Analysis

  • max time kernel: 162s
  • max time network: 170s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 12/03/2024, 23:00

General

  • Target: c453bc28c9f211df2e1a87b0d26e1c3c.exe
  • Size: 147KB
  • MD5: c453bc28c9f211df2e1a87b0d26e1c3c
  • SHA1: c4ad140e1abb5478aef5a1aeb7db8b177368429e
  • SHA256: a7b6b77de96352a518220615c1b32c2da43d0be60c983f90e31016c219a5681a
  • SHA512: 406076d38d85bf5eb75cd540cb973655ec4dc7b7053b42db838d52cb6a3c039962fac397b250687358e9c4646172d29b356bbb7e3c6a6248c41a68ba4b0f6f65
  • SSDEEP: 3072:XR1+aJe1mgawzxsBub861jIHxowx4rhYr73Or2PxOB3cuwBwqYHumi:XRUTV5nSMhssBciqYK

Score
8/10

Malware Config

Signatures

  • Modifies AppInit DLL entries 2 TTPs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3384
      • C:\Users\Admin\AppData\Local\Temp\c453bc28c9f211df2e1a87b0d26e1c3c.exe
        "C:\Users\Admin\AppData\Local\Temp\c453bc28c9f211df2e1a87b0d26e1c3c.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2976
        • C:\Windows\serv.exe
          C:\Windows\serv.exe s
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4076
        • C:\Windows\SysWOW64\notepad.exe
          C:\Windows\System32\notepad.exe C:\Users\Admin\AppData\Local\Temp\55DB.tmp
          3⤵
          • Opens file in notepad (likely ransom note)
          PID:3580
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1428 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2500

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\55DB.tmp
    Filesize: 64KB
    MD5: 6bf80b5e2beffc0c31ed88572fd255b3
    SHA1: d24c83074062185990c245975904986060c93ad8
    SHA256: b7caada2a6516018079a51eaf7d00d7e154accfce95cb40eaf9f736ac0a32c78
    SHA512: b8ab497b999ecc7dd712e2d0262c42f9be38ba810ab484bd794d77413d18d0bf860907ab8885a88152264ada5b001b708c80807b49f74e93b1cbb474502b3cb2

  • C:\Windows\SysWOW64\dbnetsby.dll
    Filesize: 20KB
    MD5: da2f63fc80d4714b0eca8c66c82837d9
    SHA1: b79dd173f6691ead3c5b4fd4f74a31fed5c28d7e
    SHA256: a883deb8d93e489dd62f871a2b2517c53004c4ed0880655e9b960b626d9edbb2
    SHA512: 21d8873030a5bb118521952e0ee5634c729d49820948ebfd62593299f839f5f3489e717109e7eb9fe7625fe733971488791436f37db677ef43db280d4c847e40

  • C:\Windows\serv.dll
    Filesize: 7KB
    MD5: 7caccaf5cb2e8483057a6c7389c51e1c
    SHA1: d50a265aca04fe4292be1ca623fa5668d725c608
    SHA256: 0c663f01a250db8af6b5b60d2640491693a38530530b04cbb43ece27d97c0f8f
    SHA512: 43de01f952070d01abc13f35786544b6e2e324fc65d86807e48624ee250051630b76b9059deda0515138bb6658aaf6dffe555a27de6dadc87ce5c8bec03f074c

  • C:\Windows\serv.exe
    Filesize: 147KB
    MD5: c453bc28c9f211df2e1a87b0d26e1c3c
    SHA1: c4ad140e1abb5478aef5a1aeb7db8b177368429e
    SHA256: a7b6b77de96352a518220615c1b32c2da43d0be60c983f90e31016c219a5681a
    SHA512: 406076d38d85bf5eb75cd540cb973655ec4dc7b7053b42db838d52cb6a3c039962fac397b250687358e9c4646172d29b356bbb7e3c6a6248c41a68ba4b0f6f65

  • memory/2976-0-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize: 520KB

  • memory/2976-7-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize: 520KB

  • memory/4076-6-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize: 520KB

  • memory/4076-22-0x0000000077DA2000-0x0000000077DA3000-memory.dmp
    Filesize: 4KB

  • memory/4076-23-0x0000000000400000-0x0000000000482000-memory.dmp
    Filesize: 520KB