Overview

overview

10

Static

static

10

1.exe

windows7-x64

10

1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-ja
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-jalocale:ja-jpos:windows10-2004-x64systemwindows
  • submitted
    26-07-2024 05:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1.exe

  • Size

    147KB

  • MD5

    e586722144cb8d90672ec57043dd85d0

  • SHA1

    44d79cc55fc09b556e5cd29d686ac5658e0b9ada

  • SHA256

    f885292741e1b6d1bd35d6c35cf125ade98b5956f88f64e6596bde835fb15984

  • SHA512

    90ec3e866ee29d6b40cb7616ca4b5e9d5935be30ac067d07c7d3e81630881670642457326176b6eab15c5c62de55c4e9581bdb767fe894cce63a6cb934a586e7

  • SSDEEP

    1536:QzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDHc4KWJXmP0bGAVXVd7YZx3JCTz:vqJogYkcSNm9V7DUWJXm8b7ld7IGTHT

Score
10/10
defense_evasiondiscoveryransomwarespywarestealer

Malware Config

Extracted

Path

C:\6MLkBJomc.README.txt

Ransom Note
------Dear managers!------ If you are reading this, it means your network has been attacked. What does that mean? We hacked your network and now all your files, documents, client database, projects and other important data safely encrypted with reliable algorithms. we also have a copy of all your data. WARNING!!! You don't have to go to the POLICE, etc. Otherwise we will not be able to help you. You cannot acces the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. As proof, we can decrypt any 3 files you provide. We are not interested to ruin your business. We want to get ransom and be happy. Please bring this information to your team leaders as soon as possible. In case of a successfull transaction, we will restore your systems within 4-6 hours and also provide security recommendations. Don't cry, money is just paper! -----------------------WARNING----------------------- If you modify files - our decrypt software won't able to recover data If you use third party software - you can damage/modify files (see item 1) You nedd cipher key / our decrypt software to restore you files. The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -----------------------RECOVERY----------------------- Use email: [email protected] (Alternate email address: [email protected]) You personal ID: 9203819856004948

Signatures

  • Renames multiple (642) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    1⤵
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4848
    • C:\ProgramData\D467.tmp
      "C:\ProgramData\D467.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3260
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D467.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1108

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2636447293-1148739154-93880854-1000\HHHHHHHHHHH
    Filesize

    129B

    MD5

    6eaf8d29a952ae11bd75f534ed233e36

    SHA1

    e7c8b0a899a0d01ea0e4d188afd3456d2311412a

    SHA256

    50de1b6a2934adc41f2dd680b6b75316cf2c8a97efac76fa0f128b3f54e09fe5

    SHA512

    7910b5649fc03f2b9c61207df531d00ce9c81fdc30f4716c1ec7518c9811224ec8d4eee9ad7c686beaec5931c37ab7a5822fc248ac83dc27e6f5555ac89a5888

    Download Submit

  • C:\6MLkBJomc.README.txt
    Filesize

    1KB

    MD5

    5d5e3bcf3bf2dbe5a7550905da970fe7

    SHA1

    435377160c7cc453c1b0f5434cf43f27f0e26f65

    SHA256

    3f87ea04b7b04c9d7d2fd2b631bc1b3273cfda1ffc1562de09feef03e60a706c

    SHA512

    4eb102f496c14d8dd1439b62a920ba0595f74391473c81f88d7ce30bac5c0741217b5065490f66344594f2534bffc2e6f8107b99683b1383e6d91d7e0443e62f

    Download Submit

  • C:\ProgramData\D467.tmp
    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DDDDD
    Filesize

    147KB

    MD5

    45009dc8c817f5f4e2e89846a61282d7

    SHA1

    82879f86fce8abe9c523533883cc8fba009548c8

    SHA256

    1109a6af31a0742c876c8948a386f10d1af1bd3769510a73acce5b12644c6913

    SHA512

    89c864ef8b69e83717f302c7b05b7e3a1a27a35d270195b3e627e1806dc67c8dbddb09e034a40105f58f80dccfda4948edee7d74b811d8b2aebed2352b74de07

    Download Submit

  • F:\$RECYCLE.BIN\S-1-5-21-2636447293-1148739154-93880854-1000\DDDDDDDDDDD
    Filesize

    129B

    MD5

    081021666f0890c5b10e7d9a371d4be9

    SHA1

    3fd0b7b4bc929a66a0bde1483fa111e7a05ca666

    SHA256

    73d9deb70939c08f8409731a1a01ef373b4da085c5b6110d110357aaec78efaf

    SHA512

    bb6603bc00a5506f2119efb286d7496406a0051bd4369d5c345c81a0613147964edd4be81d56e4852209b3b35a46819d167061ea068ff3d0db12313bed27cf19

    Download Submit

  • memory/3260-2798-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3260-2797-0x000000007FE20000-0x000000007FE21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3260-2796-0x0000000002400000-0x0000000002410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3260-2795-0x0000000002400000-0x0000000002410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3260-2794-0x000000007FE40000-0x000000007FE41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3260-2828-0x000000007FE00000-0x000000007FE01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3260-2827-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4848-0-0x0000000000A90000-0x0000000000AA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4848-1-0x0000000000A90000-0x0000000000AA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4848-2-0x0000000000A90000-0x0000000000AA0000-memory.dmp

    Filesize

    64KB

    Download