ee65e9d7a7bc9d17e894e0b775fc0bbfb35e72c65c3d768e34bfe059d521cc16

Resubmissions

21-01-2024 14:52

240121-r8syqaeac7 10

21-01-2024 14:51

240121-r8k8waeac5 10

01-01-2024 13:55

240101-q776kscacp 10

Analysis

max time kernel
140s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2024 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
Size

245KB
MD5

78db42a978dbaeec6b87e718b0e00160
SHA1

226616df9b26e9ca327805755b75813ad67c1f3f
SHA256

b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8
SHA512

8a8a29eb8679512ab214d16b3e207a4545dbd63a8410ce41eef8d2c249131a5947a157344932b6041feb3084ad14d437627d754a34b977a6c2f71159a54b2b5c
SSDEEP

6144:ZU1aQUdyXTFDhznLOoAM4zkw7nMnp5PdleQRWsvBoCRt7Y0x:ZUQd4TFJLOolqk/72QksvBBt7Y0

Score

9^/10

ransomware

Malware Config

Signatures

Renames multiple (133) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe

pid process

2256 b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe

description	ioc	process
File opened (read-only)	\??\R:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\T:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\O:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\P:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\L:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\Z:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\H:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\J:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\K:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\V:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\M:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\G:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\X:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\F:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\Q:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\W:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\E:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\U:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\S:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\N:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\Y:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\I:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\A:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
File opened (read-only)	\??\B:	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe

pid	process
2256	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
2256	b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe

pid process

2256 b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe

C:\Users\Admin\AppData\Local\Temp\b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
"C:\Users\Admin\AppData\Local\Temp\b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe"
1⤵
- Deletes itself
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:2256

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\HOW TO RECOVER YOUR FILES.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2256-1-0x00007FFA94CD0000-0x00007FFA94EC5000-memory.dmp

Filesize
2.0MB

Download
memory/2256-0-0x00007FF770FD0000-0x00007FF771072000-memory.dmp

Filesize
648KB

Download
memory/2256-199-0x00007FF770FD0000-0x00007FF771072000-memory.dmp

Filesize
648KB

Download