bb623a98f1d61f13d2de4dee55b14f97956e8306aa66d945aab0b00538b95900

Analysis

max time kernel
779s
max time network
683s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 15:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ransom_builder.exe
Size

4.3MB
MD5

43a2c7ba0ecd3a1b8ff0b82a0e82296d
SHA1

9b106aa440085d1cf76889a186a4c0ece9f86b06
SHA256

bb623a98f1d61f13d2de4dee55b14f97956e8306aa66d945aab0b00538b95900
SHA512

2d1d9c37fcfc1f38e71a6f7be68431ec5e7220dd8eb8df6fa612be62bed071fdf1f505c9702d69719e74c99ae02af4a48909f63862addca7c4e911c1792b8f59
SSDEEP

98304:w8sjkaDkbFqE0DtuJFsEG/SxFEQGr7wgiMgaUP/XEXw5d1OFQ:yj3aqE0tubjTPgiFaUHEXgaF

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000016d24-93.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
2120	Include.exe

Loads dropped DLL 5 IoCs

pid	Process
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016d24-93.dat	upx
behavioral1/memory/3048-96-0x0000000010000000-0x00000000100BB000-memory.dmp	upx
behavioral1/memory/3048-376-0x0000000010000000-0x00000000100BB000-memory.dmp	upx

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/3048-100-0x0000000000D50000-0x00000000011A2000-memory.dmp	autoit_exe
behavioral1/memory/3048-111-0x0000000000D50000-0x00000000011A2000-memory.dmp	autoit_exe
behavioral1/memory/3048-139-0x0000000000D50000-0x00000000011A2000-memory.dmp	autoit_exe
behavioral1/memory/3048-150-0x0000000000D50000-0x00000000011A2000-memory.dmp	autoit_exe
behavioral1/memory/3048-167-0x0000000000D50000-0x00000000011A2000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3048	ransom_builder.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3048	ransom_builder.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe
3048	ransom_builder.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2120	3048	ransom_builder.exe	30
PID 3048 wrote to memory of 2120	3048	ransom_builder.exe	30
PID 3048 wrote to memory of 2120	3048	ransom_builder.exe	30
PID 3048 wrote to memory of 2120	3048	ransom_builder.exe	30
PID 3048 wrote to memory of 2120	3048	ransom_builder.exe	30
PID 3048 wrote to memory of 2120	3048	ransom_builder.exe	30
PID 3048 wrote to memory of 2120	3048	ransom_builder.exe	30

C:\Users\Admin\AppData\Local\Temp\ransom_builder.exe
"C:\Users\Admin\AppData\Local\Temp\ransom_builder.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\Include.exe
  "C:\Users\Admin\AppData\Local\Temp\Include.exe"
  2⤵
  - Executes dropped EXE
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Include.exe

Filesize
61KB

MD5
57945be40617051ea842b9a4dbcbdde9

SHA1
67b5944b4d52b81e84c97e4df6e47dc62365f98c

SHA256
f263a9326c7d7ea9aea33d4dc6a19d362d0c69cef66b87a84b050141ef443047

SHA512
0c063b4a1afdf625ed82389d2dfdcf52d6ca14febf659187294cfaf5fe4d49f74c5a6c8611b0f835997090b58b625071a76dc11a73172d074a5923114a6185a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Include.exe

Filesize
10KB

MD5
22060345b3c4539ccd1905a1d81e7e2f

SHA1
80ba51f10245fa890e1cc4912852eab79302b23d

SHA256
c7eefdfae421f6e0e54f56a8078d742272c9daf73ba43d2d82fc5db2366fbe81

SHA512
67a0afe305986866773cbb39dbd26e0d8a57d9d8457e10423242a8d06fc20a281f98fce9a557e7d4c432661ef257e2b9782f9926eb99291d7875b68eeaebdd1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Include.exe

