Overview

overview

10

Static

static

3

Project2.exe

windows7-x64

10

Project2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    05-08-2024 10:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Project2.exe

  • Size

    12KB

  • MD5

    2e098fe6d840861abc61a0b542a0069b

  • SHA1

    e4dd6bb202abb8defa8688fd122e979311a80a0b

  • SHA256

    29c12e35c1942362bdb1e41cc45e65f51ec5f40a0b84c1406b56addf24d814bc

  • SHA512

    46323dbfacb5e67012300b207d8143bdc227f679c37104feefa91e62845457683d63de2de3457359b701e3f919289ef66af1293c8d5c2e9a65312f626f5f3ab2

  • SSDEEP

    96:QQJsYdT/L3YhpwbmTt7YJ/zUce6rsPX0zjQqeZ8CjRdGLj7jPrmFxe3Q5tfcsDJu:QYdTzI3OUe3SkjQxe3Q5tfFDA+Z2

Score
10/10
cobaltstriketargetcompanybackdoorevasionransomwaretrojan

Malware Config

Extracted

Path

C:\HOW TO BACK FILES.txt

Family

targetcompany

Ransom Note
Hello Your data has been stolen and encrypted We will delete the stolen data and help with the recovery of encrypted files after payment has been made Do not try to change or restore files yourself, this will break them We provide free decryption for any 3 files up to 3MB in size on our website How to contact with us: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 1D074FC2E748BAA03A2E3E4E 5) You will see chat, payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: [email protected] [email protected] Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. �
URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • TargetCompany,Mallox

    TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.

    ransomwaretargetcompany
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (7236) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Project2.exe
    "C:\Users\Admin\AppData\Local\Temp\Project2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Users\Public\fkFSqdHI.exe
      C:\Users\Public\fkFSqdHI.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2800
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2772
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {current} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2892
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2464
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {current} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2712

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\HOW TO BACK FILES.txt
    Filesize

    1KB

    MD5

    238e44aa7c7079f6700b2da4301b72f8

    SHA1

    357fca9c0374c64103580cf4c6ba9600b02541b8

    SHA256

    18d42b77456dcd8991cc3e80c02532a2d1f389e6eeec804d41068c520aab319c

    SHA512

    44475c6c091444c6f1e676dd091a068f865fef46f632caf05d6404a0a67dc70a25bb87a5b0577f841a0f7bc218d11d043bb34f9c6eb9636a356ff078538f9569

    Download Submit

  • C:\Users\Public\TargetInfo.txt
    Filesize

    84B

    MD5

    46ec5e5765bfea48c4f3384daade4051

    SHA1

    9c3ddbb1b32df22d7a28a01240a06907d081e739

    SHA256

    18b33e7c2b477ee114e5b6f6f2ce73131021856b9479ec3b30479982ee95907b

    SHA512

    ef5192f70e2bf49ac69e233f304c3ad7433b41a5764c8bc71eec14e51e8897c96eb451502983d98028cd7b4938b6f2933be6edd508d0f406fed467be99e0c557

    Download Submit

  • \Users\Public\fkFSqdHI.exe
    Filesize

    484KB

    MD5

    0aab6bab5024b02b33b3a1ab6403a63b

    SHA1

    042571a56c890ec611c626602573dba953155512

    SHA256

    d6e3f6e93f95b70c8d5c4721cc1dbe09e9ae5eaa4b5a0fb7da1e1206ab601d0b

    SHA512

    2470de2c1ba96989bab3a61c96e8dbedc1b51ca72def312cd352a21e1abd5b4b003e624079241948c978fd51e0c1842eb56c931ffb4c34609b531e274cc7d07e

    Download Submit

  • memory/2980-1-0x00000000001D0000-0x0000000000232000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2980-0-0x0000000000360000-0x00000000007D2000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2980-2-0x0000000000210000-0x0000000000212000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2980-3-0x0000000000220000-0x0000000000229000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2980-4-0x0000000000220000-0x0000000000229000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2980-1092-0x00000000001D0000-0x0000000000232000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2980-4450-0x0000000000220000-0x0000000000229000-memory.dmp

    Filesize

    36KB

    Download