Overview

overview

10

Static

static

10

020db58e3c...4c.exe

windows10-2004-x64

10

06cbef0e90...f8.exe

windows10-2004-x64

9

083c5b43df...fb.exe

windows10-2004-x64

10

15cb04fa5c...4f.exe

windows10-2004-x64

9

22a1f50db9...85.exe

windows10-2004-x64

9

24cb5e44b6...8d.exe

windows10-2004-x64

10

27c9f44e0c...d6.exe

windows10-2004-x64

10

2c2aa8458f...3d.exe

windows10-2004-x64

7

2e9e18954a...d1.exe

windows10-2004-x64

10

2ebb2a34dd...c6.exe

windows10-2004-x64

10

2fff52aa0c...21.exe

windows10-2004-x64

10

37ca1cfa1f...60.exe

windows10-2004-x64

10

38cd67a044...4c.exe

windows10-2004-x64

9

3d4f84e20d...96.exe

windows10-2004-x64

49cff73125...4b.exe

windows10-2004-x64

10

4c0153b979...a5.exe

windows10-2004-x64

10

4ded976d2e...5a.exe

windows10-2004-x64

10

4ee95ee627...68.exe

windows10-2004-x64

10

5b439daac4...d7.exe

windows10-2004-x64

10

67df6d4554...78.exe

windows10-2004-x64

3

6b3bf710cf...2e.exe

windows10-2004-x64

7

6df64a0a92...fe.exe

windows10-2004-x64

10

75b45fea60...34.exe

windows10-2004-x64

10

82e6b71b99...5a.exe

windows10-2004-x64

10

8a6aa9e5d5...47.exe

windows10-2004-x64

10

8bcfb60733...fd.exe

windows10-2004-x64

10

8bf1319fd0...6c.exe

windows10-2004-x64

10

8d76a9a577...20.exe

windows10-2004-x64

10

8dd283ca01...4c.exe

windows10-2004-x64

10

8edaee2550...e7.exe

windows10-2004-x64

10

9bff71afad...75.exe

windows10-2004-x64

10

9d7fb7050c...20.exe

windows10-2004-x64

10

Resubmissions

13-07-2024 09:54

240713-lxbx6swdmm 10

13-07-2024 09:50

240713-lvbvdsyapd 10

13-07-2024 09:46

240713-lr1dksyajd 10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-07-2024 09:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe

  • Size

    145KB

  • MD5

    9f16d35de8c312ba0b6f9efd558487fe

  • SHA1

    93040ad968110a6c96c9e2f74f6902aa52b71057

  • SHA256

    6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e

  • SHA512

    1534d12e38937d0c9597f67540b1c849728a637eb7dcd1286e28c9bd72a463bdbc492247beffd16e47986157323134edc84eb1d1f2e857d5c4a136427fe99699

  • SSDEEP

    1536:6Cpb2XbbPD1c2lB4a9wL7vkYq0Hk5rR5JkVJ4y/uU/rLV9YYccquTrX7YeOzk+7J:ZyXbt4aEcTrR5OVZ/rLV9Yrcqu3

Score
7/10
persistenceransomware

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe
    "C:\Users\Admin\AppData\Local\Temp\6b3bf710cf4a0806b2c5eaa26d2d91ca57575248ff0298f6dee7180456f37d2e.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Sets desktop wallpaper using registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Read Me First!.txt
      2⤵
        PID:3940
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c @echo off & echo github: https://t.me/temon_69 & start https://t.me/temon_69
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/temon_69
          3⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:4992
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbbc6646f8,0x7ffbbc664708,0x7ffbbc664718
            4⤵
              PID:4148
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,18422683717933188888,5629834264465830673,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
              4⤵
                PID:3128
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,18422683717933188888,5629834264465830673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:1704
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,18422683717933188888,5629834264465830673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
                4⤵
                  PID:4672
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18422683717933188888,5629834264465830673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
                  4⤵
                    PID:4140
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18422683717933188888,5629834264465830673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
                    4⤵
                      PID:4660
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18422683717933188888,5629834264465830673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
                      4⤵
                        PID:1624
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,18422683717933188888,5629834264465830673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
                        4⤵
                          PID:4256
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,18422683717933188888,5629834264465830673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
                          4⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:60
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18422683717933188888,5629834264465830673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
                          4⤵
                            PID:4520
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18422683717933188888,5629834264465830673,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
                            4⤵
                              PID:1776
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18422683717933188888,5629834264465830673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
                              4⤵
                                PID:2732
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18422683717933188888,5629834264465830673,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
                                4⤵
                                  PID:2876
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,18422683717933188888,5629834264465830673,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4356 /prefetch:2
                                  4⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:2984
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:3364
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:2188

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\866bdc33-46eb-477d-b2f0-1745d5358a8b.tmp
                                Filesize

                                11KB

                                MD5

                                c3a6b664073f4eaf81397e4b01a6d065

                                SHA1

                                9f7d09b60ad3a65184801c0fa80c18fae50b571c

                                SHA256

                                854f5b855b99bffdf4d31c02f818ec44a34543988a336bc70c33106987cc3a1e

                                SHA512

                                00a8479af061aaf81d1c645af93416385f6a49330beda6efbab84b2218ac387965ae7349d76a870559fbddc8612636708515231f8bb43ccbc7b1830c3a13dacd

