f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

146KB
MD5

314275168bf7958219662a242dbfe8a7
SHA1

d629032d9d8f491d133ee26a230c393335d7ad74
SHA256

f28599b06560617bccdfb56acc841f3e642ff51b9956632fcc4204f026711e23
SHA512

b5246db461ee78d622a33a758b3d178208b88e0b9e98185f17ee95f2fbbcf66b1059afece1dd5b586d01587bc01662491a6baab208b9836d4b4b9efc55f14c2f
SSDEEP

3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUSx:V6gDBGpvEByocWeauV2gvzwUA

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note

~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~ >>>> Your data is encrypted... but dont freak out If we encrypted you, you majorly fucked up. But... all can be saved But not for free, we require an xmr payment >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption. Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right? If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment. >>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/ Link for the normal browser http://group.goocasino.org https://nullbulge.com >>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3CA2E8848C7E360D25 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!

URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Signatures

Renames multiple (358) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
568	A351.tmp

Executes dropped EXE 1 IoCs

pid	Process
568	A351.tmp

Loads dropped DLL 1 IoCs

pid	Process
1512	1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini	1.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini	1.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\7V7uPExzv.bmp"	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\7V7uPExzv.bmp"	1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1512	1.exe
1512	1.exe
1512	1.exe
1512	1.exe
568	A351.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\WallpaperStyle = "10"	1.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7V7uPExzv	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\7V7uPExzv\DefaultIcon\ = "C:\\ProgramData\\7V7uPExzv.ico"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7V7uPExzv	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.7V7uPExzv\ = "7V7uPExzv"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\7V7uPExzv\DefaultIcon	1.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1512	1.exe
1512	1.exe
1512	1.exe
1512	1.exe
1512	1.exe
1512	1.exe
1512	1.exe
1512	1.exe
1512	1.exe
1512	1.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp
568	A351.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeDebugPrivilege	1512	1.exe
Token: 36	1512	1.exe
Token: SeImpersonatePrivilege	1512	1.exe
Token: SeIncBasePriorityPrivilege	1512	1.exe
Token: SeIncreaseQuotaPrivilege	1512	1.exe
Token: 33	1512	1.exe
Token: SeManageVolumePrivilege	1512	1.exe
Token: SeProfSingleProcessPrivilege	1512	1.exe
Token: SeRestorePrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeSystemProfilePrivilege	1512	1.exe
Token: SeTakeOwnershipPrivilege	1512	1.exe
Token: SeShutdownPrivilege	1512	1.exe
Token: SeDebugPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeBackupPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe
Token: SeSecurityPrivilege	1512	1.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 568	1512	1.exe	32
PID 1512 wrote to memory of 568	1512	1.exe	32
PID 1512 wrote to memory of 568	1512	1.exe	32
PID 1512 wrote to memory of 568	1512	1.exe	32
PID 1512 wrote to memory of 568	1512	1.exe	32
PID 568 wrote to memory of 1644	568	A351.tmp	33
PID 568 wrote to memory of 1644	568	A351.tmp	33
PID 568 wrote to memory of 1644	568	A351.tmp	33
PID 568 wrote to memory of 1644	568	A351.tmp	33

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512
- C:\ProgramData\A351.tmp
  "C:\ProgramData\A351.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A351.tmp >> NUL
    3⤵
    PID:1644

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
1⤵
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3294248377-1418901787-4083263181-1000\FFFFFFFFFFF

Filesize
129B

MD5
13bf3dc22e4040eb247a967668dc9d25

SHA1
31fcb2107231bc1f12830e942cb7be195fef1d83

SHA256
e035d729c050db58630bff2310a0da13581f847f40b625ca02a572378b2b4670

SHA512
e0185ba5af04452e2a49f5b8dbcd93ebe9d4eeb3853976119e6d1467aa7a828810b183ad9de289795ff84a990d61fbe6424f65a165d95f502776067f35d9d8a3

Download Submit
C:\7V7uPExzv.README.txt

Filesize
1KB

MD5
f818d1fa8584c2b97e56efd9ce22fa7f

SHA1
9e5ad97fc3893dd874db881e91a7f4297571697f

SHA256
052afd40c9ee4b83ac94d67ad0938ac5cd66764b8ec3cb4baf06c9027663634b

SHA512
257548eb4e11ac1b22f63b4a1e0f52e51d7a095492c27982a6363365b193e3b5dfd94250ca1bfb3053a4a5a96f5bd13d81e526dbdb815c8fd1431b9186828fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDD

Filesize
146KB

MD5
0993870f86b070f722f9ba97a6398f26

SHA1
3409bb2d630a528436b5425dc5b138930670b157

SHA256
973595585a74e69c90bc4ae80b6f714a943390970914b97cdabe4d30e9f0d92e

SHA512
143259583d051fa15fc35e7a91dfb561b3ad81595a9ba1b6b5166793e84933484f0ccbfe9506ad0e3c75bdf98c8595754178d992224f431a1a0ae7ed63048a15

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3294248377-1418901787-4083263181-1000\AAAAAAAAAAA

Filesize
129B

MD5
2f4ad74bf99b34da6e2eba57b836a75f

SHA1
52bde153eb74a40a7148c4844eef8b42fd3f7d8d

SHA256
ca5216c25dc6e7e2882cd4b8c74e5df83bde9c5b0db73ee4600c97130c134eb1

SHA512
288d01d249608a1ee416fdaa6c6790e2b474fb5ef97248b1f14cb78cf97ed6028b0a4168e66d72f1e77fecacd2a0148c8d3287813626578a2eebdb228fc4ff86

Download Submit
\ProgramData\A351.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/568-891-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/568-893-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1512-0-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download