Analysis

  • max time kernel
    150s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/08/2024, 05:31

General

  • Target

    d67b69a0bf734abe727ee7230ebbf11963fb1dbfb735b3c6a8999c96a3ae4816.exe

  • Size

    486KB

  • MD5

    7e912cdb25fb72e44c27eee361e27297

  • SHA1

    c83e37b1516d42cdc7ea9299d1dd497efad86eac

  • SHA256

    d67b69a0bf734abe727ee7230ebbf11963fb1dbfb735b3c6a8999c96a3ae4816

  • SHA512

    2341f31e622c6e2677424e6411f2b5ce9f1c7cd4a2a51262b864ccdbd143cfae712872f9c2951ba88d644eda14fe067a1df5ba3da2953f5666b2675ca7d64708

  • SSDEEP

    12288:Z0md3/94A2p8GnqZycIr+VtKzvFWOC3aEX92:Zx/WnSyhbzv8O0w

Score
9/10

Malware Config

Signatures

  • Renames multiple (5172) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (1 IoC)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory (2 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d67b69a0bf734abe727ee7230ebbf11963fb1dbfb735b3c6a8999c96a3ae4816.exe
    "C:\Users\Admin\AppData\Local\Temp\d67b69a0bf734abe727ee7230ebbf11963fb1dbfb735b3c6a8999c96a3ae4816.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:4880
    • C:\Users\Admin\AppData\Local\Temp\_vcredist_x86.exe
      "_vcredist_x86.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3792
      • C:\Users\Admin\AppData\Local\Temp\_vcredist_x86.exe
        "C:\Users\Admin\AppData\Local\Temp\_vcredist_x86.exe" -burn.unelevated BurnPipe.{F3317EB4-F74C-4CD2-9ED9-492B063821F7} {07038652-E07F-4791-B159-C74C1B44A3A1} 3792
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2204

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2951562807-3718269429-4208157415-1000\desktop.ini.exe

    Filesize

    43KB

    MD5

    9a684b88e9e08b5afc88ea9a9e8bf7eb

    SHA1

    641ad152e3889e0300836e933da7200ff803ce08

    SHA256

    be69e8a2d83a9a239570498d645937d54cba34fb06cdb763ec9604d9bbf71bd7

    SHA512

    d66176a264f1caa7ef72cf11f39fd2114dbb26c18513ca3057e92956079d7bd21dfc3176f39448dcbbe39e2aaeb7dac80f5082f24bd2d681e1df01bc811d42ca

  • C:\Users\Admin\AppData\Local\Temp\_vcredist_x86.exe

    Filesize

    443KB

    MD5

    39e2f79a5becdc5ffdf17003402c2f82

    SHA1

    7d2c053093cedf3e4b556628b3d8192275b983a8

    SHA256

    76583dd73769247f3ee4b1a74dfca1dd9792c74aaa246c324f97201c34ed1a5a

    SHA512

    2f4fba7ec629275f0cc64587d885ca9c1d8b5fb6e968b98b7307be93d6cf02a56871b8cc04990a3939ccb5b5840cf55b6a2f5093b3ee0c4d4cc72a996e6d343b

  • C:\Users\Admin\AppData\Local\Temp\{95716cce-fc71-413f-8ad5-56c2892d4b3a}\.ba1\logo.png

    Filesize

    1KB

    MD5

    d6bd210f227442b3362493d046cea233

    SHA1

    ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

    SHA256

    335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

    SHA512

    464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

  • C:\Users\Admin\AppData\Local\Temp\{95716cce-fc71-413f-8ad5-56c2892d4b3a}\.ba1\wixstdba.dll

    Filesize

    126KB

    MD5

    d7bf29763354eda154aad637017b5483

    SHA1

    dfa7d296bfeecde738ef4708aaabfebec6bc1e48

    SHA256

    7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93

    SHA512

    1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

  • C:\Windows\SysWOW64\Zombie.exe

    Filesize

    42KB

    MD5

    61e790b0ac1d69d204f95a40f2f8e2b6

    SHA1

    65bcef81df0547bb1420a1beef725f1767b5f3bd

    SHA256

    aa3617d45cb9858fbf90b82550121bd85fd0d416b035f71471a5aa68e77e9703

    SHA512

    cb3b9c3f0f1a6c292582c58228cbf8bff634d33258acfc926ae609e5f1f552b4b325c32ce57fcf3936eabd656c4ead21d57b879ba317df4e48c7c91e2915100f