Filesize
31KB

MD5
332e16a4665067ab9583b57b9bd23da2

SHA1
a786c06627ac32760904042c68584eced4cbc90d

SHA256
99af0e549847b52f87814b286b903d25560e83b1dc76b0e9ea316c4af23d9fb4

SHA512
bc12269c46936184288bfa901c9297494aa7635a6dd4739e6a9d567b5150358bbc0252510a5b208aad38ddb86e6e61a68114816f9ffca3735f79c4e190dd64f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iop.jpg

Filesize
156KB

MD5
19a588347de928200a06957f290b1b69

SHA1
068e5813ffd54c37a352fa1dbca86bb114ccace6

SHA256
d1e84a6b637ba81f38889a8feebc6ee6b6a656aead2b62b4853ff3a1917ab404

SHA512
b33f363911c70d0315676ab031ab68272727b31ca01b3667ce7ac67fba676f0200691c7fe21df8058557f5c1183112218fdcbe7456a99afe4caead7fa7caa6e7

Download Submit
\Users\Admin\AppData\Local\Temp\Include.exe

Filesize
40KB

MD5
60fe132dac8e3b5de8dcfd2d786ffed1

SHA1
9f90b0dc97522ec8bf725e768263bf8b2e14812e

SHA256
4fc0b1c0a3aec101eff47a886d5280d23572aa3d9522f5aac5db8dd29c3b77f2

SHA512
bd6b9cd6db6248342ef61955d548a583b6086be1705e920a83f4608eb7412215b84ea3277c01f8b0b453fae2e2bbb74eaa5e66117312747a0c5c9bc4eeb4043d

Download Submit
\Users\Admin\AppData\Local\Temp\Include.exe

Filesize
54KB

MD5
e8b0a2966dcec4c295bb24bfc267d4b1

SHA1
3236b20a29532af8f521c562457b5d7aec50e486

SHA256
5f4bf03ce2e0867043da754c06c8b9ac47706553f0b350423fcf1c1aa3e488e3

SHA512
40918c26694788c8790a76bd4378c6bfefa090731c2595700276076eae51d27b1908d02c5e93b2458ab5b4ef0731ce483d5619d29f61486fd42905a5c627636c

Download Submit
\Users\Admin\AppData\Local\Temp\Include.exe

Filesize
102KB

MD5
5d7d068c1196651fc288d901d1068fec

SHA1
92eaada1ae48fb4f9117050e3eaa66b3c3b83a8b

SHA256
00e7aa7ad31cc3e9b079476e70e1d599176c60a2995718691e9fca1ad9d9f10b

SHA512
633a7f29cc6041fe613acd4148b7b201c2f3019f9ce9573a2388d61fd7e80ac34f5d106575092a09810e7c5bd1d55cfcee422c84e1e7be098050b311c7e5af36

Download Submit
\Users\Admin\AppData\Local\Temp\skin.888cx.msstyles

Filesize
1.1MB

MD5
719c51f5637d922e8416e23d0978b8cb

SHA1
ebfc5fe2fcf48a36505716e997b1e2fab6365d85

SHA256
6cf0bf46c9ee98fde7eb4dbc0b147e33babeabf9b1f50a4722e29dd57e95ef09

SHA512
129a355ca1ace8c8ce7254c285d5e90b55941f18ff5fcaf6109aa502d18f543b7596493ce69c0bc167ce41bdc8622d4bf8529ecbd88fb0d9f963bfbcb91e24ae

Download Submit
\Users\Admin\AppData\Local\Temp\skin.dll

Filesize
239KB

MD5
29e1d5770184bf45139084bced50d306

SHA1
76c953cd86b013c3113f8495b656bd721be55e76

SHA256
794987c4069286f797631f936c73b925c663c42d552aeca821106dfc7c7ba307

SHA512
7cb3d0788978b6dc5a78f65349366dac3e91b1557efa4f385984bef4940b3ea859f75cfe42c71f6fe445555138f44305531de6a89c5beff4bf9d42001b4348e8

