5b9b5f27d6f7be21ddb67a6fab7d1b5b876b9231bee48841c27760f6f8a49692

Analysis

max time kernel
1800s
max time network
1592s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
06/07/2024, 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

slam.ransomware.builder.installer.exe
Size

6.3MB
MD5

74bd5f609dabc4f942d8a8efe45e8c6e
SHA1

6955b5e2c45ff24084384ab5af0ef752f1b85e2f
SHA256

5b9b5f27d6f7be21ddb67a6fab7d1b5b876b9231bee48841c27760f6f8a49692
SHA512

043b12f9589cd7bab9b440e5cab0bdfc2b33f283dc34cb1102d0ad77c9d023db3a2afeee04a111bb00c988b41c854074bc17b51bf7396ca6692fe63c6f214d59
SSDEEP

196608:GO0jDOM+uGFAgEXlhsjPMxKrjBlU3UG62I3Hpd9j:GO03OJuGqgxPM4rjskG62I3jZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2040	start.exe
1772	slam.exe

Loads dropped DLL 2 IoCs

pid	Process
1772	slam.exe
1772	slam.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1636	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe
3104	slam.ransomware.builder.installer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3104	slam.ransomware.builder.installer.exe
Token: SeDebugPrivilege	1636	taskkill.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 2680	3104	slam.ransomware.builder.installer.exe	73
PID 3104 wrote to memory of 2680	3104	slam.ransomware.builder.installer.exe	73
PID 3104 wrote to memory of 2680	3104	slam.ransomware.builder.installer.exe	73
PID 3104 wrote to memory of 8	3104	slam.ransomware.builder.installer.exe	74
PID 3104 wrote to memory of 8	3104	slam.ransomware.builder.installer.exe	74
PID 3104 wrote to memory of 8	3104	slam.ransomware.builder.installer.exe	74
PID 2680 wrote to memory of 1636	2680	cmd.exe	77
PID 2680 wrote to memory of 1636	2680	cmd.exe	77
PID 2680 wrote to memory of 1636	2680	cmd.exe	77
PID 3104 wrote to memory of 4564	3104	slam.ransomware.builder.installer.exe	79
PID 3104 wrote to memory of 4564	3104	slam.ransomware.builder.installer.exe	79
PID 3104 wrote to memory of 4564	3104	slam.ransomware.builder.installer.exe	79
PID 4564 wrote to memory of 2040	4564	cmd.exe	81
PID 4564 wrote to memory of 2040	4564	cmd.exe	81
PID 4564 wrote to memory of 2040	4564	cmd.exe	81
PID 2040 wrote to memory of 2740	2040	start.exe	82
PID 2040 wrote to memory of 2740	2040	start.exe	82
PID 2040 wrote to memory of 2740	2040	start.exe	82
PID 2740 wrote to memory of 1772	2740	cmd.exe	85
PID 2740 wrote to memory of 1772	2740	cmd.exe	85
PID 2740 wrote to memory of 1772	2740	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\slam.ransomware.builder.installer.exe
"C:\Users\Admin\AppData\Local\Temp\slam.ransomware.builder.installer.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\Desktop & del /Q /F slam_ransomware_builder.url & taskkill /F /IM slam.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM slam.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd C:\Users\Admin\Desktop & del /Q /F slam_ransomware_builder.url & exit
  2⤵
  PID:8
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start C:\slam_ransomware_builder\start.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\slam_ransomware_builder\start.exe
    C:\slam_ransomware_builder\start.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4B2D.tmp\start.bat" C:\slam_ransomware_builder\start.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\slam_ransomware_builder\slam.exe
        
        slam.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4B2D.tmp\start.bat

Filesize
96B

MD5
2615bf9ed6d2e854c0602ef8fdd787df

SHA1
4e0682a961ee43b9ddce5b3c03c83945d7d0cc40

SHA256
a33ee4de5292cb00e1833b85a5dc530240bb5f23ee64a56ae7fa23ae4aabc493

SHA512
24ec09d91c3d8d93c7dd595dad8eefd00de24759e039bc4dfc6967291ee54ef2a65b693b02143352a8a7c0e83b372d77389059811927b18f52472ead1332fb8c

Download Submit
C:\slam_ransomware_builder\ConsoleApp2\ConsoleApp2\Properties\AssemblyInfo.cs

