Resubmissions
13-07-2024 09:54
240713-lxbx6swdmm 1013-07-2024 09:50
240713-lvbvdsyapd 1013-07-2024 09:46
240713-lr1dksyajd 10Analysis
-
max time kernel
1659s -
max time network
1155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
13-07-2024 09:54
General
-
Target
22a1f50db97e2f91417a668d7c31379012b9f756d37a6697220b10aaf1f8b585.exe
-
Size
240KB
-
MD5
598b2a2bdfb474047a6d5b5f0469c27a
-
SHA1
a2d42ceb046e3bfcab1bb3dc9ef9e89f12e2bd66
-
SHA256
22a1f50db97e2f91417a668d7c31379012b9f756d37a6697220b10aaf1f8b585
-
SHA512
ff6930e0dd15d7fc23f3cd62b5213863ec0c59b8ada189960e52be1832c8a1b928ddb3debf9eca65bbd5203e7b191e55d79dd2c7592bed3e197bdfb5b200ddbf
-
SSDEEP
3072:PC4zn72NrvV9YhZv0FKbgx2HMdYlTYpu/EVarwBwCc45TEywugt45ZoIWpEzGVz1:Pn72NrvV9OCTE45Z1WpEKvmSx7ri
Malware Config
Signatures
-
Renames multiple (133) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\22a1f50db97e2f91417a668d7c31379012b9f756d37a6697220b10aaf1f8b585.exe"C:\Users\Admin\AppData\Local\Temp\22a1f50db97e2f91417a668d7c31379012b9f756d37a6697220b10aaf1f8b585.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\usb_maker.bat" "2⤵
- NTFS ADS
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD58b926e674282e555448c3d236419cc02
SHA14a4e549641f3e780a6b1f1d02963919bd80919c3
SHA256a942687463c636d9ae805ed322285cb4454312924f9d6cdd8dfa28e5a9a4a925
SHA5125fa18988494427d99c2025d887484a8450042ccf52fd1883490f24dcbd5c61bf8a120a5b9edb15172957513f12db126e68677a5759349976af71cd0cdef0d162
-
Filesize
55B
MD5b93eb695a60a289d6ec60bf91ade3f47
SHA1162bbce41920668be61dd0c6cbf2686b3df721f0
SHA25665c12214995d2dca08255cbcce236746950a6a064b511fa9e98f7ce4d00ca3a1
SHA512b8aa02d79be5bee12a783c09dbad88774c07b1381760f4f4d8381a487911ee1403923bd75f1e4d27007ec1981be667fa9313fc635153c24ff6efddd202a58c15
-
Filesize
4KB
-
Filesize
264KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB