6a5a6bdc7948e13d5e960978d22b687d95e599b35.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\Ransom.exe
  "C:\Users\Admin\AppData\Local\Temp\Ransom.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Users\Admin\AppData\Local\Temp\RANSED_WATCH.exe
    "C:\Users\Admin\AppData\Local\Temp\RANSED_WATCH.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1364
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & MOVE /Y C:\Users\Admin\AppData\Local\Temp\0a045d39cbae62c5e73639b6a5a6bdc7948e13d5e960978d22b687d95e599b35.exe C:\Users\Admin\AppData\Local\Temp\
  2⤵
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 1
    3⤵
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RANSED_WATCH.exe

Filesize
6KB

MD5
4d7bab2c3c2ddc1e72cd31124af8e59c

SHA1
ed310764bb3903dfc1b810d16ddac778dbd5a4a5

SHA256
44a2f5a450185c2d464417d805691b17c5226b650bdc34964b584ef9efb50509

SHA512
8b367639e292a646a720fdccfb1342b3b7336b91dcbfb67933189e3b37c41af440a8ef552873dfc208232d2660857dc0de7a27cfbaef192b484f97bbab7d4325

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransom.exe

Filesize
53KB

MD5
e63dc265f7d5a4592fc935f992e598a2

SHA1
ef6e749eedf603c1bb2045ecc2cec392388eb82a

SHA256
ed740d835ed0dc4cfd867aba5a3c05c2f2d2de4462525681427cb40bda07f02e

SHA512
39857596811ebc965abc72372e16f3b73a35fc347e09fb84c3ec9160f5d0b562b461816fbd5dd74ff95d31bc91e99ef341c6b60f513859fed39f9dcc50082fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransom.exe

Filesize
77KB

MD5
5ffa9e7a0fe2bf53d02eed6ddbf755d3

SHA1
9ded78941eb585e018095356716b479e43844854

SHA256
446c91b43666754528ca2bf919f421b09f7427cb0625fab834ac7ce8e5056706

SHA512
6a49bc5b3a5d660b64442037e264a73a04f3a05b444df0c18e20f5994aed671c78ef946458b00127702dd2ce51f7093a6bf99f5b04403c0620356b5ad8099cae

Download Submit
\Users\Admin\AppData\Local\Temp\Ransom.exe

Filesize
54KB

MD5
c112b9691c557c5f6ec5850adc9df170

SHA1
28616269496026dc7d7f670be51fb519416c93c1

SHA256
dff5692e97361440f365d070251d3970bd9a9ce535c96a700362c6d0585d72aa

SHA512
22bb1c63bc6143b6014bced9b6faa3234bb9ce82e39c96301eedbbfdd9dc698988eaf96872b5c4117fe6fd0ce4aa7ac6747af94fada2aab656f357db91a61ba4

Download Submit
memory/1352-1-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/1352-2-0x0000000004270000-0x00000000042B0000-memory.dmp

Filesize
256KB

Download
memory/1352-0-0x0000000000DD0000-0x0000000000E0E000-memory.dmp

Filesize
248KB

Download
memory/1352-14-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/1364-121-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/1364-120-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/1364-119-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2456-13-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/2456-17-0x00000000009D0000-0x00000000009F0000-memory.dmp

Filesize
128KB

Download
memory/2456-18-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/2456-19-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/2456-16-0x0000000004CC0000-0x0000000004D2E000-memory.dmp

Filesize
440KB

Download
memory/2456-15-0x00000000049A0000-0x00000000049E0000-memory.dmp

Filesize
256KB

Download
memory/2456-12-0x0000000073EB0000-0x000000007459E000-memory.dmp

Filesize
6.9MB

Download
memory/2456-11-0x0000000000EE0000-0x0000000000F1C000-memory.dmp

Filesize
240KB

Download