Filesize
556B

MD5
a08e9477bcf35558054417f16a5f5617

SHA1
5853ada9553643a039b1b56324f0c95226179c44

SHA256
7ef40c0cf01ec60f42ace3924716f5ccef0f5eea84bd8f9006016ddbfcdf36d2

SHA512
2f7950f9462fb26dfbd133311f2c0403929eef6c75abe416d55ca8e88dceaef15021e294c3ea683d221ae22ba7acac33c63d80d441adf28fa8ffd67a577b11b2

Download Submit
C:\slam_ransomware_builder\FastColoredTextBox.dll

Filesize
325KB

MD5
adac0cee5cc4de7d4046ae1243e41bf0

SHA1
c8d6d92f0dbee64d0f4c0930f0d2699a8253e891

SHA256
68d0e444c0b27552d2cb86501dcb7db3fd64b82d966e9708db0408ec1ba38c79

SHA512
1d7af604540532a4121850760b1e401bb6356e59503c26f3d1fa358a105b7d88362c92f78aa4394095b165f06c484b8c2d2ed640380e85ef9b3eb087d3e7c869

Download Submit
C:\slam_ransomware_builder\slam ransomware builder.exe

Filesize
911KB

MD5
021458678c21929df321f7a9bfb7ff4b

SHA1
80632494db8082eff13f306a23663ff5e60c6171

SHA256
56d887e15714395489e83c9e476a743c44d0cddfaf1c06f3ac4826b0fe95f348

SHA512
af7d677ca06a2d9d0b70701943dfdf4804007c3433d476cd9a35f666052f4e8aa52ddfbb3638cd0283a29c60f64b925569d6bf647ac28b7dfea320bdd75f5fb2

Download Submit
C:\slam_ransomware_builder\start.exe

Filesize
46KB

MD5
f7b1a64333ab633f980b702723fb7cba

SHA1
e7e04a69a84c5a9e7d0901eb00face35457a0df1

SHA256
e7bde6768de9a7a1b1028d7fa52548f8c074b7355820b7a1cb2d4c2c082512d2

SHA512
666d09200f0bc1762903fcfb748335d1fec27cf2cd9723a91d2ad870468b94236ad7c15ed453446accc415f0be5d40f006d57695204fd7fa30c676a8e6d2ecad

Download Submit
C:\slam_ransomware_builder\uac\ConsoleApp2\App.config

Filesize
189B

MD5
9dbad5517b46f41dbb0d8780b20ab87e

SHA1
ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

SHA256
47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

SHA512
43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

Download Submit
memory/1772-153-0x0000000006730000-0x0000000006788000-memory.dmp

Filesize
352KB

Download
memory/1772-147-0x0000000007E60000-0x0000000007EC6000-memory.dmp

Filesize
408KB

Download
memory/1772-146-0x0000000007DC0000-0x0000000007E5C000-memory.dmp

Filesize
624KB

Download
memory/1772-145-0x0000000000B10000-0x0000000000BFA000-memory.dmp

Filesize
936KB

Download
memory/3104-5-0x00000000731A0000-0x000000007388E000-memory.dmp

Filesize
6.9MB

Download
memory/3104-12-0x0000000009CE0000-0x0000000009CF2000-memory.dmp

Filesize
72KB

Download
memory/3104-10-0x00000000017A0000-0x00000000017AA000-memory.dmp

Filesize
40KB

Download
memory/3104-9-0x00000000731A0000-0x000000007388E000-memory.dmp

Filesize
6.9MB

Download
memory/3104-8-0x00000000731A0000-0x000000007388E000-memory.dmp

Filesize
6.9MB

Download
memory/3104-7-0x00000000731AE000-0x00000000731AF000-memory.dmp

Filesize
4KB

Download
memory/3104-6-0x00000000731A0000-0x000000007388E000-memory.dmp

Filesize
6.9MB

Download
memory/3104-0-0x00000000731AE000-0x00000000731AF000-memory.dmp

Filesize
4KB

Download
memory/3104-4-0x0000000005C10000-0x0000000005C1A000-memory.dmp

Filesize
40KB

Download
memory/3104-3-0x0000000005C20000-0x0000000005CB2000-memory.dmp

Filesize
584KB

Download
memory/3104-2-0x0000000006250000-0x000000000674E000-memory.dmp

Filesize
5.0MB

Download
memory/3104-1-0x0000000000D70000-0x00000000013CE000-memory.dmp

Filesize
6.4MB

Download