Download Submit
memory/3048-135-0x00000000761B0000-0x000000007623F000-memory.dmp

Filesize
572KB

Download
memory/3048-143-0x0000000074540000-0x00000000746DE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-103-0x00000000749C0000-0x0000000074A60000-memory.dmp

Filesize
640KB

Download
memory/3048-104-0x00000000753A0000-0x00000000753F7000-memory.dmp

Filesize
348KB

Download
memory/3048-105-0x0000000074A60000-0x0000000074C75000-memory.dmp

Filesize
2.1MB

Download
memory/3048-106-0x00000000754A0000-0x00000000760EA000-memory.dmp

Filesize
12.3MB

Download
memory/3048-107-0x0000000076560000-0x00000000766BC000-memory.dmp

Filesize
1.4MB

Download
memory/3048-108-0x00000000761B0000-0x000000007623F000-memory.dmp

Filesize
572KB

Download
memory/3048-109-0x0000000076180000-0x00000000761AA000-memory.dmp

Filesize
168KB

Download
memory/3048-110-0x00000000743F0000-0x0000000074441000-memory.dmp

Filesize
324KB

Download
memory/3048-111-0x0000000000D50000-0x00000000011A2000-memory.dmp

Filesize
4.3MB

Download
memory/3048-114-0x00000000749C0000-0x0000000074A60000-memory.dmp

Filesize
640KB

Download
memory/3048-113-0x00000000746E0000-0x0000000074712000-memory.dmp

Filesize
200KB

Download
memory/3048-112-0x00000000747F0000-0x00000000747F9000-memory.dmp

Filesize
36KB

Download
memory/3048-117-0x0000000074A60000-0x0000000074C75000-memory.dmp

Filesize
2.1MB

Download
memory/3048-116-0x00000000753A0000-0x00000000753F7000-memory.dmp

Filesize
348KB

Download
memory/3048-119-0x0000000075220000-0x000000007529B000-memory.dmp

Filesize
492KB

Download
memory/3048-115-0x0000000074540000-0x00000000746DE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-120-0x00000000754A0000-0x00000000760EA000-memory.dmp

Filesize
12.3MB

Download
memory/3048-121-0x0000000076560000-0x00000000766BC000-memory.dmp

Filesize
1.4MB

Download
memory/3048-122-0x00000000761B0000-0x000000007623F000-memory.dmp

Filesize
572KB

Download
memory/3048-124-0x0000000074D80000-0x0000000074E4C000-memory.dmp

Filesize
816KB

Download
memory/3048-125-0x00000000743F0000-0x0000000074441000-memory.dmp

Filesize
324KB

Download
memory/3048-127-0x00000000752A0000-0x000000007533D000-memory.dmp

Filesize
628KB

Download
memory/3048-129-0x0000000074540000-0x00000000746DE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-128-0x00000000749C0000-0x0000000074A60000-memory.dmp

