Overview

Submitted samples (score, sample, platform):
- score 7: BitchTits ...P].exe (windows7-x64)
- score 7: WannaFartCry.exe (windows7-x64)
- score 3: Wannashiturself.exe (windows7-x64)
- score 10: big FAT ti...RE.exe (windows7-x64)
- score 10: big fat se...re.exe (windows7-x64)
- score 1: bitch man ...re.exe (windows7-x64)
- score 8: bro what t...at.dll (windows7-x64)
- score 7: cocksucker...L].exe (windows7-x64)
- score 7: fart poopy...re.exe (windows7-x64)
- score 7: fart weewe...re.exe (windows7-x64)
- score 10: farting po...re.exe (windows7-x64)
- score 10: farty poo ...re.exe (windows7-x64)
- score 10: fuck you.exe (windows7-x64)
- score 7: large peni...24.exe (windows7-x64)
- no score: niggaware ...29.exe (windows7-x64)
- score 10: pee poo pi...re.exe (windows7-x64)
- score 10: retard ransomware.exe (windows7-x64)
Analysis
- max time kernel: 1800s
- max time network: 1566s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2024 14:23
Behavioral tasks (task: sample, resource)
- behavioral1: BitchTits Ransomware [VIP].exe, win7-20240708-en
- behavioral2: WannaFartCry.exe, win7-20240704-en
- behavioral3: Wannashiturself.exe, win7-20240704-en
- behavioral4: big FAT tits RANSOMWARE.exe, win7-20240704-en
- behavioral5: big fat sexy dildo poop ransomware.exe, win7-20240708-en
- behavioral6: bitch man ransomware.exe, win7-20240708-en
- behavioral7: bro what the fuckkk ur seriously beliving that.dll, win7-20240704-en
- behavioral8: cocksucker ransomware [COOL].exe, win7-20240704-en
- behavioral9: fart poopy ransowmare.exe, win7-20240705-en
- behavioral10: fart weewee ransomware.exe, win7-20240708-en
- behavioral11: farting poop sex ransomware.exe, win7-20240708-en
- behavioral12: farty poo poo ransomware.exe, win7-20240705-en
- behavioral13: fuck you.exe, win7-20240705-en
- behavioral14: large penis ransomware 2024.exe, win7-20240704-en
- behavioral15: niggaware ransomware in 2029.exe, win7-20240704-en
- behavioral16: pee poo piss piss ransomware rare.exe, win7-20240705-en
- behavioral17: retard ransomware.exe, win7-20240705-en
General (behavioral8)
- Target: cocksucker ransomware [COOL].exe
- Size: 378KB
- MD5: 232fa9e369270ad2400f147358106f84
- SHA1: 652c7b72f2de9ac2b6a38f61bbab56c31cd4f56b
- SHA256: eb08cd98561489036e4f156b1cf30312358a455a076396a1244a940cf91172ca
- SHA512: 088f6945749499224678e34624e8d91a8853bf574d3bfeb4b745b62a4c0198457272458491ff28b33dfa2bf88e0981db3314633d0dac1a242add86137b82b334
- SSDEEP: 6144:Dp7/yjcX8JtYa0exxWT+9g7jyOhM+9bHUm4pZdjBto+VXaWLtBLNKdeoS:djlX5asT6g7fhMjm43dzo+QOB1oS
Malware Config
Signatures
- Deletes itself (1 IoC): PID 2624, dD28275IiBcA28275.exe
- Executes dropped EXE (1 IoC): PID 2624, dD28275IiBcA28275.exe
- Loads dropped DLL (1 IoC): PID 1696, cocksucker ransomware [COOL].exe
- yara_rule upx (17 IoCs): matched in the dropped file behavioral8/files/0x000500000001a4a2-12.dat and in 16 memory dumps of PID 1696 (regions 0x400000-0x4CD000, 0x400000-0x4BF000, 0x2B10000-0x2BDD000) and PID 2624 (region 0x400000-0x4CD000)
- Adds Run key to start application (2 TTPs, 1 IoC): dD28275IiBcA28275.exe set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dD28275IiBcA28275 = "C:\\ProgramData\\dD28275IiBcA28275\\dD28275IiBcA28275.exe"
- Suspicious behavior: EnumeratesProcesses (64 IoCs): PID 1696, cocksucker ransomware [COOL].exe (1 entry); PID 2624, dD28275IiBcA28275.exe (remaining 63 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs): Token SeDebugPrivilege enabled by PID 1696, cocksucker ransomware [COOL].exe, and by PID 2624, dD28275IiBcA28275.exe
- Suspicious use of FindShellTrayWindow (8 IoCs): PID 2624, dD28275IiBcA28275.exe (8 entries)
- Suspicious use of SendNotifyMessage (7 IoCs): PID 2624, dD28275IiBcA28275.exe (7 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs): PID 2624, dD28275IiBcA28275.exe (2 entries)
- Suspicious use of WriteProcessMemory (4 IoCs): PID 1696, cocksucker ransomware [COOL].exe, wrote to the memory of PID 2624 (4 entries; procid_target 30)
Processes (process tree)
- C:\Users\Admin\AppData\Local\Temp\cocksucker ransomware [COOL].exe, PID 1696, command line: "C:\Users\Admin\AppData\Local\Temp\cocksucker ransomware [COOL].exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - child: C:\ProgramData\dD28275IiBcA28275\dD28275IiBcA28275.exe, PID 2624, command line: "C:\ProgramData\dD28275IiBcA28275\dD28275IiBcA28275.exe" "C:\Users\Admin\AppData\Local\Temp\cocksucker ransomware [COOL].exe"
    - Deletes itself
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  - Filesize: 192B
  - MD5: f27921957d93a4a0baa5b86a0d0b832f
  - SHA1: fc6bfb0485319084954412b35f02c5d2f8494660
  - SHA256: f9ead79f4d07bad48410f26128fb4618ba3118765a8d63f4892d74dc76b3c957
  - SHA512: 79d27353fa7165d0fdef25471f985fd4488686ae3173337fbbd8f4a1634e1a3176eeb8411bdf7d579f640b1e03e17ac3b1a4305dc8334d43ade4aac571d23f13
- File 2
  - Filesize: 378KB
  - MD5: efc456061ce7573f647d3e221145b920
  - SHA1: 95abe225a31375b2b1a89cf47d4fb895c31ff9ac
  - SHA256: f720d594d41405adcbeb5c66130b2f049c628165b0262f60aed9251ae7c151d3
  - SHA512: 7d632d76979d0c2a567aee6b71edb2469f787cf8805ca3f138b8df1ff3608295f42139ab2f36f664d5f1366275f7f8f7a69507f53be357f899d46e73c39e3575