Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-07-2024 14:36

General

  • Target

    8e7a92442581fe1179b826cc112ac804c24e0f25389c4c649d87309bcd82c097.exe

  • Size

    146KB

  • MD5

    a6238bac4eea44789acd7594bbefacae

  • SHA1

    83f89ce4c6ac20243baf5937f0f666b594d91a3c

  • SHA256

    8e7a92442581fe1179b826cc112ac804c24e0f25389c4c649d87309bcd82c097

  • SHA512

    baf19b9074d3971605a2c9cf0c733dccf8f871a21b49034bf984fdcde3e86208c6d21030352619438dfd8adc80c5a23c76fae5e04782b52aae1ab1ae039c242e

  • SSDEEP

    3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUST:V6gDBGpvEByocWeauV2gvzwUg

Malware Config

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note

~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~
>>>> Your data is encrypted... but dont freak out
If we encrypted you, you majorly fucked up. But... all can be saved
But not for free, we require an xmr payment
>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money.
If you pay, we will provide you the programs for decryption.
Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right?
If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important.
There is no dissatisfied victim after payment.
>>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID
Download and install TOR Browser https://www.torproject.org/
Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while
Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/
Link for the normal browser http://group.goocasino.org https://nullbulge.com
>>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3C7A5BC69A26216496
>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com
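The fields in this section (family banner, Tor and clearnet contact URLs, victim ID) can be pulled out of the note text mechanically. The extractor below is added example code, not part of the report or of any tooling belonging to the sample's authors. The note excerpt is copied from the text above; the helper names (extract_config, host_of), the benign-host filter and the v3 onion address check are the example's own choices. The Tor Project download link is dropped because it is victim guidance rather than attacker infrastructure, which is also why the report's own URL list omits it.

```python
import re

# Excerpt of the ransom note reproduced in this report (full text above).
NOTE = """~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~
>>>> Your data is encrypted... but dont freak out
>>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID
Download and install TOR Browser https://www.torproject.org/
Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/
Link for the normal browser http://group.goocasino.org https://nullbulge.com
>>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3C7A5BC69A26216496
>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
ID_RE = re.compile(r"DECRYPTION ID:\s*([0-9A-Fa-f]{32})")
BANNER_RE = re.compile(r"^~~~(?P<family>.+?)~~~", re.M)
# v3 onion services: 56 base32 characters before ".onion". A mistyped address
# in an IoC feed is worse than none, so the extractor validates what it emits.
ONION_V3_RE = re.compile(r"^[a-z2-7]{56}\.onion$")
# Victim guidance links, not attacker infrastructure (assumed list for the example).
BENIGN_HOSTS = {"www.torproject.org", "torproject.org"}


def host_of(url):
    """Hostname part of an http(s) URL, lower-cased."""
    return url.split("://", 1)[1].split("/", 1)[0].lower()


def extract_config(note):
    """Return the contact/ID fields of a LockBit-style note as a dict."""
    urls = [u.rstrip(".,)") for u in URL_RE.findall(note)]
    urls = [u for u in urls if host_of(u) not in BENIGN_HOSTS]
    onion = [u for u in urls if host_of(u).endswith(".onion")]
    clearnet = [u for u in urls if u not in onion]
    id_match = ID_RE.search(note)
    banner = BANNER_RE.search(note)
    return {
        "family_banner": banner.group("family").strip() if banner else None,
        "decryption_id": id_match.group(1) if id_match else None,
        "onion_urls": onion,
        "clearnet_urls": clearnet,
        # True only if every onion host is a well-formed v3 address
        "onion_v3_valid": all(ONION_V3_RE.match(host_of(u)) for u in onion),
    }


if __name__ == "__main__":
    for key, value in extract_config(NOTE).items():
        print(f"{key}: {value}")
```

Run as-is it prints the same banner, ID and three URLs the report lists; the decryption ID is per-victim and should be treated as a campaign identifier, not a detection string.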

Signatures

  • Renames multiple (320) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
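Several of the signatures above are individually weak (a backup tool also renames many files; a user can change the wallpaper) but become convincing when they come from one process. The scorer below shows that correlation over Sysmon-style file and registry events. It is added example code, not the sandbox's detection logic; the events are constructed for the example, the appended extension ".7V7uPExzv", the victim paths, the rename threshold and the note-name pattern are all assumptions (the report only states that 320 files were renamed with an added extension and that a README note, desktop.ini files and a wallpaper registry value were written).

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events, not taken from the sandbox report.
# Fields: (pid, event, detail). Extension and paths are assumptions.
EVENTS = [
    (1628, "file_create", r"C:\7V7uPExzv.README.txt"),
    (1628, "registry_set", r"HKCU\Control Panel\Desktop\Wallpaper = C:\ProgramData\7V7uPExzv.bmp"),
    (1628, "file_create", r"C:\Users\Admin\Documents\desktop.ini"),
    # PID 1628 renames many files, appending one extension to each
    *[(1628, "file_rename",
       rf"C:\Users\Admin\Documents\doc{i}.docx -> C:\Users\Admin\Documents\doc{i}.docx.7V7uPExzv")
      for i in range(40)],
    # Benign: a build step renaming a few artifacts with differing suffixes
    (4100, "file_rename", r"C:\build\app.exe -> C:\build\app.exe.bak"),
    (4100, "file_rename", r"C:\build\app.pdb -> C:\build\app.pdb.old"),
    (4100, "file_rename", r"C:\build\log.txt -> C:\build\log.txt.1"),
    # Benign: a download finishing; the extension is replaced, not appended
    (5200, "file_rename", r"C:\tmp\a.part -> C:\tmp\a.zip"),
]

RENAME_THRESHOLD = 25  # renames per process that share one appended extension (assumed)
NOTE_RE = re.compile(r"(?i)(readme|restore|recover|decrypt)[^\\]*\.txt$")
WALLPAPER_RE = re.compile(r"(?i)control panel\\desktop\\wallpaper")


def appended_extension(old, new):
    """Extension appended to the original name, or None when the rename is not
    of the form <old> + '.<ext>' (a.part -> a.zip is a replacement, not an append)."""
    if new.startswith(old + ".") and "\\" not in new[len(old):]:
        return new[len(old):]
    return None


def score_events(events):
    """Map pid -> findings for every process that trips the rename-burst signal.
    verdict is 'ransomware' when a note drop, wallpaper change or desktop.ini
    write from the same pid corroborates the burst, else 'suspicious-rename-burst'."""
    per_pid = defaultdict(lambda: {"ext_counts": defaultdict(int), "ransom_note": False,
                                   "wallpaper": False, "desktop_ini": False})
    for pid, event, detail in events:
        rec = per_pid[pid]
        if event == "file_rename":
            old, new = detail.split(" -> ", 1)
            ext = appended_extension(old, new)
            if ext:
                rec["ext_counts"][ext] += 1
        elif event == "file_create":
            name = detail.rsplit("\\", 1)[-1]
            if NOTE_RE.search(name):
                rec["ransom_note"] = True
            if name.lower() == "desktop.ini":
                rec["desktop_ini"] = True
        elif event == "registry_set" and WALLPAPER_RE.search(detail):
            rec["wallpaper"] = True

    results = {}
    for pid, rec in per_pid.items():
        if not rec["ext_counts"]:
            continue
        ext, count = max(rec["ext_counts"].items(), key=lambda kv: kv[1])
        if count < RENAME_THRESHOLD:
            continue
        corroborated = rec["ransom_note"] or rec["wallpaper"] or rec["desktop_ini"]
        results[pid] = {
            "extension": ext, "renames": count,
            "ransom_note": rec["ransom_note"], "wallpaper": rec["wallpaper"],
            "desktop_ini": rec["desktop_ini"],
            "verdict": "ransomware" if corroborated else "suspicious-rename-burst",
        }
    return results


if __name__ == "__main__":
    for pid, finding in score_events(EVENTS).items():
        print(pid, finding)
```

Counting only appended extensions (not replaced ones) is what keeps archivers and downloaders out of the burst count; the threshold should be tuned per estate, and in production the events would be grouped by a time window rather than a whole log.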

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e7a92442581fe1179b826cc112ac804c24e0f25389c4c649d87309bcd82c097.exe
    "C:\Users\Admin\AppData\Local\Temp\8e7a92442581fe1179b826cc112ac804c24e0f25389c4c649d87309bcd82c097.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\ProgramData\8D51.tmp
      "C:\ProgramData\8D51.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8D51.tmp >> NUL
        3⤵
          PID:1836
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
    PID:2356
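Two things in the tree above are worth encoding as detections: the sample runs a dropped non-.exe file out of C:\ProgramData (8D51.tmp), and that dropped process deletes itself through cmd.exe, referring to its own image by the 8.3 short name C:\PROGRA~3\8D51.tmp rather than C:\ProgramData\8D51.tmp. A naive comparison of the DEL target against the parent's image path misses that, so the example below normalizes short names before matching. This is added example code, not the sandbox's own logic; the process records are modelled on the tree but constructed (the sample and AUDIODG parent PIDs, the benign cmd.exe entry and the short-name table are assumptions, and PROGRA~3 only maps to ProgramData on this particular host).

```python
import re

# Constructed process-creation records modelled on the report's process tree.
# Fields: (pid, ppid, image, command_line). PPIDs 900/600/2900 are assumed.
PROCESSES = [
    (1628, 900, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    (1200, 1628, r"C:\ProgramData\8D51.tmp", r'"C:\ProgramData\8D51.tmp"'),
    (1836, 1200, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8D51.tmp >> NUL'),
    (2356, 600, r"C:\Windows\system32\AUDIODG.EXE", r"C:\Windows\system32\AUDIODG.EXE 0x14c"),
    # Benign: a cleanup step deleting a log file that is nobody's image
    (3000, 2900, r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /C DEL /F /Q C:\Users\Admin\AppData\Local\Temp\build.log'),
]

# Assumed 8.3 short names for this example host. On a real endpoint resolve them
# with GetLongPathNameW at collection time; PROGRA~3 is not always ProgramData.
SHORT_NAMES = {"PROGRA~3": "ProgramData", "ADMIN~1": "Admin"}

# DEL with optional switches, capturing the first target path
DEL_RE = re.compile(r"(?i)\bDEL\b\s+(?:/[FQSA]\s+)*(?P<target>\S+)")


def normalize(path):
    """Strip quotes, expand known 8.3 components, lower-case for comparison."""
    parts = path.strip('"').split("\\")
    parts = [SHORT_NAMES.get(p.upper(), p) for p in parts]
    return "\\".join(parts).lower()


def detect(procs):
    """Return (pid, signal, detail) findings for the two behaviours above."""
    by_pid = {p[0]: p for p in procs}
    findings = []
    for pid, ppid, image, cmdline in procs:
        # Signal 1: an executable launched from ProgramData without an .exe extension
        if normalize(image).startswith("c:\\programdata\\") and not image.lower().endswith(".exe"):
            findings.append((pid, "dropped_tmp_executed", image))
        # Signal 2: cmd.exe DEL whose target is the image of an ancestor (self-deletion)
        if image.lower().endswith("\\cmd.exe"):
            m = DEL_RE.search(cmdline)
            if m:
                target = normalize(m.group("target"))
                ancestor, depth = by_pid.get(ppid), 0
                while ancestor and depth < 4:   # walk a few generations up the tree
                    if normalize(ancestor[2]) == target:
                        findings.append((pid, "self_delete_via_cmd", ancestor[0]))
                        break
                    ancestor, depth = by_pid.get(ancestor[1]), depth + 1
    return findings


if __name__ == "__main__":
    for finding in detect(PROCESSES):
        print(finding)
```

The ancestor walk matters because the DEL is issued by a grandchild of the original sample; matching only the immediate parent would still catch this tree (1200 is both the dropped file and cmd.exe's parent), but LockBit-derived builds vary in how many hops they put between the payload and the cleanup command.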

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\$Recycle.Bin\S-1-5-21-3450744190-3404161390-554719085-1000\BBBBBBBBBBB

        Filesize

        129B

        MD5

        bb1a87b836513c6d96acd56a27044ccc

        SHA1

        00e5ce8ff68321eb200d35de6ccc1cb4d40c4d60

        SHA256

        a4af09a0fabdd670e07ebc6a25f04b28d9605b5100bddae006e1eabffbfbbeee

        SHA512

        e7e8049000130d142c67f7bc38dd9b3a0ae0bede4bd6d01d75c162a3a1846dff080b3c7150eb517da9b9f60c80cc02f675d5711ac365f8729d8e99dc4c7f91b7

      • C:\7V7uPExzv.README.txt

        Filesize

        1KB

        MD5

        fc760cb0ba1315e33d6954fcacc6860f

        SHA1

        8cf63cb83f87806f9ac6e15601ada9a28685a95f

        SHA256

        9cc6f0de04ee12a1498f019566d0029f3ef5d82cd1869c7943ddcb7c6b7f2255

        SHA512

        7f91a152300142e662ea3fed21c036ef609ef86d7b7647a320e1e326f8c38f81da48a85cd0d58dab14e32f8541f33ee79ec932ab581e74f84e90c91b5a8f36a2

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

        Filesize

        146KB

        MD5

        ff495de97290461cd95dff21d48809ef

        SHA1

        d3dc258853da9eef70e60fd1de44e4897713fd1d

        SHA256

        92aa9ff58ffcb89e0e4e31d48e412a16750943eb3de9774eb3aae3c0e521c623

        SHA512

        047296f915e6ed0f43fb511b104749724e8d89311fe4657fd8663bed60ff257dede8667f9d30dd605be851f19fb0d0fa2ed19d6729b98ffdd4394dafac587c08

      • F:\$RECYCLE.BIN\S-1-5-21-3450744190-3404161390-554719085-1000\HHHHHHHHHHH

        Filesize

        129B

        MD5

        1db23e77c6f9bdefd297447b61cf821c

        SHA1

        9833831e663c266ab182382f4051d1e77c3e1182

        SHA256

        fc777009b98fd9d3a6172984952a0189425616dbedee71ebce52ddbcbef0cd86

        SHA512

        8251c85166561465458f5cc01460140c2a8afb558cb456e75a3e447fb9eed9ab430c06185055c5715ba0e86f785e7e4c247343f4dbc17aef39ddd1b98db03d7e

      • \ProgramData\8D51.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • memory/1200-852-0x0000000000401000-0x0000000000404000-memory.dmp

        Filesize

        12KB

      • memory/1200-854-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

      • memory/1628-0-0x0000000000200000-0x0000000000240000-memory.dmp

        Filesize

        256KB