Filesize
640KB

Download
memory/3048-130-0x00000000753A0000-0x00000000753F7000-memory.dmp

Filesize
348KB

Download
memory/3048-134-0x0000000075220000-0x000000007529B000-memory.dmp

Filesize
492KB

Download
memory/3048-136-0x0000000074D80000-0x0000000074E4C000-memory.dmp

Filesize
816KB

Download
memory/3048-101-0x00000000746E0000-0x0000000074712000-memory.dmp

Filesize
200KB

Download
memory/3048-132-0x0000000074A60000-0x0000000074C75000-memory.dmp

Filesize
2.1MB

Download
memory/3048-138-0x00000000743F0000-0x0000000074441000-memory.dmp

Filesize
324KB

Download
memory/3048-139-0x0000000000D50000-0x00000000011A2000-memory.dmp

Filesize
4.3MB

Download
memory/3048-102-0x00000000752A0000-0x000000007533D000-memory.dmp

Filesize
628KB

Download
memory/3048-144-0x00000000753A0000-0x00000000753F7000-memory.dmp

Filesize
348KB

Download
memory/3048-146-0x0000000074A60000-0x0000000074C75000-memory.dmp

Filesize
2.1MB

Download
memory/3048-145-0x00000000747D0000-0x00000000747E2000-memory.dmp

Filesize
72KB

Download
memory/3048-142-0x00000000749C0000-0x0000000074A60000-memory.dmp

Filesize
640KB

Download
memory/3048-141-0x00000000746E0000-0x0000000074712000-memory.dmp

Filesize
200KB

Download
memory/3048-140-0x00000000747F0000-0x00000000747F9000-memory.dmp

Filesize
36KB

Download
memory/3048-137-0x0000000074450000-0x0000000074463000-memory.dmp

Filesize
76KB

Download
memory/3048-149-0x00000000743F0000-0x0000000074441000-memory.dmp

Filesize
324KB

Download
memory/3048-148-0x0000000074D80000-0x0000000074E4C000-memory.dmp

Filesize
816KB

Download
memory/3048-131-0x00000000747D0000-0x00000000747E2000-memory.dmp

Filesize
72KB

Download
memory/3048-126-0x00000000746E0000-0x0000000074712000-memory.dmp

Filesize
200KB

Download
memory/3048-150-0x0000000000D50000-0x00000000011A2000-memory.dmp

Filesize
4.3MB

Download
memory/3048-154-0x00000000749C0000-0x0000000074A60000-memory.dmp

Filesize
640KB

Download
memory/3048-153-0x00000000752A0000-0x000000007533D000-memory.dmp

Filesize
628KB

Download
memory/3048-152-0x00000000746E0000-0x0000000074712000-memory.dmp

Filesize
200KB

Download
memory/3048-151-0x00000000747F0000-0x00000000747F9000-memory.dmp

Filesize
36KB

Download
memory/3048-155-0x0000000074540000-0x00000000746DE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-157-0x00000000747D0000-0x00000000747E2000-memory.dmp

Filesize
72KB

Download
memory/3048-158-0x0000000074A60000-0x0000000074C75000-memory.dmp

Filesize
2.1MB

Download
memory/3048-165-0x00000000743F0000-0x0000000074441000-memory.dmp

Filesize
324KB

Download
memory/3048-166-0x00000000753A0000-0x00000000753F7000-memory.dmp

Filesize
348KB

Download
memory/3048-167-0x0000000000D50000-0x00000000011A2000-memory.dmp

Filesize
4.3MB

Download
memory/3048-163-0x0000000074D80000-0x0000000074E4C000-memory.dmp

Filesize
816KB

Download
memory/3048-169-0x0000000074540000-0x00000000746DE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-168-0x00000000746E0000-0x0000000074712000-memory.dmp

Filesize
200KB

Download
memory/3048-164-0x0000000074450000-0x0000000074463000-memory.dmp

Filesize
76KB

Download
memory/3048-161-0x00000000761B0000-0x000000007623F000-memory.dmp

Filesize
572KB

Download
memory/3048-160-0x0000000075220000-0x000000007529B000-memory.dmp

Filesize
492KB

Download
memory/3048-100-0x0000000000D50000-0x00000000011A2000-memory.dmp

Filesize
4.3MB

Download
memory/3048-96-0x0000000010000000-0x00000000100BB000-memory.dmp

Filesize
748KB

Download
memory/3048-156-0x00000000753A0000-0x00000000753F7000-memory.dmp

Filesize
348KB

Download
memory/3048-365-0x0000000073D20000-0x0000000073E11000-memory.dmp

Filesize
964KB

Download
memory/3048-376-0x0000000010000000-0x00000000100BB000-memory.dmp

Filesize
748KB

Download
memory/3048-377-0x0000000073D20000-0x0000000073E11000-memory.dmp

Filesize
964KB

Download