Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-ja
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-ja, locale:ja-jp, os:windows7-x64, system, windows
  • submitted
    26-07-2024 05:23

General

  • Target

    1.exe

  • Size

    147KB

  • MD5

    e586722144cb8d90672ec57043dd85d0

  • SHA1

    44d79cc55fc09b556e5cd29d686ac5658e0b9ada

  • SHA256

    f885292741e1b6d1bd35d6c35cf125ade98b5956f88f64e6596bde835fb15984

  • SHA512

    90ec3e866ee29d6b40cb7616ca4b5e9d5935be30ac067d07c7d3e81630881670642457326176b6eab15c5c62de55c4e9581bdb767fe894cce63a6cb934a586e7

  • SSDEEP

    1536:QzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDHc4KWJXmP0bGAVXVd7YZx3JCTz:vqJogYkcSNm9V7DUWJXm8b7ld7IGTHT

Malware Config

Extracted

Path

C:\6MLkBJomc.README.txt

Ransom Note
------Dear managers!------
If you are reading this, it means your network has been attacked. What does that mean? We hacked your network and now all your files, documents, client database, projects and other important data safely encrypted with reliable algorithms. we also have a copy of all your data. WARNING!!! You don't have to go to the POLICE, etc. Otherwise we will not be able to help you. You cannot acces the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. As proof, we can decrypt any 3 files you provide. We are not interested to ruin your business. We want to get ransom and be happy. Please bring this information to your team leaders as soon as possible. In case of a successfull transaction, we will restore your systems within 4-6 hours and also provide security recommendations. Don't cry, money is just paper!
-----------------------WARNING-----------------------
If you modify files - our decrypt software won't able to recover data
If you use third party software - you can damage/modify files (see item 1)
You nedd cipher key / our decrypt software to restore you files.
The police or authorities will not be able to help you get the cipher key.
We encourage you to consider your decisions.
-----------------------RECOVERY-----------------------
Use email: [email protected] (Alternate email address: [email protected])
You personal ID: 9203819856004948

Signatures

  • Renames multiple (345) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\ProgramData\ECFE.tmp
      "C:\ProgramData\ECFE.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\ECFE.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1144
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
    PID:536

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini

      Filesize

      129B

      MD5

      20e13cd20dde0866522d0367733ad963

      SHA1

      4450671e3f5b3e554ee6a0a8ec926b35853d7f1a

      SHA256

      c04c0274cfe18e446017e9cf56365eab7dde129df605fc98134ef97213c11ae4

      SHA512

      ad5b0f6fe332e179310f2657576ba86a09d40030fee81f429407eabd98c5e072e5db0da9d21a14ea14a1a000f088f8c8b63896941657f72b627f122ff55a037f

    • C:\6MLkBJomc.README.txt

      Filesize

      1KB

      MD5

      5d5e3bcf3bf2dbe5a7550905da970fe7

      SHA1

      435377160c7cc453c1b0f5434cf43f27f0e26f65

      SHA256

      3f87ea04b7b04c9d7d2fd2b631bc1b3273cfda1ffc1562de09feef03e60a706c

      SHA512

      4eb102f496c14d8dd1439b62a920ba0595f74391473c81f88d7ce30bac5c0741217b5065490f66344594f2534bffc2e6f8107b99683b1383e6d91d7e0443e62f

    • C:\ProgramData\ECFE.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\DDDDD

      Filesize

      147KB

      MD5

      74f94071bc3c213ad3d8e5b07a0668ef

      SHA1

      86e738c58e7a3f0db6763a1f3cee8106f6962693

      SHA256

      81845ca4e56d8629bcc00e73ea0e34ee8db98420467fb216b384e36a9d286d86

      SHA512

      5620c12c30f1bd7544316433c752d487d0dce95edd9a9a6f8ee531cb9e66cf4b53a07e906097b411f06a3348f6337f809578af143ad2ad852bdee7014c8f894d

    • F:\$RECYCLE.BIN\S-1-5-21-3294248377-1418901787-4083263181-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      1a0cf8c510241a3e177eb496a087573a

      SHA1

      e35795571d5037d4749e29529b0d449d60a98bce

      SHA256

      ac8ef1c93d0ab5cd8def13c9c5edb617660dace1a6b278565536cccd8867d5bd

      SHA512

      cee48a87c7dd541cf6078f87da9dadccdb99efb0e28db4abb7394a5bf90b283512cb790b1568b05ba41aef2a5d387b03ca13dd8699d8f80639852ed59929bfe2

    • memory/1496-879-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

    • memory/1496-878-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

    • memory/1496-877-0x0000000002350000-0x0000000002390000-memory.dmp

      Filesize

      256KB

    • memory/1496-876-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

    • memory/1496-909-0x000000007EF60000-0x000000007EF61000-memory.dmp

      Filesize

      4KB

    • memory/1496-908-0x000000007EF40000-0x000000007EF41000-memory.dmp

      Filesize

      4KB

    • memory/2172-0-0x00000000009C0000-0x0000000000A00000-memory.dmp

      Filesize

      256KB