Analysis
-
max time kernel
117s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system -
submitted
14-07-2024 13:25
Behavioral tasks (all four run the same sample, 1.exe)
- behavioral1: win7-20240704-en
- behavioral2: win10-20240611-en
- behavioral3: win10v2004-20240709-en
- behavioral4: win11-20240709-en
General
-
Target
1.exe
-
Size
146KB
-
MD5
314275168bf7958219662a242dbfe8a7
-
SHA1
d629032d9d8f491d133ee26a230c393335d7ad74
-
SHA256
f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23
-
SHA512
b5246db461ee78d622a33a758b3d178208b88e0b9e98185f17ee95f2fbbcf66b1059afece1dd5b586d01587bc01662491a6baab208b9836d4b4b9efc55f14c2f
-
SSDEEP
3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUSx:V6gDBGpvEByocWeauV2gvzwUA
Malware Config
Extracted from: C:\7V7uPExzv.README.txt (the note dropped at the root of C:, named after the appended extension)
URLs found in the note:
- http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/
- http://group.goocasino.org
- https://nullbulge.com
Signatures
-
Renames multiple (792) files with added filename extension
Bulk renaming that appends one new extension to many files (here .7V7uPExzv, the extension the sample also registers under HKLM\SOFTWARE\Classes below) is the file-system footprint of ransomware encrypting files across the system.
-
Deletes itself (1 IoC)
Processes:
- 2964 DDF0.tmp
Executes dropped EXE (1 IoC)
Processes:
- 2964 DDF0.tmp
Loads dropped DLL (1 IoC)
Processes:
- 2072 1.exe
Reads user/profile data of web browsers (2 TTPs)
Stored browser data (saved credentials, cookies, history) is a common infostealer target. For a file encryptor this hit can also be the encryption loop walking the browser profile directories, so check which files were opened and whether anything left the host before treating it as credential theft.
-
Drops desktop.ini file(s) (2 IoCs)
Processes:
- File opened for modification: C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini (1.exe)
- File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini (1.exe)
The second path shows the encryptor walking every mounted volume, recycle bins included, not just the user profile on C:.
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\7V7uPExzv.bmp" (1.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\7V7uPExzv.bmp" (1.exe)
Registry value names are case-insensitive, so both writes land on the same value; the sample simply writes it twice. The .bmp is dropped under ProgramData with the same random name as the extension and the note.
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes:
- 2072 1.exe (4 calls)
- 2964 DDF0.tmp (1 call)
NtSetInformationThread with the ThreadHideFromDebugger information class stops an attached debugger from receiving events for that thread; it is a standard anti-debugging step and appears in both the original sample and the dropped copy.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel (2 IoCs)
Processes:
- Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop (1.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\WallpaperStyle = "10" (1.exe)
WallpaperStyle 10 is the "Fill" mode, so the dropped bitmap is scaled to cover the whole desktop.
Modifies registry class (5 IoCs)
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\7V7uPExzv (1.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\7V7uPExzv\DefaultIcon\ = "C:\\ProgramData\\7V7uPExzv.ico" (1.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.7V7uPExzv (1.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.7V7uPExzv\ = "7V7uPExzv" (1.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\7V7uPExzv\DefaultIcon (1.exe)
Together these register .7V7uPExzv as a file type whose default icon is the dropped .ico, so every encrypted file shows the ransomware's icon in Explorer. Writing under HKLM\SOFTWARE\Classes requires elevation, which is consistent with the privileges enabled below.
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
- 2072 1.exe (20 entries)
Suspicious behavior: RenamesItself (26 IoCs)
Processes:
- 2964 DDF0.tmp (26 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: all 64 entries are from 2072 1.exe.
Privileges enabled on the first pass, in order: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, LUID 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, LUID 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, then SeDebugPrivilege once more.
The remaining 48 entries alternate between pairs of SeBackupPrivilege and pairs of SeSecurityPrivilege, the pattern of a process re-enabling the same privileges over and over while it walks the file system. SeBackupPrivilege and SeRestorePrivilege let a process open files for read and write regardless of their ACLs, and SeTakeOwnershipPrivilege covers the rest; LUID 33 and LUID 36 are privileges the sandbox printed by number rather than by name.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- 2072 1.exe wrote to the memory of 2964 (DDF0.tmp): 5 entries
- 2964 DDF0.tmp wrote to the memory of 684 (cmd.exe): 4 entries
Each writer is the parent of the process it wrote to (see the process tree below), so these entries line up with process creation rather than with injection into an unrelated process.
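The flattened "Processes:" rows in the WriteProcessMemory and AdjustPrivilegeToken signatures can be parsed back into a parent/child process map and a per-process privilege tally, which is how you would feed a report like this into your own triage notes. This is an added example in Python, not part of the sandbox report or its tooling; the input strings are copied from the rows above (trimmed to a representative subset), and the names given to LUIDs 33 and 36 follow the standard Windows privilege numbering (SeIncreaseWorkingSetPrivilege and SeDelegateSessionUserImpersonatePrivilege), which you should treat as an assumption to check against your own reference.

```python
"""Parse the sandbox report's flattened WriteProcessMemory and AdjustPrivilegeToken
rows into a process tree and a privilege tally. Added example, not sandbox tooling."""
import re
from collections import Counter

# Rows copied from the report's "Processes:" tables (subset, same format).
WPM_ROWS = (
    "PID 2072 wrote to memory of 2964 2072 1.exe 32 "
    "PID 2072 wrote to memory of 2964 2072 1.exe 32 "
    "PID 2964 wrote to memory of 684 2964 DDF0.tmp 33 "
    "PID 2964 wrote to memory of 684 2964 DDF0.tmp 33"
)
TOKEN_ROWS = (
    "Token: SeAssignPrimaryTokenPrivilege 2072 1.exe Token: SeBackupPrivilege 2072 1.exe "
    "Token: SeDebugPrivilege 2072 1.exe Token: 36 2072 1.exe "
    "Token: SeImpersonatePrivilege 2072 1.exe Token: 33 2072 1.exe "
    "Token: SeRestorePrivilege 2072 1.exe Token: SeTakeOwnershipPrivilege 2072 1.exe "
    "Token: SeBackupPrivilege 2072 1.exe Token: SeSecurityPrivilege 2072 1.exe"
)

# "PID <src> wrote to memory of <dst> <src> <src image> <procid_target>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")
# "Token: <privilege or LUID number> <pid> <image>"
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")

# Standard Windows LUID numbers for the two privileges the sandbox printed as
# bare integers (assumption: check against your own privilege table).
LUID_NAMES = {33: "SeIncreaseWorkingSetPrivilege",
              36: "SeDelegateSessionUserImpersonatePrivilege"}

# Privileges that let a file encryptor bypass ACLs or touch other processes.
RANSOMWARE_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege",
                    "SeTakeOwnershipPrivilege", "SeDebugPrivilege"}


def parse_process_tree(rows):
    """Return {parent_pid: {child_pid: (parent_image, procid_target)}}.
    Repeated rows for the same pair collapse to one edge."""
    tree = {}
    for src, dst, _src_again, image, target in WPM_RE.findall(rows):
        tree.setdefault(int(src), {})[int(dst)] = (image, int(target))
    return tree


def parse_privileges(rows):
    """Return {pid: (image, Counter of privilege names)}; numeric LUIDs are named."""
    out = {}
    for priv, pid, image in TOKEN_RE.findall(rows):
        name = LUID_NAMES.get(int(priv), "LUID_" + priv) if priv.isdigit() else priv
        out.setdefault(int(pid), (image, Counter()))[1][name] += 1
    return out


def chain(tree, root):
    """Depth-first list of pids starting at root, parent before children."""
    order, stack = [], [root]
    while stack:
        pid = stack.pop()
        order.append(pid)
        stack.extend(sorted(tree.get(pid, {}), reverse=True))
    return order


def ransomware_priv_hits(privs):
    """Per pid, the sorted subset of RANSOMWARE_PRIVS that process enabled."""
    return {pid: sorted(RANSOMWARE_PRIVS & set(counts))
            for pid, (_image, counts) in privs.items()}


if __name__ == "__main__":
    tree = parse_process_tree(WPM_ROWS)
    print("chain:", " -> ".join(str(p) for p in chain(tree, 2072)))
    for pid, (image, counts) in parse_privileges(TOKEN_ROWS).items():
        print(pid, image, dict(counts))
    print("ACL-bypass privileges:", ransomware_priv_hits(parse_privileges(TOKEN_ROWS)))
```

Running it against the full 64-entry row from the report gives the same shape: one process (2072) holding the backup/restore/take-ownership trio, which is the set worth alerting on when a process from a user's Temp directory enables it.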
Processes
- C:\Users\Admin\AppData\Local\Temp\1.exe (PID 2072, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\DDF0.tmp (PID 2964, depth 2, child of 2072)
    Command line: "C:\ProgramData\DDF0.tmp"
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 684, depth 3, child of 2964)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\DDF0.tmp >> NUL
      The command line names System32\cmd.exe but the image that ran is SysWOW64\cmd.exe: WOW64 file-system redirection for a 32-bit parent. C:\PROGRA~3 is the 8.3 short name of C:\ProgramData here, so this is the dropped copy deleting its own file after exit (the "Deletes itself" signature above).
- C:\Windows\system32\AUDIODG.EXE (PID 1732, depth 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x154
  Separate top-level process (the audio device graph host), not a child of the sample.
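The chain the tree and the signatures show (wallpaper set through the registry by a non-shell process, a new extension registered under HKLM\SOFTWARE\Classes, a burst of renames that append that extension, and a self-delete through cmd.exe DEL aimed at the parent's image) can be written as behaviour rules over endpoint telemetry. This is an added example, not the sandbox's own signature engine; the event records are constructed by hand from the report's IoCs (registry keys, values, images and command lines are as reported; the rename events, their timestamps and their attribution to PID 2072 are invented for the example, since the report does not say which process performed the 792 renames).

```python
"""Behaviour rules for the ransomware chain in the report, evaluated over
constructed Sysmon-style events. Added example, not sandbox code."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1.exe"
DROPPED = r"C:\ProgramData\DDF0.tmp"

# Constructed events. Registry data, images and command lines are from the report;
# the file_rename events (and their pid/timestamps) are invented for the example.
EVENTS = [
    {"type": "reg_set", "pid": 2072, "image": SAMPLE,
     "key": r"HKU\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\Wallpaper",
     "value": r"C:\ProgramData\7V7uPExzv.bmp"},
    {"type": "reg_create", "pid": 2072, "image": SAMPLE,
     "key": r"HKLM\SOFTWARE\Classes\.7V7uPExzv"},
    {"type": "reg_set", "pid": 2072, "image": SAMPLE,
     "key": r"HKLM\SOFTWARE\Classes\7V7uPExzv\DefaultIcon",
     "value": r"C:\ProgramData\7V7uPExzv.ico"},
    {"type": "proc_create", "pid": 2964, "ppid": 2072, "image": DROPPED,
     "cmdline": '"' + DROPPED + '"'},
    {"type": "proc_create", "pid": 684, "ppid": 2964,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\DDF0.tmp >> NUL'},
] + [
    {"type": "file_rename", "pid": 2072, "image": SAMPLE, "t": 100 + i,
     "src": "C:\\Users\\Admin\\Documents\\report%d.docx" % i,
     "dst": "C:\\Users\\Admin\\Documents\\report%d.docx.7V7uPExzv" % i}
    for i in range(25)
]

WALLPAPER_KEY = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)
CLASS_EXT_KEY = re.compile(r"\\Classes\\\.([^\\]+)$", re.I)
# cmd.exe /C DEL /F /Q <target>: capture the target path
SELF_DELETE = re.compile(r'cmd\.exe"?\s+/c\s+del\s+/f\s+/q\s+(\S+)', re.I)


def evaluate(events, rename_threshold=20, rename_window=60):
    """Return a set of (signature, pid) hits, mirroring the report's layout."""
    hits = set()
    images = {e["pid"]: e["image"] for e in events}
    renames = defaultdict(list)  # (pid, appended extension) -> timestamps
    for e in events:
        kind = e["type"]
        if kind == "reg_set" and WALLPAPER_KEY.search(e["key"]) \
                and not e["image"].lower().endswith("\\explorer.exe"):
            hits.add(("Sets desktop wallpaper using registry", e["pid"]))
        elif kind == "reg_create" and (m := CLASS_EXT_KEY.search(e["key"])):
            hits.add(("Registers file extension ." + m.group(1) + " under HKLM\\SOFTWARE\\Classes", e["pid"]))
        elif kind == "proc_create" and (m := SELF_DELETE.search(e["cmdline"])):
            # Compare by final path component so the 8.3 form (PROGRA~3) still matches.
            target = m.group(1).rsplit("\\", 1)[-1].lower()
            parent = images.get(e["ppid"], "").rsplit("\\", 1)[-1].lower()
            if target and target == parent:
                hits.add(("Deletes itself via cmd.exe DEL of the parent image", e["ppid"]))
        elif kind == "file_rename" and e["dst"].lower().startswith(e["src"].lower() + "."):
            renames[(e["pid"], e["dst"][len(e["src"]):])].append(e["t"])
    for (pid, ext), ts in renames.items():
        ts.sort()
        # Sliding window: rename_threshold files gaining the same extension within rename_window seconds.
        for i in range(len(ts) - rename_threshold + 1):
            if ts[i + rename_threshold - 1] - ts[i] <= rename_window:
                hits.add(("Renames multiple (%d) files with added extension %s" % (len(ts), ext), pid))
                break
    return hits


if __name__ == "__main__":
    for sig, pid in sorted(evaluate(EVENTS)):
        print(pid, sig)
```

The rename rule is the one that needs tuning in production: backup and sync tools also rename many files quickly, so key it on a single new extension that is not otherwise registered on the host, and combine it with the registry and self-delete rules rather than alerting on it alone.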
Network
MITRE ATT&CK Enterprise v15
Downloads
-
- Filesize 129B
  MD5 7e84c732b764e55a66f9c39e7546389d
  SHA1 4932d5c10d9332bfb19c263f742aa594a1f8c805
  SHA256 1c1a3089e40978e50daf5fd1b3742ef68f7b2909847fb54f81a1ca10b4c41d09
  SHA512 6c3fbf587175886a887b4f37afa8e6526b9792d78b24f461bce573f85bf76e188e39d79c92e1008aeb056dee6f3a2e2d256c58a9897dda62b03e1b085721ad5d
- Filesize 1KB
  MD5 8c2be5dabda6d70998031e98877de66e
  SHA1 476e830160f2b4baead3e49f006cb90c2d4dde58
  SHA256 be932154ec7f413bab9c9a9267cc4d59fc1e36eaa138c852804795acc3b07a82
  SHA512 042a56a08582adb379ab51cd5a68eb1fbe443386cce7b1b8dcd2cddf4d47e4b7567344242af858b71da484727678b29ffa16807e44e35aa84b959f3adfd5463f
- Filesize 14KB
  MD5 294e9f64cb1642dd89229fff0592856b
  SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
- Filesize 146KB (same size as the submitted sample, different hashes; the report does not name this file)
  MD5 1916699a2426286792774b00c701d27f
  SHA1 a730410c607c8f2919ad33c02175320c27dade21
  SHA256 3c85457836f3744e958438917bf5dd6a9e23e474b3dde2417a6e69b99bade022
  SHA512 98f31eb09cbd8c2d988750ddf4a0e5afbf78d38fd15d1d92c9b8dc903643112a90602b7641c5b56ac2ed53299a7eb1d39ad199d172e2defe2cdbc96f6ed634bb
- Filesize 129B
  MD5 d42d54b330e293cbdad797b8c3416eb9
  SHA1 009cc24d6d5421aaaed6b631305b96a8a9951bde
  SHA256 222125288b4381536255a60939cd235cc8042ebefd429a4e28774a73c922a8c3
  SHA512 9482e5f446c62d6d5474da3dc8957c9d5694d14004801874e6e9e89f0394c92425582941e3eded51145d0b848e78f064c582bca741f7958ed859029953bf71d3