Analysis

  • max time kernel
    1800s
  • max time network
    1795s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-07-2024 14:23

General

  • Target
    bitch man ransomware.exe
  • Size
    54KB
  • MD5
    5d55ed9e61bbd72c30793c5db6c4e2c0
  • SHA1
    cad90549d832bf16e8bd15e9613800cdee495bbd
  • SHA256
    b74b57fc010ceb1457978ca8d089c880fe854d112a1fb20f931718f4d77f1513
  • SHA512
    0d72487a19773bb674b22a22b67d30d5e7349108a9bff46ff521ad99547ff590e933300ca38bc8c3517d8a1fbc65cff64dbf949492efb0c69012bd86791607ba
  • SSDEEP
    1536:u3kgIekvc/f/tugCsxPSEAyZhuKuJmUJoKg1Wai:YbIekQHZBhuKjU+KgM

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops file in Drivers directory 28 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bitch man ransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\bitch man ransomware.exe"
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\programs\ini.exe
      C:\Windows\programs\ini.exe
      • Boot or Logon Autostart Execution: Active Setup
      • Drops file in Drivers directory
      • Drops startup file
      • Executes dropped EXE
      • Impair Defenses: Safe Mode Boot
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2972
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BITCHM~1.EXE > nul
      • Deletes itself
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wsock32.dll
    Filesize: 17KB
    MD5: 9b42fd2333c9e6bd2c4c260433a90b42
    SHA1: 0c0842a3abc9ccf0d1a6d192c948ccb492d4cf5d
    SHA256: fd5644490ff5be33a22c3976f65ccc0b1338e9775bdf6cec22b4d34db6a3aed6
    SHA512: 7526358814c3e2557aca828eb81a252e1c7a32c58fb83c931724326d4c197eab8aba28647a5db81ce04d21d0d1c63eb113163945d98787e222a9c7980af78452

  • C:\Windows\programs\fuckme.vbs
    Filesize: 98B
    MD5: 0925bdaa312fecb530c1d48b220d31ce
    SHA1: de8d85a93acb9babfa71a74ebb40402b02853043
    SHA256: 3016b31ecee1ad7211b2f541d3314955e4a21d64a820b245bffdc7ac7e8e5d15
    SHA512: 61afae90f93fea10fec1377dbc9181f2746b97b7210ada515d28239354f092ab34e40fb1b53293fbdcea13ded1d99fa3fdcbc14464f41354f54aecfa227e8af7

  • C:\Windows\system32é—ôÿÿ
    Filesize: 904B
    MD5: fddf3a7b7372d7b7c0aa2eae2cb582a6
    SHA1: 492f336df8c1a3467b38978955f1ad5ae03a65fd
    SHA256: 5de04384652accddd8e528fbf05453443031b47e23e12a5e219893497cb7a61a
    SHA512: 20ec9393053a3ab47a11ee0c3dcea771fdf7544525f6e89c08bc7b2ac744d8a10265512001377e6520e656f5afa4582fbb9f6616d2e32efdb7173fc255e02c0f

  • \Windows\programs\ini.exe
    Filesize: 54KB
    MD5: e654688cd7db7e2a1b5e4a25f8d95b3a
    SHA1: 3da2af687ce9cddd4a59c4561209d79f4b328288
    SHA256: 1978e7a0abb130627bcce010403c065b1f1ab16b8324b5d9839d5a5e9c8e6bea
    SHA512: ae5691b3b137d3eb9a21a7e03f27ff1ae309bbe95db82d4be05d969b472ce93370574a09abd29eaf68266b8f70cdaa2403684eb7e6cf0468e812e8e7f425eb87