Resubmissions
18-07-2024 07:25
240718-h84wjs1hpb 1018-07-2024 07:19
240718-h51pqa1gng 1017-07-2024 20:55
240717-zqkhmaydmq 1017-07-2024 19:21
240717-x2pwdaycjb 10Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
17-07-2024 20:55
General
-
Target
Bit Paymer.exe
-
Size
92KB
-
MD5
998246bd0e51f9582b998ca514317c33
-
SHA1
5a2d799ac4cca8954fc117c7fb3e868f93c6f009
-
SHA256
d693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2
-
SHA512
773d9838be9c09bd43a22aa1eada8f623f95739b21828712236a4a209c6d9266647ef43592d072d68399224965253c37f9ce9ef36e46e8191169c03ac7789130
-
SSDEEP
1536:tacFdjxs2TlWlpnXv91nhixG8/lA5jG8387SpK6jXOMVHoi5e+vRb:taqJC6lWlpnXv7nhixhlAU83VwMCifvR
Malware Config
Extracted
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.readme_txt
https://qmnmrba4s4a3py6z.onion.to/order/43e4593a-5dc7-11e7-8803-00163e417ea3
http://qmnmrba4s4a3py6z.onion/order/43e4593a-5dc7-11e7-8803-00163e417ea3
Signatures
-
Renames multiple (12323) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Discovers systems in the same network 1 TTPs 1 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Bit Paymer.exe"C:\Users\Admin\AppData\Local\Temp\Bit Paymer.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Lrx9Yo\gT0.exe 22⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Lrx9Yo\gT0.exeC:\Users\Admin\AppData\Local\Lrx9Yo\gT0.exe 23⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\cFqWH:exeC:\Users\Admin\AppData\Local\cFqWH:exe 3 C:\Users\Admin\AppData\Local\Lrx9Yo\gT0.exe4⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Program Files directory
-
-
-
-
C:\Users\Admin\AppData\Local\gNT:exeC:\Users\Admin\AppData\Local\gNT:exe 1 C:\Users\Admin\AppData\Local\Temp\Bit Paymer.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exeC:\Windows\system32\net.exe view3⤵
- Discovers systems in the same network
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD55fe795b0946117c943decf23c5a8e5bf
SHA1132661430c77b17f8b8d6a5b672401bef0942f70
SHA25696d68494a12403699a4b80ef56f7bebd5d7c2da903bb5ca49b653a87ceb9ecae
SHA512d5e31c8770456de7af85d92fc31ecf99128a423313ea90bf92bddb40b293cb1478782e27ac70c3e7a460fd0b89f9a72ed4a4d4cd9bca55c869edbddfd0fe043d
-
Filesize
289KB
MD5d35a51e72d507d85f6ca64225d7fcd5b
SHA1f94d07e0aed1087f12324b9d55212bfd43025c75
SHA25686b0a92394b29216197ac8bca73aaee6be9f761bd282c4a7cc763234fcf1fa72
SHA512ca1a3bf5d0ef9ed552ea486d336a75cc893f5d9b974cb8893a408307af17b8547ca5f64355c4c804812a363bb9a07ba2458c7ffc8d52d6c5f3165f6b88e4a40d
-
Filesize
1KB
MD519b579389820cd1fb908b9d8870a7142
SHA170e3dcccc5a29268fa2c6f1c4d86e0f7a3b52935
SHA2563c1e56c193980f4638a44575826b1605496ffa858a52ea3b2fdcd72094661cfe
SHA512220e1672dda8a4e951c0924b7d467a7ac78ae1865546fa4026f75539745696c9dc6658edfeddd6f701e02b9c23916f1e91764d787a85e91ac2a122a65041c36e
-
Filesize
622KB
MD5e8b24556b7ff24bcccf44c2823749e41
SHA124b989916199f6c3268e50393a763b3ee8cfea10
SHA256f7732d46879e5fd25c5f4e1a1f6bdf18ea5987af1b6de1ee973ecfa523c8e21a
SHA512da205c221d93de7e71a2c75c38487b293038dff0e01c2fa6fcaae4ecc925885b640082905580445f503e8a884c9205d6d8980b51984ae93d3bf35850f9284002
-
Filesize
92KB
MD5998246bd0e51f9582b998ca514317c33
SHA15a2d799ac4cca8954fc117c7fb3e868f93c6f009
SHA256d693c33dd550529f3634e3c7e53d82df70c9d4fbd0c339dbc1849ada9e539ea2
SHA512773d9838be9c09bd43a22aa1eada8f623f95739b21828712236a4a209c6d9266647ef43592d072d68399224965253c37f9ce9ef36e46e8191169c03ac7789130
-
Filesize
4B
MD576390d3429ba451f1e37daae6bc85b51
SHA1c8e633f4a5ad8991f348fa8bf85dfec134e2c4dc
SHA25631d694956ddcdb8b2d61ee7b91beb5af37ce0557b6ca44438d2c3ca9f96c56d9
SHA512cff8a95d7efbabc3ac3c06b721166ac26254eadcbed6296bb17712be07c1b7245ab22fb9b558371b0a69e855451706180ef20ccb57f639cbe818c14d90bd3e54
-
Filesize
1KB
MD551fab08a170e3c398e696a5d36cde259
SHA1b60d83b9db3831998bb5672e4a4a1610cf4e1cb1
SHA256bab1199a9b43d11429c79f0b15c7e8c8d61ec612aca223aa66fd253eab11f1cb
SHA51250b95e5bd31ab894e997773c374592bda8a0cf44f92c9b92aad8155928240c1a2d177f81bcdefe72d686413dd9494f8010f66f9e191b7a549fb99902c6f2c3d6
-
Filesize
24KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
24KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
24KB
-
Filesize
128KB
-
Filesize
24KB