Analysis
max time kernel: 6s
max time network: 7s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 20-07-2024 14:23
Behavioral task | Sample | Resource
behavioral1 | BitchTits Ransomware [VIP].exe | win7-20240708-en
behavioral2 | WannaFartCry.exe | win7-20240704-en
behavioral3 | Wannashiturself.exe | win7-20240704-en
behavioral4 | big FAT tits RANSOMWARE.exe | win7-20240704-en
behavioral5 | big fat sexy dildo poop ransomware.exe | win7-20240708-en
behavioral6 | bitch man ransomware.exe | win7-20240708-en
behavioral7 | bro what the fuckkk ur seriously beliving that.dll | win7-20240704-en
behavioral8 | cocksucker ransomware [COOL].exe | win7-20240704-en
behavioral9 | fart poopy ransowmare.exe | win7-20240705-en
behavioral10 | fart weewee ransomware.exe | win7-20240708-en
behavioral11 | farting poop sex ransomware.exe | win7-20240708-en
behavioral12 | farty poo poo ransomware.exe | win7-20240705-en
behavioral13 | fuck you.exe | win7-20240705-en
behavioral14 | large penis ransomware 2024.exe | win7-20240704-en
behavioral15 | niggaware ransomware in 2029.exe | win7-20240704-en
behavioral16 | pee poo piss piss ransomware rare.exe | win7-20240705-en
behavioral17 | retard ransomware.exe | win7-20240705-en
Errors
General
Target: large penis ransomware 2024.exe
Size: 63KB
MD5: 26c694b48cd31b6d72b80600a628a9bb
SHA1: 7f49fae234ece4eaa6e24bb036e22f5bf9695af5
SHA256: 58a7fb4318058b3408693e6d1358b2f95dd00d8774f897464fbde3094c00de41
SHA512: bbd57471cdc48110380a275c765f4f730daf294b2e78d18f3bdda7337ae6e156b164fd6f495a374eaf5bceb8b21c7f5070e6549fd1a34be2a0511d7fef5f0394
SSDEEP: 1536:X2raMo+pQDwUmjBl96LG9psn/yJo3XWHVmcuuIYWtJULLLES:GrRo+pEwU096KJvmTJULLLES
Malware Config
Signatures
- Deletes itself 1 IoCs
  Processes: cmd.exe
  pid | process
  2908 | cmd.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes: reg.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\2170829702 = "C:\\Users\\Admin\\2170829702.exe" | reg.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken 3 IoCs
  Processes: large penis ransomware 2024.exe, shutdown.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 3044 | large penis ransomware 2024.exe
  Token: SeShutdownPrivilege | 2836 | shutdown.exe
  Token: SeRemoteShutdownPrivilege | 2836 | shutdown.exe
- Suspicious use of WriteProcessMemory 16 IoCs
  Processes: large penis ransomware 2024.exe, cmd.exe
  description | pid | process | target process
  PID 3044 wrote to memory of 2700 | 3044 | large penis ransomware 2024.exe | cmd.exe
  PID 3044 wrote to memory of 2700 | 3044 | large penis ransomware 2024.exe | cmd.exe
  PID 3044 wrote to memory of 2700 | 3044 | large penis ransomware 2024.exe | cmd.exe
  PID 3044 wrote to memory of 2700 | 3044 | large penis ransomware 2024.exe | cmd.exe
  PID 2700 wrote to memory of 2828 | 2700 | cmd.exe | reg.exe
  PID 2700 wrote to memory of 2828 | 2700 | cmd.exe | reg.exe
  PID 2700 wrote to memory of 2828 | 2700 | cmd.exe | reg.exe
  PID 2700 wrote to memory of 2828 | 2700 | cmd.exe | reg.exe
  PID 3044 wrote to memory of 2836 | 3044 | large penis ransomware 2024.exe | shutdown.exe
  PID 3044 wrote to memory of 2836 | 3044 | large penis ransomware 2024.exe | shutdown.exe
  PID 3044 wrote to memory of 2836 | 3044 | large penis ransomware 2024.exe | shutdown.exe
  PID 3044 wrote to memory of 2836 | 3044 | large penis ransomware 2024.exe | shutdown.exe
  PID 3044 wrote to memory of 2908 | 3044 | large penis ransomware 2024.exe | cmd.exe
  PID 3044 wrote to memory of 2908 | 3044 | large penis ransomware 2024.exe | cmd.exe
  PID 3044 wrote to memory of 2908 | 3044 | large penis ransomware 2024.exe | cmd.exe
  PID 3044 wrote to memory of 2908 | 3044 | large penis ransomware 2024.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\large penis ransomware 2024.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\large penis ransomware 2024.exe"
  PID: 3044
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2170829702 /t REG_SZ /d "%userprofile%\2170829702.exe" /f
    PID: 2700
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2170829702 /t REG_SZ /d "C:\Users\Admin\2170829702.exe" /f
      PID: 2828
      - Adds Run key to start application
  - C:\Windows\SysWOW64\shutdown.exe
    Command line: "C:\Windows\System32\shutdown.exe" /r /f /t 3
    PID: 2836
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\LARGEP~1.EXE > nul
    PID: 2908
    - Deletes itself
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 2668
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 712