Resubmissions
18-07-2024 07:25
240718-h84wjs1hpb 1018-07-2024 07:19
240718-h51pqa1gng 1017-07-2024 20:55
240717-zqkhmaydmq 1017-07-2024 19:21
240717-x2pwdaycjb 10Analysis
-
max time kernel
1443s -
max time network
1450s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
-
submitted
17-07-2024 19:21
General
-
Target
Bit Paymer.exe
-
Size
92KB
-
MD5
998246bd0e51f9582b998ca514317c33
-
SHA1
5a2d799ac4cca8954fc117c7fb3e868f93c6f009
-
SHA256
d693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2
-
SHA512
773d9838be9c09bd43a22aa1eada8f623f95739b21828712236a4a209c6d9266647ef43592d072d68399224965253c37f9ce9ef36e46e8191169c03ac7789130
-
SSDEEP
1536:tacFdjxs2TlWlpnXv91nhixG8/lA5jG8387SpK6jXOMVHoi5e+vRb:taqJC6lWlpnXv7nhixhlAU83VwMCifvR
Malware Config
Extracted
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.readme_txt
https://qmnmrba4s4a3py6z.onion.to/order/43e4593a-5dc7-11e7-8803-00163e417ea3
http://qmnmrba4s4a3py6z.onion/order/43e4593a-5dc7-11e7-8803-00163e417ea3
Signatures
-
Renames multiple (9929) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Discovers systems in the same network 1 TTPs 2 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Bit Paymer.exe"C:\Users\Admin\AppData\Local\Temp\Bit Paymer.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\wY1\jJ2urb7.exe 22⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\wY1\jJ2urb7.exeC:\Users\Admin\AppData\Local\wY1\jJ2urb7.exe 23⤵
- Executes dropped EXE
- Loads dropped DLL
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\SYL0DS:exeC:\Users\Admin\AppData\Local\SYL0DS:exe 3 C:\Users\Admin\AppData\Local\wY1\jJ2urb7.exe4⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\vz2t6G8:exeC:\Users\Admin\AppData\Local\vz2t6G8:exe 1 C:\Users\Admin\AppData\Local\Temp\Bit Paymer.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exeC:\Windows\system32\net.exe view3⤵
- Discovers systems in the same network
-
C:\Windows\SysWOW64\net.exeC:\Windows\system32\net.exe view \\MVFYZPLM3⤵
- Discovers systems in the same network
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD59af0fd933b32573fc23a01b45c73a37c
SHA1d3b0e9c2f44e4a61ddfce08ac0eb7873612a694a
SHA256797073ada4fc49080e3801afc4b4ec3b2be22e47386cdb97ee0aeea16c6bd0f8
SHA5126c19e31a6d9b482ce066ba3231af0531de2444b6ab6ab480d59facb7d37113d0a0ed628e54f7e888329884f7afedee5a6844852095d29cdcba9a772e066452e2
-
Filesize
1KB
MD586790fb33e065ee611010f72ae7af270
SHA15645b9dd67cbb967f5cd408a06cb397cf6f0e58f
SHA256a56f9d1f4781c39f42903101142fc936e3712f429adea3c397889c94513dad7a
SHA512e88c468291f8157dcdf6e2470646970f29703bbcbe52dd7ca1906c76d1148eada3a68c635e601a5d9a35e411563e1dbc860abb212c1e42b48d04e64da9ecb874
-
Filesize
2KB
MD5e5c090702f17432feddb2269d6d282d5
SHA18bcc473696463cdb3db094458a1e33504bef4996
SHA256c75adfa75cc1f7380c639a51068df8d026ca3de7c0f3413f01e9bb63f1b9be2d
SHA512833067c8bc41297eee531c9755fa8602044ae29f2578b6dbf151730252bcf033af68d3f4a21860a0e64e7a2c12a7cacbe3c3306c96e57c25f3412408ff2cac36
-
Filesize
1KB
MD5fd8f35b6a6ef7e0a0b0369abf48577c4
SHA1c1b7e5b5a5904491eac97c6ec4871f2a60f02104
SHA2561a815336304b0d8f169a60da17d6bca5646c08183865b8d9aea0a805ea0a2b26
SHA512924f7885985890ef27678fbede0dfc940258f110cfc982cec2f00b5d33a929d576f08ffe614b892ffb6538de3c3ddd25160e9c79b22fffd6c288973e97326b64
-
Filesize
405KB
MD59641bc98d0335bff9a2ce20bb3cd3d4a
SHA1be4bdff3a5ee4588bf7d88ffd318091c957c8dc7
SHA25600cfafcc42a97025ac850dcd1a656fad7e095d53818157d7f9c7f8014717dff4
SHA5122d9dfb40d55a87bf642e540eb169efe3faab84ecc7f84ab54bb80e771d3ff9aff7309baa13781fa910d9109548adc0f27d05c33fb08c301711e34a5ed9b3f29b
-
Filesize
92KB
MD5998246bd0e51f9582b998ca514317c33
SHA15a2d799ac4cca8954fc117c7fb3e868f93c6f009
SHA256d693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2
SHA512773d9838be9c09bd43a22aa1eada8f623f95739b21828712236a4a209c6d9266647ef43592d072d68399224965253c37f9ce9ef36e46e8191169c03ac7789130
-
Filesize
4B
MD576390d3429ba451f1e37daae6bc85b51
SHA1c8e633f4a5ad8991f348fa8bf85dfec134e2c4dc
SHA25631d694956ddcdb8b2d61ee7b91beb5af37ce0557b6ca44438d2c3ca9f96c56d9
SHA512cff8a95d7efbabc3ac3c06b721166ac26254eadcbed6296bb17712be07c1b7245ab22fb9b558371b0a69e855451706180ef20ccb57f639cbe818c14d90bd3e54
-
Filesize
1KB
MD551fab08a170e3c398e696a5d36cde259
SHA1b60d83b9db3831998bb5672e4a4a1610cf4e1cb1
SHA256bab1199a9b43d11429c79f0b15c7e8c8d61ec612aca223aa66fd253eab11f1cb
SHA51250b95e5bd31ab894e997773c374592bda8a0cf44f92c9b92aad8155928240c1a2d177f81bcdefe72d686413dd9494f8010f66f9e191b7a549fb99902c6f2c3d6
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
24KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
24KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB