Analysis Overview
SHA256
294cca25a52a8ce7764f2504e1f65ad3ee0dd8d2e701bc910d12c2e24fb367d0
Threat Level: Likely malicious
The file ransom.exe was found to be: Likely malicious.
Malicious Activity Summary
Renames multiple (320) files with added filename extension
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Unsigned PE
Detects Pyinstaller
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Opens file in notepad (likely ransom note)
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-09 15:20
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
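What the static "Detects Pyinstaller" signature keys on is the PyInstaller onefile trailer: a package appended to the PE that ends in an 88-byte cookie beginning with the magic `MEI\014\013\012\013\016` and recording the package length, the position of its table of contents, the Python version and the name of the Python DLL. The `_MEI37282\python310.dll`, `base_library.zip` and `*.pyd` files listed under Files are what the bootloader extracts from that package at run time, and the directory name begins with the PID 3728 of the first ransom.exe process seen in the WriteProcessMemory rows; the second ransom.exe (PID 4544) is consistent with the onefile bootloader relaunching itself after unpacking, which is the ordinary origin of a parent-to-child WriteProcessMemory hit and not by itself evidence of injection into another program. The parser below is an added example written for this page, not PyInstaller's or the sandbox's code. It follows the cookie and TOC layouts from PyInstaller's bootloader structs and runs against a package it constructs itself, so the entry names in the fixture are illustrative; the Python 3.10 / `python310.dll` values are chosen to match what the Files section shows.

```python
"""PyInstaller onefile trailer ("cookie") and table-of-contents parser.
Layout follows PyInstaller's bootloader structs; the archive it runs on is
constructed below (build_sample_archive), not extracted from ransom.exe."""
import struct
import zlib
from typing import Optional

COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"       # 'MEI\014\013\012\013\016'
COOKIE_FORMAT = "!8sIIii64s"                    # magic, package len, TOC offset, TOC len, pyvers, python DLL name
COOKIE_LEN = struct.calcsize(COOKIE_FORMAT)     # 88 bytes, the last bytes of a onefile EXE
TOC_ENTRY_FORMAT = "!iIIIBc"                    # entry len, data offset, stored len, uncompressed len, zlib flag, typecode
TOC_ENTRY_LEN = struct.calcsize(TOC_ENTRY_FORMAT)  # 18 bytes, followed by the NUL-padded entry name
TYPECODES = {b"b": "binary", b"z": "pyz", b"Z": "zip", b"M": "package", b"m": "module",
             b"s": "script", b"x": "data", b"o": "option", b"d": "dependency"}


def decode_pyvers(pyvers: int) -> str:
    # PyInstaller 4+ stores major*100+minor (310 for 3.10); older builds stored
    # major*10+minor (37 for 3.7). Only the old form can yield a value below 100.
    if pyvers >= 100:
        return f"{pyvers // 100}.{pyvers % 100}"
    return f"{pyvers // 10}.{pyvers % 10}"


def parse_pyinstaller_archive(blob: bytes) -> Optional[dict]:
    """Return cookie fields and TOC entries, or None when no consistent cookie exists."""
    pos = blob.rfind(COOKIE_MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(blob):
        return None
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(COOKIE_FORMAT, blob[pos:pos + COOKIE_LEN])
    pkg_start = pos + COOKIE_LEN - pkg_len      # the package length counts the cookie itself
    if pkg_start < 0 or pkg_start + toc_off + toc_len > pos:
        return None                             # cookie points outside the package: corrupt, or a false magic hit
    toc = blob[pkg_start + toc_off:pkg_start + toc_off + toc_len]
    entries, i = [], 0
    while i + TOC_ENTRY_LEN <= len(toc):
        entry_len, data_off, stored_len, uncomp_len, zflag, typecode = struct.unpack(
            TOC_ENTRY_FORMAT, toc[i:i + TOC_ENTRY_LEN])
        if entry_len < TOC_ENTRY_LEN or i + entry_len > len(toc):
            return None
        name = toc[i + TOC_ENTRY_LEN:i + entry_len].rstrip(b"\x00").decode("utf-8", "replace")
        entries.append({"name": name, "type": TYPECODES.get(typecode, typecode.decode("latin-1")),
                        "offset": pkg_start + data_off, "length": stored_len,
                        "size": uncomp_len, "compressed": bool(zflag)})
        i += entry_len
    return {"python_version": decode_pyvers(pyvers),
            "pylib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
            "entries": entries}


def read_entry(blob: bytes, info: dict, name: str) -> Optional[bytes]:
    """Pull one entry's bytes out of the package, inflating it if the zlib flag is set."""
    for e in info["entries"]:
        if e["name"] == name:
            raw = blob[e["offset"]:e["offset"] + e["length"]]
            return zlib.decompress(raw) if e["compressed"] else raw
    return None


def build_sample_archive(entries, pyvers: int = 310, pylib: bytes = b"python310.dll") -> bytes:
    """Constructed fixture: a PyInstaller-style package behind a fake PE stub."""
    data, toc = bytearray(), bytearray()
    for name, typecode, payload, compress in entries:
        stored = zlib.compress(payload) if compress else payload
        name_b = name.encode("utf-8") + b"\x00"
        entry_len = TOC_ENTRY_LEN + len(name_b)
        entry_len += (-entry_len) % 16           # PyInstaller pads entries to a 16-byte boundary
        toc += struct.pack(TOC_ENTRY_FORMAT, entry_len, len(data), len(stored), len(payload),
                           1 if compress else 0, typecode)
        toc += name_b.ljust(entry_len - TOC_ENTRY_LEN, b"\x00")
        data += stored
    cookie = struct.pack(COOKIE_FORMAT, COOKIE_MAGIC, len(data) + len(toc) + COOKIE_LEN,
                         len(data), len(toc), pyvers, pylib)
    return b"MZ" + b"\x00" * 62 + bytes(data) + bytes(toc) + cookie


# Constructed sample, not the real ransom.exe package; names are illustrative.
SAMPLE = build_sample_archive([
    ("python310.dll", b"b", b"MZ-not-a-real-dll", False),
    ("ransom", b"s", b"print('encrypt everything')", False),
    ("PYZ-00.pyz", b"z", b"PYZ\x00" * 16, True),
])

if __name__ == "__main__":
    info = parse_pyinstaller_archive(SAMPLE)
    print(f"Python {info['python_version']} via {info['pylib']}")
    for e in info["entries"]:
        print(f"  {e['type']:<10} {e['name']} ({e['size']} bytes, zlib={e['compressed']})")
```

On a real onefile sample, feed the whole EXE to `parse_pyinstaller_archive`; the `pylib` field should agree with the DLL dropped into `_MEI*` (here `python310.dll`), and the `s` entries name the scripts to decompile once the `z` archive has been unpacked.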
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 15:20
Reported
2024-06-09 15:21
Platform
win10v2004-20240508-en
Max time kernel
91s
Max time network
95s
Command Line
Signatures
Renames multiple (320) files with added filename extension
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.skk | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini.skk | C:\Windows\system32\taskmgr.exe | N/A |
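Two things to read into the entries above before treating them as separate findings. The file in the Startup folder is `desktop.ini.skk`, carrying the same appended `.skk` suffix as the 320 renamed files, so the "Drops startup file" hit is the encryptor sweeping an existing `desktop.ini` in that folder rather than planting a persistence executable there; nothing in the report shows a new program registered to run at logon. The same suffix appears on `top_level.txt.skk` inside the sample's own `_MEI37282` unpack directory under Files, with hashes that differ from the original `top_level.txt`, so the sample rewrote content rather than only names and did not exclude its own working directory. The sweep below is an added example, not sandbox or sample code: it walks a tree, groups files by outermost suffix and flags a suffix that was bolted onto many files of several original types, which separates a ransomware extension from legitimate doubles such as `.tar.gz`. The tree it scans is constructed in a temporary directory; the `.skk` suffix and the Startup path mirror this report, and the thresholds are the author's assumptions to tune per environment.

```python
"""Hunt for the mass-rename pattern behind "Renames multiple (320) files with
added filename extension": many files, of many original types, that all gained
the same trailing suffix.  Added example; the victim tree is constructed."""
import os
import pathlib
import shutil
import tempfile
from collections import defaultdict

STARTUP_MARKER = os.path.join("Start Menu", "Programs", "Startup")


def split_appended(name: str):
    """'report.docx.skk' -> ('.docx', '.skk'); names without two suffixes -> None."""
    stem, dot, outer = name.rpartition(".")
    if not dot or not stem:
        return None
    _, dot2, inner = stem.rpartition(".")
    if not dot2 or not inner:
        return None
    return "." + inner.lower(), "." + outer.lower()


def sweep(root: str, min_files: int = 20, min_inner_types: int = 3) -> dict:
    """Group files by outermost suffix and return the suffixes applied to at least
    min_files files spanning at least min_inner_types original extensions.
    A legitimate double such as .tar.gz has one inner type and never qualifies."""
    by_outer = defaultdict(lambda: {"count": 0, "inner": set(), "examples": [], "in_startup": False})
    for dirpath, _, files in os.walk(root):
        for fn in files:
            split = split_appended(fn)
            if split is None:
                continue
            inner, outer = split
            rec = by_outer[outer]
            rec["count"] += 1
            rec["inner"].add(inner)
            if len(rec["examples"]) < 3:
                rec["examples"].append(os.path.relpath(os.path.join(dirpath, fn), root))
            if STARTUP_MARKER in dirpath:          # renamed file under the per-user Startup folder
                rec["in_startup"] = True
    return {outer: {"count": rec["count"], "inner": sorted(rec["inner"]),
                    "examples": rec["examples"], "in_startup": rec["in_startup"]}
            for outer, rec in by_outer.items()
            if rec["count"] >= min_files and len(rec["inner"]) >= min_inner_types}


def build_fixture(root: str) -> None:
    """Constructed profile: 24 documents of six types renamed with .skk, one untouched
    file, one legitimate .tar.gz, and the Startup-folder desktop.ini renamed to
    desktop.ini.skk as in the report."""
    docs = pathlib.Path(root, "Documents")
    docs.mkdir()
    for i in range(24):
        ext = [".docx", ".xlsx", ".pdf", ".jpg", ".txt", ".pptx"][i % 6]
        (docs / f"file{i}{ext}.skk").write_bytes(os.urandom(32))   # stands in for ciphertext
    (docs / "untouched.txt").write_bytes(b"still plaintext")
    (docs / "backup.tar.gz").write_bytes(b"")
    startup = pathlib.Path(root, "AppData", "Roaming", "Microsoft", "Windows", STARTUP_MARKER)
    startup.mkdir(parents=True)
    (startup / "desktop.ini.skk").write_bytes(b"")


def demo() -> dict:
    """Build the fixture in a temp dir, run the sweep, clean up, return the hits."""
    root = tempfile.mkdtemp(prefix="skk_hunt_")
    try:
        build_fixture(root)
        return sweep(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for outer, rec in demo().items():
        print(f"{outer}: {rec['count']} files over {len(rec['inner'])} original types; "
              f"Startup folder touched: {rec['in_startup']}; e.g. {rec['examples']}")
```

Against a live host, point `sweep` at the user profile root; a single suffix over hundreds of files and a dozen original types is the signal, and `in_startup` tells you whether the Startup folder hit is this same sweep or something that deserves separate persistence triage.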
Loads dropped DLL
Reads user/profile data of web browsers
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ransom.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3728 wrote to memory of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\ransom.exe | C:\Users\Admin\AppData\Local\Temp\ransom.exe |
| PID 3728 wrote to memory of 4544 | N/A | C:\Users\Admin\AppData\Local\Temp\ransom.exe | C:\Users\Admin\AppData\Local\Temp\ransom.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ransom.exe
"C:\Users\Admin\AppData\Local\Temp\ransom.exe"
C:\Users\Admin\AppData\Local\Temp\ransom.exe
"C:\Users\Admin\AppData\Local\Temp\ransom.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\msedge_installer.log
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
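Every row in the Network table is a query to 8.8.8.8:53 for an `in-addr.arpa` name, that is, a reverse (PTR) lookup, and no connection to a resolved host follows. Reading the labels backwards gives the address being asked about; `228.249.119.40.in-addr.arpa` is 40.119.249.228, for instance. The report attributes none of these rows to a process, and reverse lookups of this shape are commonly generated by Windows itself on a freshly booted sandbox, so check the decoded addresses against your own telemetry before recording them as indicators for this sample. The decoder below is an added example, not part of the report: the table rows it parses are copied from above, the `ip6.arpa` handling goes beyond the table (which has no IPv6 rows) and is exercised with a constructed name, and it reports any non-DNS destination, of which this detonation shows none.

```python
"""Decode the reverse-lookup names in a sandbox Network table back to the
addresses being asked about, and list any destination that is not DNS.
Added example; NETWORK_ROWS is copied from the report's table."""
import ipaddress
from typing import Optional

NETWORK_ROWS = """\
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
"""


def ptr_name_to_ip(name: str) -> Optional[str]:
    """'228.249.119.40.in-addr.arpa' -> '40.119.249.228'; ip6.arpa nibble names are
    reassembled too.  Anything that is not a well-formed reverse name gives None."""
    labels = name.strip().lower().rstrip(".").split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            return str(ipaddress.IPv6Address(int("".join(reversed(labels[:32])), 16)))
    except ValueError:                      # octet out of range or a non-hex nibble
        return None
    return None


def decode_network_table(rows: str) -> list:
    """Parse '| country | dest | domain | proto |' rows; non-table lines are skipped."""
    out = []
    for line in rows.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        out.append({"country": country, "dest": dest, "domain": domain, "proto": proto,
                    "asked_about": ptr_name_to_ip(domain)})
    return out


def summarize(rows: str) -> dict:
    """Addresses the host reverse-resolved, plus every destination that is not port 53."""
    decoded = decode_network_table(rows)
    return {
        "ptr_targets": [d["asked_about"] for d in decoded if d["asked_about"]],
        "non_dns_destinations": [d["dest"] for d in decoded if not d["dest"].endswith(":53")],
    }


if __name__ == "__main__":
    summary = summarize(NETWORK_ROWS)
    print("reverse-resolved:", ", ".join(summary["ptr_targets"]))
    print("non-DNS destinations:", summary["non_dns_destinations"] or "none")
```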
Files
C:\Users\Admin\AppData\Local\Temp\_MEI37282\python310.dll
| MD5 | a1185bef38fdba5e3fe6a71f93a9d142 |
| SHA1 | e2b40f5e518ad000002b239a84c153fdc35df4eb |
| SHA256 | 8d0bec69554317ccf1796c505d749d5c9f3be74ccbfce1d9e4d5fe64a536ae9e |
| SHA512 | cb9baea9b483b9153efe2f453d6ac0f0846b140e465d07244f651c946900bfcd768a6b4c0c335ecebb45810bf08b7324501ea22b40cc7061b2f2bb98ed7897f4 |
C:\Users\Admin\AppData\Local\Temp\_MEI37282\VCRUNTIME140.dll
| MD5 | a87575e7cf8967e481241f13940ee4f7 |
| SHA1 | 879098b8a353a39e16c79e6479195d43ce98629e |
| SHA256 | ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e |
| SHA512 | e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0 |
C:\Users\Admin\AppData\Local\Temp\_MEI37282\base_library.zip
| MD5 | 514cf74da8ee921006c003a1257df418 |
| SHA1 | 59321f253aacda0287335048193747bd0c274c98 |
| SHA256 | 762591f4a42f9dc8b9e9a6c0ed6bd5c3b39875eeacc34a6bf078c18a3e735982 |
| SHA512 | df1e5dd55f09bfe3a9354911b4568a706e563b03c56be0a18934dfe5225e8101b84a561b8826b7fd6d146485f79c0bf156a3ff5cb11cc8c79942d084b2de3339 |
C:\Users\Admin\AppData\Local\Temp\_MEI37282\python3.DLL
| MD5 | 0812ee5d8abc0072957e9415ba6e62f2 |
| SHA1 | ea05c427e46c5d9470ba81d6b7cbca6838ee0dd5 |
| SHA256 | 84a29c369560c5175d22ee764fe8ada882ab6b37b6b10c005404153518a344ec |
| SHA512 | 18ca5631f2ae957b9ec8eaa7aa87094d3a296548790ced970752625a0f271511e0ce0042a0ea5469a9c362a0d811c530ef6fe41b84c61b25c838466acc37f22b |
C:\Users\Admin\AppData\Local\Temp\_MEI37282\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI37282\_bz2.pyd
| MD5 | a1fbcfbd82de566a6c99d1a7ab2d8a69 |
| SHA1 | 3e8ba4c925c07f17c7dffab8fbb7b8b8863cad76 |
| SHA256 | 0897e209676f5835f62e5985d7793c884fd91b0cfdfaff893fc05176f2f82095 |
| SHA512 | 55679427c041b2311cff4e97672102962f9d831e84f06f05600ecdc3826f6be5046aa541955f57f06e82ee72a4ee36f086da1f664f493fbe4cc0806e925afa04 |
C:\Users\Admin\AppData\Local\Temp\_MEI37282\_lzma.pyd
| MD5 | a6bee109071bbcf24e4d82498d376f82 |
| SHA1 | 1babacdfaa60e39e21602908047219d111ed8657 |
| SHA256 | ce72d59a0e96077c9ea3f1fd7b011287248dc8d80fd3c16916a1d9040a9a941f |
| SHA512 | 8cb2dafd19f212e71fa32cb74dad303af68eaa77a63ccf6d3a6ae82e09ac988f71fe82f8f2858a9c616b06dc42023203fa9f7511fac32023be0bc8392272c336 |
C:\Users\Admin\AppData\Local\Temp\_MEI37282\_socket.pyd
| MD5 | c5378bac8c03d7ef46305ee8394560f5 |
| SHA1 | 2aa7bc90c0ec4d21113b8aa6709569d59fadd329 |
| SHA256 | 130de3506471878031aecc4c9d38355a4719edd3786f27262a724efc287a47b9 |
| SHA512 | 1ecb88c62a9daad93ec85f137440e782dcc40d7f1598b5809ab41bf86a5c97224e2361c0e738c1387c6376f2f24d284583fd001c4e1324d72d6989d0b84bf856 |
C:\Users\Admin\AppData\Local\Temp\_MEI37282\select.pyd
| MD5 | 63ede3c60ee921074647ec0278e6aa45 |
| SHA1 | a02c42d3849ad8c03ce60f2fd1797b1901441f26 |
| SHA256 | cb643556c2dcdb957137b25c8a33855067e0d07547e547587c9886238253bfe5 |
| SHA512 | d0babc48b0e470abdafad6205cc0824eec66dbb5bff771cee6d99a0577373a2de2ffab93e86c42c7642e49999a03546f94e7630d3c58db2cff8f26debc67fcad |
C:\Users\Admin\AppData\Local\Temp\_MEI37282\psutil\_psutil_windows.pyd
| MD5 | 3cba71b6bc59c26518dc865241add80a |
| SHA1 | 7e9c609790b1de110328bbbcbb4cd09b7150e5bd |
| SHA256 | e10b73d6e13a5ae2624630f3d8535c5091ef403db6a00a2798f30874938ee996 |
| SHA512 | 3ef7e20e382d51d93c707be930e12781636433650d0a2c27e109ebebeba1f30ea3e7b09af985f87f67f6b9d2ac6a7a717435f94b9d1585a9eb093a83771b43f2 |
C:\Users\Admin\AppData\Local\Temp\_MEI37282\_hashlib.pyd
| MD5 | ad6e31dba413be7e082fab3dbafb3ecc |
| SHA1 | f26886c841d1c61fb0da14e20e57e7202eefbacc |
| SHA256 | 2e30544d07f1c55d741b03992ea57d1aa519edaaa121e889f301a5b8b6557fe4 |
| SHA512 | 6401664e5c942d98c6fa955cc2424dfa0c973bd0ac1e515f7640c975bba366af1b3e403ea50e753f837dcd82a04af2ce043e22b15fa9976af7cbb30b3ac80452 |
C:\Users\Admin\AppData\Local\Temp\_MEI37282\libcrypto-1_1.dll
| MD5 | ab01c808bed8164133e5279595437d3d |
| SHA1 | 0f512756a8db22576ec2e20cf0cafec7786fb12b |
| SHA256 | 9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55 |
| SHA512 | 4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2 |
C:\Users\Admin\AppData\Local\Temp\_MEI37282\_ctypes.pyd
| MD5 | 92276f41ff9c856f4dbfa6508614e96c |
| SHA1 | 5bc8c3555e3407a3c78385ff2657de3dec55988e |
| SHA256 | 9ab1f8cbb50db3d9a00f74447a2275a89ec52d1139fc0a93010e59c412c2c850 |
| SHA512 | 9df63ef04ea890dd0d38a26ac64a92392cf0a8d0ad77929727238e9e456450518404c1b6bb40844522fca27761c4e864550aacb96e825c4e4b367a59892a09e7 |
C:\Users\Admin\AppData\Local\Temp\_MEI37282\_ssl.pyd
| MD5 | 9d810454bc451ff440ec95de36088909 |
| SHA1 | 8c890b934a2d84c548a09461ca1e783810f075be |
| SHA256 | 5a4c78adedf0bcb5fc422faac619b4c7b57e3d7ba4f2d47a98c1fb81a503b6b7 |
| SHA512 | 0800666f848faec976366dbfd2c65e7b7e1d8375d5d9e7d019bf364a1f480216c271c3bcf994dbab19290d336cf691cd8235e636f3dbc4d2a77f4760871c19ed |
C:\Users\Admin\AppData\Local\Temp\_MEI37282\libssl-1_1.dll
| MD5 | de72697933d7673279fb85fd48d1a4dd |
| SHA1 | 085fd4c6fb6d89ffcc9b2741947b74f0766fc383 |
| SHA256 | ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f |
| SHA512 | 0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c |
C:\Users\Admin\AppData\Local\Temp\_MEI37282\cryptography\hazmat\bindings\_rust.pyd
| MD5 | 7d6f3ad57f25c087286a55fe1ecd55db |
| SHA1 | df87721286061ef3e5687fd29924c025d230c9e9 |
| SHA256 | bca2dd906302a6a84e9aa5f41b06c4deef4fee139e861d5c538ba30bd4c40574 |
| SHA512 | 8a042d70956c6d8d617b9fb73f942209c4396cee11a8ef64b8cce77f5989ac5fc728f04353b342beb1823953c6e73fdc50ccdc0d72721b81f515581ca5c32f6a |
C:\Users\Admin\AppData\Local\Temp\_MEI37282\bcrypt\_bcrypt.pyd
| MD5 | 03ef5e8da65667751e1fd3fa0c182d3e |
| SHA1 | 4608d1efca23143006c1338deda144a2f3bb8a16 |
| SHA256 | 3d1c66bdcb4fa0b8e917895e1b4d62ee14260eaa1bd6fe908877c47585ec6127 |
| SHA512 | c094a3dfbd863726524c56dab2592b3513a3a8c445bcaac6cfb41a5ddec3079d9b1f849c6826c1cc4241ca8b0aa44e33d2502bb20856313966af31f480ba8811 |
C:\Users\Admin\AppData\Local\Temp\_MEI37282\cryptography\hazmat\bindings\_openssl.pyd
| MD5 | 772cace2ab493c306930c01050a5b667 |
| SHA1 | 5130913527cb73ca1358875f63464907088f0a5b |
| SHA256 | da0dea85eb34de0e50ab1d343d33ed0a99b3af5e2f479d306fce5c0ed604b1d8 |
| SHA512 | b0019a4ff07a5d76e1c01dd7079ea9eae5bd1cede64af917ba94206ad434acf946efad90ebfd240cfefcdb22c8ca732af659e4408105a9ff130545950ed1bd2d |
C:\Users\Admin\AppData\Local\Temp\_MEI37282\_cffi_backend.cp310-win_amd64.pyd
| MD5 | 282b92ef9ed04c419564fbaee2c5cdbe |
| SHA1 | e19b54d6ab67050c80b36a016b539cbe935568d5 |
| SHA256 | 5763c1d29903567cde4d46355d3a7380d10143543986ca4eebfca4d22d991e3e |
| SHA512 | 3ddebdc28d0add9063ee6d41f14331898f92452a13762b6c4c9aa5a83dde89510176425c11a48591fa05c949cb35218bf421f1974e33eb8133a1b95ea74e4941 |
C:\Users\Admin\AppData\Local\Temp\_MEI37282\cryptography-38.0.1.dist-info\top_level.txt
| MD5 | e7274bd06ff93210298e7117d11ea631 |
| SHA1 | 7132c9ec1fd99924d658cc672f3afe98afefab8a |
| SHA256 | 28d693f929f62b8bb135a11b7ba9987439f7a960cc969e32f8cb567c1ef79c97 |
| SHA512 | aa6021c4e60a6382630bebc1e16944f9b312359d645fc61219e9a3f19d876fd600e07dca6932dcd7a1e15bfdeac7dbdceb9fffcd5ca0e5377b82268ed19de225 |
C:\Users\Admin\AppData\Local\Temp\_MEI37282\cryptography-38.0.1.dist-info\top_level.txt.skk
| MD5 | fb64417db41de0ff4c32f1445aa566f9 |
| SHA1 | 54807fae2c936c58a763af2bfeffcdda5813a863 |
| SHA256 | 966033e4fd8feb43db835a8dc7aedf40e36641cbf096301b97343febdbe99b5c |
| SHA512 | ad0d3111234ff0fa3b0d76475776a8366752f7dd12d4fce6bd4cb4a1846fe58786268cd450050e4f6b7051c1f850315b17fd54c0ad143acd304944a9300e4384 |
memory/3352-400-0x000001600EE30000-0x000001600EE31000-memory.dmp
memory/3352-401-0x000001600EE30000-0x000001600EE31000-memory.dmp
memory/3352-402-0x000001600EE30000-0x000001600EE31000-memory.dmp
memory/3352-411-0x000001600EE30000-0x000001600EE31000-memory.dmp
memory/3352-412-0x000001600EE30000-0x000001600EE31000-memory.dmp
memory/3352-410-0x000001600EE30000-0x000001600EE31000-memory.dmp
memory/3352-409-0x000001600EE30000-0x000001600EE31000-memory.dmp
memory/3352-408-0x000001600EE30000-0x000001600EE31000-memory.dmp
memory/3352-406-0x000001600EE30000-0x000001600EE31000-memory.dmp
memory/3352-407-0x000001600EE30000-0x000001600EE31000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.skk
| MD5 | b0679dc4befcbf5e022a562a811c02fa |
| SHA1 | 1c1c5f1d9097094e5e1030abed690fb2157a06d3 |
| SHA256 | 4b7c3ae0577b4ec0900dbddbd5899347321957a48f4533571ee44ebe92df102f |
| SHA512 | 85786edc0bc6b602ef5af5445553922def1e619ae21810d33cef30aafa97859a685d5fcffe9926529d458a65d4a009c803c38e71d9e73b8fc840f7568c84cb5b |