Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-07-2024 14:36

General

  • Target

    8e7a92442581fe1179b826cc112ac804c24e0f25389c4c649d87309bcd82c097.exe

  • Size

    146KB

  • MD5

    a6238bac4eea44789acd7594bbefacae

  • SHA1

    83f89ce4c6ac20243baf5937f0f666b594d91a3c

  • SHA256

    8e7a92442581fe1179b826cc112ac804c24e0f25389c4c649d87309bcd82c097

  • SHA512

    baf19b9074d3971605a2c9cf0c733dccf8f871a21b49034bf984fdcde3e86208c6d21030352619438dfd8adc80c5a23c76fae5e04782b52aae1ab1ae039c242e

  • SSDEEP

    3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUST:V6gDBGpvEByocWeauV2gvzwUg

Malware Config

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note
~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~
>>>> Your data is encrypted... but dont freak out If we encrypted you, you majorly fucked up. But... all can be saved But not for free, we require an xmr payment
>>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption. Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right? If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment.
>>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/ Link for the normal browser http://group.goocasino.org https://nullbulge.com
>>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3C285D9C9B96FB3EBE
>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Signatures

  • Renames multiple (649) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself (1 IoCs)
  • Executes dropped EXE (1 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) (2 IoCs)
  • Drops file in System32 directory (4 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies Control Panel (2 IoCs)
  • Modifies registry class (5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: RenamesItself (26 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of SetWindowsHookEx (13 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e7a92442581fe1179b826cc112ac804c24e0f25389c4c649d87309bcd82c097.exe
    "C:\Users\Admin\AppData\Local\Temp\8e7a92442581fe1179b826cc112ac804c24e0f25389c4c649d87309bcd82c097.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3312
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:4124
    • C:\ProgramData\F1B4.tmp
      "C:\ProgramData\F1B4.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F1B4.tmp >> NUL
        3⤵
        PID:1028
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
    PID:2600
  • C:\Windows\system32\printfilterpipelinesvc.exe
    C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
      /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{CFEA1D78-E5D3-46B1-BAE8-E42CFAEF2C27}.xps" 133654413794070000
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:1900

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-464762018-485119342-1613148473-1000\YYYYYYYYYYY
    Filesize
    129B
    MD5
    48fc2be523c371c6fa67d126ee784f74
    SHA1
    0bd4a2e942396a6153c4856d48d0e0e9fc51194f
    SHA256
    f7d057a8004541e23184532d1e3106908ab88f74397d4eda062672bfd0f069f1
    SHA512
    fc7d6cd89e13f5d6bb0dcb7fdcf0b04e3a93fb5ff522b2079c46d61d3becc61a3fe7f31d7b8e38bdb226886b0fdc3cc822a5f9085e3f0b0a66092b5e4658e739

  • C:\7V7uPExzv.README.txt
    Filesize
    1KB
    MD5
    f01fe07fb95c0ab1c869743c894a0e0a
    SHA1
    a64b12e426e825210e6d48b0bb38c8dd71cf36f2
    SHA256
    72733dfaa7b6b03ee74f8679597b5a5b7ac2c6781b12784cc8e96b8cb42bc87c
    SHA512
    34fafe499a203bfa7f24348737204feeb28a58b9619a83ff9491d343d08d9b734b0d5cbf722233d50db4ded08e6673e9e7591fd30514cf1a5797c173e53bfbe3

  • C:\ProgramData\F1B4.tmp
    Filesize
    14KB
    MD5
    294e9f64cb1642dd89229fff0592856b
    SHA1
    97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256
    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512
    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
    Filesize
    146KB
    MD5
    d14e48b1d236596aeb65d941258e2319
    SHA1
    efb24742a8980bfbb3f3508f678d82ebd659f4fe
    SHA256
    bc94248335448c3ec1a2599a21dc6dd36f0e23b0a8063a621d2e16099c8ece30
    SHA512
    609aebbedb765724e6f7e180f28a801cab3f767984c514fac8cdd9a54566f6f50334b29dea78502d470380b6a538323695d19e7deedfa87a74eba20fd3929330

  • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
    Filesize
    4KB
    MD5
    a8190da707856694dfae081582b015e7
    SHA1
    ba9f61a841a0ace9401989ceb3b6d8644b1f5d10
    SHA256
    0835c5d7172508829accf2c96fdda8d72e7a6fcf0d185265a6e2a2fdeb866a81
    SHA512
    97ea6d135bcb9a1f74ae1fe9501f8e111261cb5c108eaece36968b2ad5f164b30bf54e3d89eca207f95edb600fcb107a468721cf724b4e72766f91439fba0780

  • F:\$RECYCLE.BIN\S-1-5-21-464762018-485119342-1613148473-1000\DDDDDDDDDDD
    Filesize
    129B
    MD5
    739ba7092f680db7149809dc708155ee
    SHA1
    68e317fd954885543301ef826696276c5b52e81e
    SHA256
    e5f382eeff885c6cf60910d4c8253466a7888c6d80a958bca05821912d008081
    SHA512
    b60de9b21f8934e3ca82c964de73c3b6993b5aa66fbc5d662cfcc548c979f582e11fcf2651e50c28ed5559f250b441b6059966dbfafd6420ff0d10ce732c992e

  • memory/1900-2819-0x00007FFB89C30000-0x00007FFB89C40000-memory.dmp
    Filesize
    64KB

  • memory/1900-2817-0x00007FFB89C30000-0x00007FFB89C40000-memory.dmp
    Filesize
    64KB

  • memory/1900-2818-0x00007FFB89C30000-0x00007FFB89C40000-memory.dmp
    Filesize
    64KB

  • memory/1900-2816-0x00007FFB89C30000-0x00007FFB89C40000-memory.dmp
    Filesize
    64KB

  • memory/1900-2815-0x00007FFB89C30000-0x00007FFB89C40000-memory.dmp
    Filesize
    64KB

  • memory/1900-2846-0x00007FFB87430000-0x00007FFB87440000-memory.dmp
    Filesize
    64KB

  • memory/1900-2853-0x00007FFB87430000-0x00007FFB87440000-memory.dmp
    Filesize
    64KB

  • memory/3312-2-0x0000000002B90000-0x0000000002BA0000-memory.dmp
    Filesize
    64KB

  • memory/3312-0-0x0000000002B90000-0x0000000002BA0000-memory.dmp
    Filesize
    64KB

  • memory/3312-1-0x0000000002B90000-0x0000000002BA0000-memory.dmp
    Filesize
    64KB