Resubmissions

30-06-2024 00:59

240630-bcjr6svbkk 10

20-06-2024 02:02

240620-cf43ysxbnk 10

20-06-2024 01:44

240620-b5v1xawemk 10

19-06-2024 01:10

240619-bjmseavfmp 10

18-06-2024 20:40

240618-zfwsxawdpa 10

18-06-2024 13:45

240618-q2vcjawdle 10

Analysis

  • max time kernel
    138s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-06-2024 01:44

General

  • Target

    Documents/Ransomware.Vipasana/Ransomware.Vipasana/e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe

  • Size

    329KB

  • MD5

    adb5c262ca4f95fee36ae4b9b5d41d45

  • SHA1

    cdbe420609fec04ddf3d74297fc2320b6a8a898e

  • SHA256

    e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573

  • SHA512

    dad3541217a7f1fde669441a3f987794ee58ae44e7899d7ed5ebdf59e8174e2924441ea8474701908071df74479a4f928b673c2d9086c67078a2a861b61ba754

  • SSDEEP

    6144:TRzMgpY8bXFHW1FbwwEHidUoagoW2C9cuqBGI4Zq6mYN8+N6MSiF0Q5XNN:pDRbXFHW1+K2UWBGIymYG+zn

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Vipasana\Ransomware.Vipasana\e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe
    "C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Vipasana\Ransomware.Vipasana\e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Users\Admin\AppData\Local\Temp\e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe
      "C:\Users\Admin\AppData\Local\Temp\e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe"
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4080
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KBVNJ.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1528
        • C:\Windows\SysWOW64\chcp.com
          chcp 1251
          4⤵
            PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion
  • Modify Registry (T1112): 2

Credential Access
  • Unsecured Credentials (T1552): 1
  • Credentials In Files (T1552.001): 1

Discovery
  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2

Collection
  • Data from Local System (T1005): 1

Impact
  • Defacement (T1491): 1

Downloads

    • C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml
      Filesize

      3.4MB

      MD5

      2cd7af95219dcdae01ca23bf3056d093

      SHA1

      eb247205e492b91588988e2aa7bcfe536636dba1

      SHA256

      603d4bdad6bd631e39df4cede61101830f7c51930f290bfe69cb22834b6c72f0

      SHA512

      70800ef80155a151a426d61d1ef1aafc9d933001f9806acb4ccad25c6f81d3fff3ed372e59ff3e04d2af8d5183d441e42a9c62ae506fbe4272853f0bc0466a0a

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{79cdde58-390c-442a-a73b-387be457ad90}\0.1.filtertrie.intermediate.txt
      Filesize

      19KB

      MD5

      01cb4429b40af23f4bd1462344a1aea8

      SHA1

      20c20f30f8d22aee758a1066f000bd1184e38be0

      SHA256

      e2e40020fdddf3db175aa4e3313d1409b2baf0430e09514b66e52f402303b00c

      SHA512

      a9d53e6a17a0f85260349dc93a25c4ede542fe1c5fbc2e80a3f3759083e9f889752ee3ab969a6ac9b507e354d60e3f40ba415bc5d211ee182d20c38e8eb79a1b

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{79cdde58-390c-442a-a73b-387be457ad90}\0.2.filtertrie.intermediate.txt
      Filesize

      19KB

      MD5

      b83e58da08830d5c3fa1cbb54459e9e4

      SHA1

      0a09dd36a492d183e07636decd44be45b5028877

      SHA256

      4283f49b6b93a12bd9ccbd065baf7c6ba2a5ff80c8697824b451cf42366021dd

      SHA512

      9706797d1dd0d565234ba9d789f9a73c579a5597b9f92b21e6207cf76c8239f770b3fa73826df1ec598088fe431a9e9f4c058e37a0f52b6d59b7e417bf0944d4

    • C:\Users\Admin\AppData\Local\Temp\KBVNJ.bat
      Filesize

      309B

      MD5

      3d0159fbb3676cbb543a76e4555c646c

      SHA1

      29751571253c415888732a50f9353d5ce0201018

      SHA256

      5e59606c3d1d9605fbbf2796fc13fc005959823b9876a2d8ef21c08dfd952069

      SHA512

      15e6b7ac8a88f69350d080ce705c80a1bca33418b81a23540345a0c35f6855a72828a2faefb6d47641911e60657fa3bc25462e64ae1c5ac02e5bdb3cd41edc69

    • C:\Users\Admin\AppData\Local\Temp\e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573.exe
      Filesize

      329KB

      MD5

      adb5c262ca4f95fee36ae4b9b5d41d45

      SHA1

      cdbe420609fec04ddf3d74297fc2320b6a8a898e

      SHA256

      e49778d20a2f9b1f8b00ddd24b6bcee81af381ed02cfe0a3c9ab3111cda5f573

      SHA512

      dad3541217a7f1fde669441a3f987794ee58ae44e7899d7ed5ebdf59e8174e2924441ea8474701908071df74479a4f928b673c2d9086c67078a2a861b61ba754

    • memory/3056-7-0x0000000000400000-0x000000000045A000-memory.dmp
      Filesize

      360KB

    • memory/4080-1006-0x0000000000400000-0x000000000045A000-memory.dmp
      Filesize

      360KB

    • memory/4080-1870-0x0000000000400000-0x000000000045A000-memory.dmp
      Filesize

      360KB

    • memory/4080-1485-0x0000000000400000-0x000000000045A000-memory.dmp
      Filesize

      360KB

    • memory/4080-2094-0x0000000000400000-0x000000000045A000-memory.dmp
      Filesize

      360KB

    • memory/4080-2095-0x0000000000400000-0x000000000045A000-memory.dmp
      Filesize

      360KB

    • memory/4080-2108-0x0000000000400000-0x000000000045A000-memory.dmp
      Filesize

      360KB

    • memory/4080-2120-0x0000000000400000-0x000000000045A000-memory.dmp
      Filesize

      360KB

    • memory/4080-675-0x0000000000400000-0x000000000045A000-memory.dmp
      Filesize

      360KB