Analysis

  • max time kernel
    95s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/07/2024, 19:37

General

  • Target

    0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe

  • Size

    146KB

  • MD5

    2357ecbcf3b566c76c839daf7ecf2681

  • SHA1

    89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58

  • SHA256

    0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305

  • SHA512

    bb5630ae44e684f2dfc74478c57bf97a94045501a64022d563e87f2a60d777307cab2b5a14e6764d25a2fd1f27901624c1ee76ca551d5a5e3a21abc4befef401

  • SSDEEP

    3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS:V6gDBGpvEByocWeauV2gvzwU

Malware Config

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note
~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~

>>>> Your data is encrypted... but dont freak out
If we encrypted you, you majorly fucked up. But... all can be saved
But not for free, we require an xmr payment

>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption. Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right? If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment.

>>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID
Download and install TOR Browser https://www.torproject.org/
Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while
Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/
Link for the normal browser http://group.goocasino.org https://nullbulge.com

>>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3C6AF9D000A709531C

>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com
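The indicators above pulled out of the note programmatically, as an added example that is not part of the sandbox report. The note text is excerpted from the extracted config; the regexes, the benign-host allowlist (the note cites torproject.org for instructions, not as attacker infrastructure) and the function names are the example's own. It also derives the extension the locker appends from the note's basename, following the LockBit 3.0 convention of naming the note <extension>.README.txt: the report counts 637 renamed files but never prints the extension, so treat that value as an inference to confirm against one renamed file.

```python
"""Pull indicators out of a LockBit-style ransom note.

Added example for this report, not part of the sandbox output. NOTE_TEXT is
excerpted verbatim from the "Ransom Note" field above; the regexes, the
benign-host allowlist and the function names are this example's own.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Excerpt of the extracted note (constructed input; wording copied from the report).
NOTE_PATH = r"C:\7V7uPExzv.README.txt"
NOTE_TEXT = (
    "~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~ >>>> Your data is encrypted... "
    ">>>> You may contact us and decrypt one file for free on these TOR sites "
    "with your personal DECRYPTION ID Download and install TOR Browser "
    "https://www.torproject.org/ Write to a chat and wait for the answer "
    "Links for Tor Browser: "
    "http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/ "
    "Link for the normal browser http://group.goocasino.org https://nullbulge.com "
    ">>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3C6AF9D000A709531C >>>> Warning!"
)

# Hosts a note cites for instructions rather than attacker infrastructure (example's own list).
BENIGN_HOSTS = {"torproject.org", "www.torproject.org"}

_URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
_ONION_V3_RE = re.compile(r"^[a-z2-7]{56}\.onion$")
_ID_RE = re.compile(r"DECRYPTION ID:\s*([0-9A-Fa-f]{32})\b")
# LockBit 3.0 names the note <appended extension>.README.txt.
_NOTE_NAME_RE = re.compile(r"^(?P<ext>[A-Za-z0-9]{4,16})\.README\.txt$", re.IGNORECASE)


@dataclass
class NoteIocs:
    onion_urls: List[str]
    clearnet_urls: List[str]
    decryption_id: Optional[str]
    appended_extension: Optional[str]


def is_v3_onion(host: str) -> bool:
    """True for a current (56-character) v3 address; 16-character v2 onions were
    retired in 2021, so a note carrying one points at infrastructure that is gone."""
    return bool(_ONION_V3_RE.match(host.lower()))


def _dedupe(items: List[str]) -> List[str]:
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def extract_note_iocs(text: str, note_path: str) -> NoteIocs:
    onion, clearnet = [], []
    for raw in _URL_RE.findall(text):
        url = raw.rstrip(".,;:)")          # punctuation glued on by surrounding prose
        host = (urlparse(url).hostname or "").lower()
        if not host or host in BENIGN_HOSTS:
            continue
        (onion if host.endswith(".onion") else clearnet).append(url)
    id_match = _ID_RE.search(text)
    ext_match = _NOTE_NAME_RE.match(ntpath.basename(note_path))
    return NoteIocs(
        onion_urls=_dedupe(onion),
        clearnet_urls=_dedupe(clearnet),
        decryption_id=id_match.group(1) if id_match else None,
        appended_extension=ext_match.group("ext") if ext_match else None,
    )


if __name__ == "__main__":
    iocs = extract_note_iocs(NOTE_TEXT, NOTE_PATH)
    for url in iocs.onion_urls:
        print("onion", url, "v3" if is_v3_onion(urlparse(url).hostname) else "not-v3")
    for url in iocs.clearnet_urls:
        print("clearnet", url)
    print("decryption id", iocs.decryption_id)
    print("appended extension (inferred)", iocs.appended_extension)
```

The onion address in this note is a valid 56-character v3 name; a note carrying a 16-character v2 address is worth noting separately, since those have been unreachable since the v2 retirement and usually mean an old or recycled note template.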

Signatures

  • Renames multiple (637) files with added filename extension

    Mass renaming of files with a new extension is characteristic of ransomware encrypting the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly read stored browser data, which can include saved credentials and session cookies.

  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
    "C:\Users\Admin\AppData\Local\Temp\0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4124
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:2952
    • C:\ProgramData\BC9A.tmp
      "C:\ProgramData\BC9A.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3412
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BC9A.tmp >> NUL
        3⤵
          PID:3500
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:3152
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:3748
        • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
          /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{2A3F0721-4929-4796-A4A8-817A2314FA70}.xps" 133655459179680000
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          PID:1412
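A triage rule over the process tree above, as an added example that is not sandbox code. The records are transcribed from the tree, with parent links following the nesting; the rule names and helpers are the example's own. It flags the dropped second stage C:\ProgramData\BC9A.tmp deleting itself through cmd.exe, where the DEL argument is the 8.3 short name C:\PROGRA~3\BC9A.tmp rather than the path the process was launched from, so a full-path comparison against the parent's image would miss it.

```python
"""Flag the self-deletion and drop-and-execute pattern in a sandbox process tree.

Added example for this report, not sandbox code. PROCS is transcribed from the
Processes tree above (parent links follow the nesting); the rule names and
helpers are this example's own.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcRecord:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe")

# Transcribed from the report (constructed input for the example).
PROCS = [
    ProcRecord(4124, None, SAMPLE, f'"{SAMPLE}"'),
    ProcRecord(2952, 4124, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcRecord(3412, 4124, r"C:\ProgramData\BC9A.tmp", r'"C:\ProgramData\BC9A.tmp"'),
    ProcRecord(3500, 3412, r"C:\Windows\SysWOW64\cmd.exe",
               r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BC9A.tmp >> NUL'),
]

# cmd.exe ... DEL [/switches] <path>; the path may be quoted or an 8.3 short name.
_DEL_RE = re.compile(r'(?i)\bDEL\b((?:\s+/[A-Z])*)\s+("[^"]+"|\S+)')


def _basename(path: str) -> str:
    return ntpath.basename(path.strip('"')).casefold()


def find_self_delete(procs: List[ProcRecord]) -> List[Tuple[int, int, str]]:
    """(cmd pid, parent pid, deleted path) for every cmd.exe that deletes its parent's image.

    Only basenames are compared: the DEL target here is the 8.3 short name
    PROGRA~3, which cannot be expanded to ProgramData without the live volume,
    so a full-path comparison against the parent's image would silently miss it.
    """
    by_pid: Dict[int, ProcRecord] = {p.pid: p for p in procs}
    hits: List[Tuple[int, int, str]] = []
    for p in procs:
        if _basename(p.image) != "cmd.exe" or p.ppid not in by_pid:
            continue
        m = _DEL_RE.search(p.cmdline)
        if not m:
            continue
        target = m.group(2).strip('"')
        if _basename(target) == _basename(by_pid[p.ppid].image):
            hits.append((p.pid, p.ppid, target))
    return hits


def find_programdata_tmp_exec(procs: List[ProcRecord]) -> List[int]:
    """pids whose image is a .tmp under ProgramData, i.e. a dropped stage run in place."""
    return [p.pid for p in procs
            if p.image.casefold().startswith("c:\\programdata\\")
            and p.image.casefold().endswith(".tmp")]


def triage(procs: List[ProcRecord]) -> Dict[str, list]:
    return {
        "self_delete": find_self_delete(procs),
        "programdata_tmp_exec": find_programdata_tmp_exec(procs),
    }


if __name__ == "__main__":
    for rule, hits in triage(PROCS).items():
        print(rule, hits)
```

The splwow64.exe child is the 64-bit print-driver host that Windows starts when a 32-bit process prints (the resource tags list arch:x86), and the XPS handed to ONENOTE.EXE /insertdoc through printfilterpipelinesvc is the Send to OneNote printer path; the report does not show what was printed, so that branch is recorded here only as context, not as a rule.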

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\$Recycle.Bin\S-1-5-21-1705699165-553239100-4129523827-1000\BBBBBBBBBBB

        Filesize

        129B

        MD5

        827b058797760cc49f838f2032e73231

        SHA1

        e6e47b925790af151902ea68ad4b20beec1fbcf4

        SHA256

        2ec898ef7a03f467ef2339963a84079a888e2ab0b7a086a539bedb62b9cb8084

        SHA512

        d411260266a249c88b83186139b9ec2817b3f41b93d7cc95c69583d748d51ce880fb0705797183f40fbd38fe7dac3760c09340b1676d70cad478d8180e847fd1

      • C:\7V7uPExzv.README.txt

        Filesize

        1KB

        MD5

        60ddc3a3e92e360bb93072b24563f60e

        SHA1

        d4c69f535cd6b03c663ec897ed786ec865fb7d78

        SHA256

        6e2d54a642bdc43feb36e46d20c66602d89827b6e058557ab8b7e20e249ccfd7

        SHA512

        d6e1b53815846198aab159048b0f55ef839874e01a4bfdfd36fb202085fe9dcadfa41db7d3f32c20063e72c50e92572132a768fe8004078d3dd95a7504f38f03

      • C:\ProgramData\BC9A.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{2A3F0721-4929-4796-A4A8-817A2314FA70}.xps

        Filesize

        13.1MB

        MD5

        f268f476eb3036aa0c769eb648b1c5f7

        SHA1

        59bbbd9fe2669b6e6701a72d138e6f13760fc40a

        SHA256

        7bb4bb96e1a78b354443c427aaf956f41af004b06cb9d56779cb2e2ece26338c

        SHA512

        a40f2e8c00acf1463f6fe3ee75d79f9c79a6a5b65b0dcc040563f4565671a791c0512cc9c0e09282e92b3e935994cf98a8af502d6376aad2e57d532a302489ea

      • C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

        Filesize

        146KB

        MD5

        7608dfa9469716ce8425ddabc1737bf1

        SHA1

        aaa5062f5ac3067e470fbc3903734d24af62f812

        SHA256

        b9f6ad306d9e62b44e4c4d4417a0a1a9d15a4821b0aa1be38fb487021d1d0b5d

        SHA512

        8dc6bdecf32f282ada11b90c099d584a7c6c5ba83ec1c95c1b26bfc4d8c9661a09640b66e21c9dc349b79c4d4a11dfc47a227fd9f989aa8f6e800adb44c90292

      • C:\Users\Admin\AppData\Local\Temp\{27F5D8A3-8935-47ED-80AB-88F655E8CEF2}

        Filesize

        4KB

        MD5

        d7a1f60634674156f11d9dd6cc2054e7

        SHA1

        8396794be7830227b06634630c0635d6b75bf026

        SHA256

        bf8e6f66c245e2759af0031b768dba34eb0bbe9287a37c5b9039bbff0a309fc5

        SHA512

        9318cce46b693743fd15206c3b6aa5ddc7d7fbdfe9e085aa7ac9041cffab0361dc61269434aa242f4039d5e4d54da5bb90f5bee45ea0b92fa68ed68c1834e2bb

      • C:\Users\Admin\AppData\Local\Temp\{F98B1B01-0467-42C8-922C-0DA5B85F77CD}

        Filesize

        4KB

        MD5

        4482f5f7701a4ae359d7e31dfedd05c3

        SHA1

        6279b75444cb2cf0d09f7c59a00751da15c56b81

        SHA256

        0e22f7cc2c0fe3c2483edd612278bab30df48d611a9bc174fd85c888f34ce5ae

        SHA512

        9e795fb0df1008e09b48b912a71f91356bf98db6b2e4906f539724af7143468db8d85386eec678af301265f68a5898955ecc80ba227cd70bf4e65075a2d772bf

      • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

        Filesize

        16B

        MD5

        d29962abc88624befc0135579ae485ec

        SHA1

        e40a6458296ec6a2427bcb280572d023a9862b31

        SHA256

        a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

        SHA512

        4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

      • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

        Filesize

        2B

        MD5

        f3b25701fe362ec84616a93a45ce9998

        SHA1

        d62636d8caec13f04e28442a0a6fa1afeb024bbb

        SHA256

        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

        SHA512

        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      • F:\$RECYCLE.BIN\S-1-5-21-1705699165-553239100-4129523827-1000\DDDDDDDDDDD

        Filesize

        129B

        MD5

        05eaec31db1aff9e5db1b200cca38337

        SHA1

        2673d97d5b6586fcec9bc4bb6cbcc56d7f606346

        SHA256

        1766b029c8445511206f6273b387f2aa8af3209ea5a8aab94e9e751746cf4614

        SHA512

        6e8e8fcbff3b1aa7e1e79d55792c61a5e45c569903793d01171e981bd2b4834556c64f3e3fc377f6aa5b5e2cd0c9bac5306b4c7092ab6ed394cc55941a21b961

      • memory/1412-2829-0x00007FFD0EB10000-0x00007FFD0EB20000-memory.dmp

        Filesize

        64KB

      • memory/1412-2973-0x00007FFD0EB10000-0x00007FFD0EB20000-memory.dmp

        Filesize

        64KB

      • memory/1412-2830-0x00007FFD0EB10000-0x00007FFD0EB20000-memory.dmp

        Filesize

        64KB

      • memory/1412-2861-0x00007FFD0C8C0000-0x00007FFD0C8D0000-memory.dmp

        Filesize

        64KB

      • memory/1412-2862-0x00007FFD0C8C0000-0x00007FFD0C8D0000-memory.dmp

        Filesize

        64KB

      • memory/1412-2828-0x00007FFD0EB10000-0x00007FFD0EB20000-memory.dmp

        Filesize

        64KB

      • memory/1412-2840-0x00007FFD0EB10000-0x00007FFD0EB20000-memory.dmp

        Filesize

        64KB

      • memory/1412-2974-0x00007FFD0EB10000-0x00007FFD0EB20000-memory.dmp

        Filesize

        64KB

      • memory/1412-2976-0x00007FFD0EB10000-0x00007FFD0EB20000-memory.dmp

        Filesize

        64KB

      • memory/1412-2975-0x00007FFD0EB10000-0x00007FFD0EB20000-memory.dmp

        Filesize

        64KB

      • memory/1412-2839-0x00007FFD0EB10000-0x00007FFD0EB20000-memory.dmp

        Filesize

        64KB

      • memory/4124-1-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

        Filesize

        64KB

      • memory/4124-0-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

        Filesize

        64KB

      • memory/4124-2-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

        Filesize

        64KB