Overview

overview

10

Static

static

3

2272954a2c...5a.exe

windows7-x64

10

2272954a2c...5a.exe

windows10-2004-x64

10

72716d15ea...21.exe

windows7-x64

7

72716d15ea...21.exe

windows10-2004-x64

7

Bit Paymer.exe

windows7-x64

10

Bit Paymer.exe

windows10-2004-x64

10

KeepCalm.exe

windows7-x64

1

KeepCalm.exe

windows10-2004-x64

1

LockedIn.exe

windows7-x64

9

LockedIn.exe

windows10-2004-x64

9

NotPetya.dll

windows7-x64

10

NotPetya.dll

windows10-2004-x64

10

Purge.exe

windows7-x64

1

Purge.exe

windows10-2004-x64

1

Scarab.exe

windows7-x64

10

Scarab.exe

windows10-2004-x64

10

a631ad1b1a...4b.exe

windows7-x64

6

a631ad1b1a...4b.exe

windows10-2004-x64

6

a9053a3a52...bc.exe

windows7-x64

7

a9053a3a52...bc.exe

windows10-2004-x64

7

b764629e1f...1c.exe

windows7-x64

10

b764629e1f...1c.exe

windows10-2004-x64

10

cf89f70633...5c.exe

windows7-x64

1

cf89f70633...5c.exe

windows10-2004-x64

3

e951e82867...50.exe

windows7-x64

1

e951e82867...50.exe

windows10-2004-x64

1

fa0c321e1a...d2.exe

windows7-x64

9

fa0c321e1a...d2.exe

windows10-2004-x64

8

fc184274ad...27.exe

windows7-x64

10

fc184274ad...27.exe

windows10-2004-x64

10

Resubmissions

18-07-2024 07:25

240718-h84wjs1hpb 10

18-07-2024 07:19

240718-h51pqa1gng 10

17-07-2024 20:55

240717-zqkhmaydmq 10

17-07-2024 19:21

240717-x2pwdaycjb 10

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-07-2024 20:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe

  • Size

    121KB

  • MD5

    eac0a08470ee67c63b14ae2ce7f6aa61

  • SHA1

    285c0163376d5d9a5806364411652fe73424d571

  • SHA256

    fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7

  • SHA512

    f3fd7eeae18843d049443f0d5e818302eb3b3f73ad85e26c01e1ddc0a102a0a22b065afe01879aafc95ff3a2d15b5c302394bd03d91e6c4401648cd4222bddc5

  • SSDEEP

    1536:3THoX8wNjiMsyPcjgbKx534oU6Llg/iLBkZhifkdol9LYuVF5yZbn:DjksYKx5o3Slg/itMg8+LYu9ubn

Score
8/10
evasionexecutionpersistence

Malware Config

Signatures

  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 25 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 7 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe
    "C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4824
    • C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe
      "C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc stop VVS
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1032
        • C:\Windows\SysWOW64\sc.exe
          sc stop VVS
          4⤵
          • Launches sc.exe
          PID:2088
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc stop wscsvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4332
        • C:\Windows\SysWOW64\sc.exe
          sc stop wscsvc
          4⤵
          • Launches sc.exe
          PID:660
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc stop WinDefend
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4612
        • C:\Windows\SysWOW64\sc.exe
          sc stop WinDefend
          4⤵
          • Launches sc.exe
          PID:1312
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc stop wuauserv
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:528
        • C:\Windows\SysWOW64\sc.exe
          sc stop wuauserv
          4⤵
          • Launches sc.exe
          PID:2472
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc stop BITS
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4528
        • C:\Windows\SysWOW64\sc.exe
          sc stop BITS
          4⤵
          • Launches sc.exe
          PID:2800
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc stop ERSvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4856
        • C:\Windows\SysWOW64\sc.exe
          sc stop ERSvc
          4⤵
          • Launches sc.exe
          PID:1440
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc stop WerSvc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3264
        • C:\Windows\SysWOW64\sc.exe
          sc stop WerSvc
          4⤵
          • Launches sc.exe
          PID:5084
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
        3⤵
          PID:3044
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No
          3⤵
            PID:464
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
            3⤵
              PID:1596
            • C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe
              C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe
              3⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:5028
              • C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe
                C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe
                4⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Adds Run key to start application
                • Drops desktop.ini file(s)
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Modifies registry class
                PID:4968
                • C:\Windows\SysWOW64\NOTEPAD.EXE
                  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_HELP_INSTRUCTION.TXT
                  5⤵
                  • Opens file in notepad (likely ransom note)
                  PID:3928

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\_HELP_INSTRUCTION.TXT
          Filesize

          1KB

          MD5

          62e53ce26db5098f76a5337cbfd7bf64

          SHA1

          db36b49263c1eddd6874f0ba667a5adc0e3ba644

          SHA256

          2cf42abd200c8ca9bf5337752b495d7bf6b3143f61a5894a8ea2443a2a178cf9

          SHA512

          d4e6a9aefe0ed07d443b8d2ecde211b94ea7a0c810e7f1696ed52ec46400a34dc6761c70a35440081ed20d47eeba0c37b699bd8c90bbf7e24680c6b42849097a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe
          Filesize

          121KB

          MD5

          eac0a08470ee67c63b14ae2ce7f6aa61

          SHA1

          285c0163376d5d9a5806364411652fe73424d571

          SHA256

          fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7

          SHA512

          f3fd7eeae18843d049443f0d5e818302eb3b3f73ad85e26c01e1ddc0a102a0a22b065afe01879aafc95ff3a2d15b5c302394bd03d91e6c4401648cd4222bddc5

          Download Submit

        • memory/2056-2-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/2056-3-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/2056-4-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4824-1-0x0000000000670000-0x0000000000770000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/4968-71-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-86-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-22-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-26-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-31-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-36-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-41-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-46-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-51-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-56-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-61-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-66-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-18-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-76-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-81-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-20-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-91-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-96-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-15-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-109-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-115-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-127-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-133-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-135-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-137-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-139-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-141-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-143-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-145-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/4968-151-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download