Overview

overview

9

Static

static

3

0a85705c62...2f.exe

windows7-x64

9

0a85705c62...2f.exe

windows10-2004-x64

9

Resubmissions

23-05-2024 18:29

240523-w4vnzabh2w

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 18:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a85705c6264d2bf29b85e89b886c9c08b78c07221bcf14b7f0a3bce97d4a12f.exe

  • Size

    214KB

  • MD5

    c164b01878448f08b1ed93dd22e67e4e

  • SHA1

    699eb9ddde38aa2148c7f2661579882ad3572093

  • SHA256

    0a85705c6264d2bf29b85e89b886c9c08b78c07221bcf14b7f0a3bce97d4a12f

  • SHA512

    851392b2fe1d3ff56d89096413585dad721d60f30da0d14e7fb3e7daf8147d3e15dd2dd263949d4bceb06fd2ae6b7c92ea3dbf95ad9e09f515e075a259a140f6

  • SSDEEP

    3072:6e7WpMaxeb0CYJ97lEYNR73e+eKZ3R9j3NqSGCLOwstyhZFChcssc56FUrgxvbSR:RqKvb0CYJ973e+eKZh9LNtShcHUa0

Score
9/10
ransomware

Malware Config

Signatures

  • Renames multiple (3691) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a85705c6264d2bf29b85e89b886c9c08b78c07221bcf14b7f0a3bce97d4a12f.exe
    "C:\Users\Admin\AppData\Local\Temp\0a85705c6264d2bf29b85e89b886c9c08b78c07221bcf14b7f0a3bce97d4a12f.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      PID:1284
    • C:\Users\Admin\AppData\Local\Temp\_cup.exe
      "_cup.exe"
      2⤵
      • Executes dropped EXE
      PID:1936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini.tmp
    Filesize

    74KB

    MD5

    ef60fe6066be2a4ca2fd949bf1d753f0

    SHA1

    5cc74c937916338359a36e423f3a96e4b97e96f9

    SHA256

    01817e54a156ec6a7537286af43aa523e9a795df224190f852113140939fa62d

    SHA512

    424919ab8cd5cb20307df631518a0f4bc6e2f0560e4c47e5082a437567f3f52db19ee4c0a2fa98c60d679b1a99a400c650c703128ef6f59f384f01026e1e82be

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_cup.exe
    Filesize

    140KB

    MD5

    24f79f24b079ff5d837e1040f1c09d2a

    SHA1

    c56cfe2bc3817be2482cea1faea8925eb47ff424

    SHA256

    e7ba69ae8bd3206d73514b21e0d2f5d7e0101cb1a449442855068ff00ab88361

    SHA512

    574060ae61aa95200f1fa6423977040c5fd1ad46f1f1539329a2fc55eb871bf561d3d50191f3e16bdc32144295cd2939937f87bbd6c9f1b53b3288ddbb71a8cf

    Download Submit
  • \Windows\SysWOW64\Zombie.exe
    Filesize

    74KB

    MD5

    cac8a7372617ff0d53aa0f617b5b01d7

    SHA1

    6e4bdf7fca668a1e8d37f088328cf675e9eca141

    SHA256

    7c7948467e1d62cb74dc7f8341a57bfad1e3fe471128b30103ad010f4fb5b902

    SHA512

    1d1dad4e28d4ddbcd3b2bfd53d92ebf6ee5e01972640967603053bda9e6e3ffd0cedd021186c0cc5c350219974c33e3adcd9e766e084e1570baca1d711b51d45

    Download Submit
  • memory/1936-19-0x000007FEF58F3000-0x000007FEF58F4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1936-20-0x00000000010C0000-0x00000000010E8000-memory.dmp
    Filesize

    160KB

    Download