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                Filesize

                                152B

                                MD5

                                60ead4145eb78b972baf6c6270ae6d72

                                SHA1

                                e71f4507bea5b518d9ee9fb2d523c5a11adea842

                                SHA256

                                b9e99e7387a915275e8fe4ac0b0c0cd330b4632814d5c9c446beb2755f1309a7

                                SHA512

                                8cdbafd2783048f5f54f22e13f6ef890936d5b986b0bb3fa86d2420a5bfecf7bedc56f46e6d5f126eae79f492315843c134c441084b912296e269f384a73ccde

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                Filesize

                                152B

                                MD5

                                1f9d180c0bcf71b48e7bc8302f85c28f

                                SHA1

                                ade94a8e51c446383dc0a45edf5aad5fa20edf3c

                                SHA256

                                a17d56c41d524453a78e3f06e0d0b0081e79d090a4b75d0b693ddbc39f6f7fdc

                                SHA512

                                282863df0e51288049587886ed37ad1cf5b6bfeed86454ea3b9f2bb7f0a1c591f3540c62712ebfcd6f1095e1977446dd5b13b904bb52b6d5c910a1efc208c785

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                Filesize

                                72B

                                MD5

                                ae4caa15f31ed6d8ed4f26bb863a1984

                                SHA1

                                6480fb10c9c5ac6a349de56706df72879b07e8eb

                                SHA256

                                fc39c6d8a21b4bd8e08015c0fe7b3cbc4b7194fc7313de27e937dae89d6f627d

                                SHA512

                                22e06f5eccc65b360e7179a48e4bd16679aed941e3e009145e63e3b5daf622c81927f48985fdb5d326efb64afe41f968c7d32243fbae0c85a8a258a7a34f80c5

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                Filesize

                                242B

                                MD5

                                e384a795d1e597feb0a5bebd13dcde50

                                SHA1

                                7ce66637789b61ae163c1de62dc996a99cdef796

                                SHA256

                                42a6ef02d02be95231cee980c97d4398ac167e7264a5cf838b3e3a2ad2a3380b

                                SHA512

                                36f58ca4b73ed5fdfd9b2557d09203189dc9cb3db29ee9716f89bb75a8f6d1c32cca67e597dfefb3b9074be0a024ba51ff40d8024439ccbb16d17316abc2215c

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                Filesize

                                6KB

                                MD5

                                c7d6cd77ce89d2390a8fe11814b262ac

                                SHA1

                                ed5556dfacd1257af51830afed800b0e2d732f0c

                                SHA256

                                9d400f44c0ab883944e2c4786a0afaff7ad569d10fdb9a2fe858ff496463f18f

                                SHA512

                                8f94c5e2655f37e5d3ed15f0de6dcddb28fd93bde46b91e8eec5c7c08ea96fd3e8399706523dcae31c1c6ff09c576b7530a35483b7fcd46988d8f53bf3ec8bb7

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                Filesize

                                6KB

                                MD5

                                bd16dade7a675a44040eb5fe3315e983

                                SHA1

                                d36149aaa274715b854d43149fbbb93354ce8629

                                SHA256

                                551797bd53d5c64a6ec1a8b88081b18adf2d93fa99b3eef537f9b848d8191bca

                                SHA512

                                0d1595de439e964dcbafd575b3e65fb51c4e865326f4e316a15b68c986bd4ec06e5911665e4cf47a3c9092ec3d9e4936cafbbf898a25f63486862ad01be2fa26

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                Filesize

                                16B

                                MD5

                                46295cac801e5d4857d09837238a6394

                                SHA1

                                44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                SHA256

                                0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                SHA512

                                8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                Filesize

                                16B

                                MD5

                                206702161f94c5cd39fadd03f4014d98

                                SHA1

                                bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                SHA256

                                1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                SHA512

                                0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                Download Submit

                              • C:\Users\Admin\AppData\Roaming\Read Me First!.txt
                                Filesize

                                266B

                                MD5

                                5efe8b27a75520511406ff8ddcbc93bc

                                SHA1

                                d3755c5c29e04f356c6852f64e6a318885d93579

                                SHA256

                                426906022fed3ebb1427364f16717af29af909bbfa08b387518ead501ef1c7a8

                                SHA512

                                6ee99458c294e072e7f4bfaeb34bcca1364b4440485b18dfdcf27aadfd7fad67fff11c3238326f7fbd30be8f3670d2c200c2dc9c5f38e36f0dd14d83ca3a5e7b

                                Download Submit

                              • memory/2828-16-0x0000000074560000-0x0000000074D10000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/2828-0-0x000000007456E000-0x000000007456F000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2828-5-0x0000000004D70000-0x0000000004D7A000-memory.dmp

                                Filesize

                                40KB

                                Download

                              • memory/2828-4-0x0000000074560000-0x0000000074D10000-memory.dmp

                                Filesize

                                7.7MB

                                Download

                              • memory/2828-2-0x00000000050D0000-0x0000000005674000-memory.dmp

                                Filesize

                                5.6MB

                                Download

                              • memory/2828-3-0x0000000004C30000-0x0000000004CC2000-memory.dmp

                                Filesize

                                584KB

                                Download

                              • memory/2828-1-0x0000000000230000-0x000000000025A000-memory.dmp

                                Filesize

                                168KB

                                Download