Resubmissions

13-07-2024 09:54

240713-lxbx6swdmm 10

13-07-2024 09:50

240713-lvbvdsyapd 10

13-07-2024 09:46

240713-lr1dksyajd 10

Analysis

  • max time kernel
    835s
  • max time network
    842s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-07-2024 09:50

General

  • Target

    22a1f50db97e2f91417a668d7c31379012b9f756d37a6697220b10aaf1f8b585.exe

  • Size

    240KB

  • MD5

    598b2a2bdfb474047a6d5b5f0469c27a

  • SHA1

    a2d42ceb046e3bfcab1bb3dc9ef9e89f12e2bd66

  • SHA256

    22a1f50db97e2f91417a668d7c31379012b9f756d37a6697220b10aaf1f8b585

  • SHA512

    ff6930e0dd15d7fc23f3cd62b5213863ec0c59b8ada189960e52be1832c8a1b928ddb3debf9eca65bbd5203e7b191e55d79dd2c7592bed3e197bdfb5b200ddbf

  • SSDEEP

    3072:PC4zn72NrvV9YhZv0FKbgx2HMdYlTYpu/EVarwBwCc45TEywugt45ZoIWpEzGVz1:Pn72NrvV9OCTE45Z1WpEKvmSx7ri

Malware Config

Signatures

  • Renames multiple (145) files with added filename extension

    This suggests ransomware activity: encrypting all of the files on the system.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Drops desktop.ini file(s) (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • NTFS ADS (1 IoC)
  • Opens file in notepad (likely ransom note) (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SendNotifyMessage (1 IoC)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\22a1f50db97e2f91417a668d7c31379012b9f756d37a6697220b10aaf1f8b585.exe
    "C:\Users\Admin\AppData\Local\Temp\22a1f50db97e2f91417a668d7c31379012b9f756d37a6697220b10aaf1f8b585.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2240
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\usb_maker.bat" "
      2⤵
      • NTFS ADS
      PID:1512

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\usb_maker.bat

    Filesize

    3KB

    MD5

    8b926e674282e555448c3d236419cc02

    SHA1

    4a4e549641f3e780a6b1f1d02963919bd80919c3

    SHA256

    a942687463c636d9ae805ed322285cb4454312924f9d6cdd8dfa28e5a9a4a925

    SHA512

    5fa18988494427d99c2025d887484a8450042ccf52fd1883490f24dcbd5c61bf8a120a5b9edb15172957513f12db126e68677a5759349976af71cd0cdef0d162

  • C:\Users\Admin\Music\README.txt

    Filesize

    55B

    MD5

    b93eb695a60a289d6ec60bf91ade3f47

    SHA1

    162bbce41920668be61dd0c6cbf2686b3df721f0

    SHA256

    65c12214995d2dca08255cbcce236746950a6a064b511fa9e98f7ce4d00ca3a1

    SHA512

    b8aa02d79be5bee12a783c09dbad88774c07b1381760f4f4d8381a487911ee1403923bd75f1e4d27007ec1981be667fa9313fc635153c24ff6efddd202a58c15

  • memory/2252-0-0x00000000749EE000-0x00000000749EF000-memory.dmp

    Filesize

    4KB

  • memory/2252-1-0x0000000000B80000-0x0000000000BC2000-memory.dmp

    Filesize

    264KB

  • memory/2252-2-0x00000000749E0000-0x00000000750CE000-memory.dmp

    Filesize

    6.9MB

  • memory/2252-320-0x00000000749E0000-0x00000000750CE000-memory.dmp

    Filesize

    6.9MB