Overview

overview

10

Static

static

3

Project2.exe

windows7-x64

10

Project2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-08-2024 10:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Project2.exe

  • Size

    12KB

  • MD5

    2e098fe6d840861abc61a0b542a0069b

  • SHA1

    e4dd6bb202abb8defa8688fd122e979311a80a0b

  • SHA256

    29c12e35c1942362bdb1e41cc45e65f51ec5f40a0b84c1406b56addf24d814bc

  • SHA512

    46323dbfacb5e67012300b207d8143bdc227f679c37104feefa91e62845457683d63de2de3457359b701e3f919289ef66af1293c8d5c2e9a65312f626f5f3ab2

  • SSDEEP

    96:QQJsYdT/L3YhpwbmTt7YJ/zUce6rsPX0zjQqeZ8CjRdGLj7jPrmFxe3Q5tfcsDJu:QYdTzI3OUe3SkjQxe3Q5tfFDA+Z2

Score
10/10
targetcompanydiscoveryevasionransomware

Malware Config

Extracted

Path

\Device\HarddiskVolume1\HOW TO BACK FILES.txt

Family

targetcompany

Ransom Note
Hello Your data has been stolen and encrypted We will delete the stolen data and help with the recovery of encrypted files after payment has been made Do not try to change or restore files yourself, this will break them We provide free decryption for any 3 files up to 3MB in size on our website How to contact with us: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 2CA393AC719326BB62C427E8 5) You will see chat, payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: [email protected] [email protected] Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. �
URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Signatures

  • TargetCompany,Mallox

    TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.

    ransomwaretargetcompany
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Renames multiple (6532) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Project2.exe
    "C:\Users\Admin\AppData\Local\Temp\Project2.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Users\Public\fkFSqdHI.exe
      C:\Users\Public\fkFSqdHI.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4928
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1648
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {current} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2880
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4080
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {current} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:5064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\H9MX5QVK\1ZPVVCBO.txt
    Filesize

    13B

    MD5

    907326301a53876360553d631f2775c4

    SHA1

    e900c12c18a7295611f3e2234bc68e8dc0501e06

    SHA256

    d5543b3a5715587c9c0993a7f56f3e1ee445af837f62c38f2f3457a2ea8d00c8

    SHA512

    435c1fd96b79b70c370d6f769d44eca3e682404189ff42a6b5718c21bf9dc8358d72c115d68dc25014b8cb9c709af0e64de012103fce687cf4a340fa8f3ea2aa

    Download Submit

  • C:\Users\Public\TargetInfo.txt
    Filesize

    80B

    MD5

    59cebbdc59461b4e1c0047889f57853e

    SHA1

    d5d7bbfb2e72ee8a052ad71d93f6cd757c65e1d0

    SHA256

    43c21971a53bd5db73dd7f2df7c721444966b4a3777301fe1a5c0e7e9f7dcc34

    SHA512

    4d4d546aa620e0151233f29382dd4b7f1e2d89f80ce643a6b0cab4ad4fbcb8f610e2169eea0547642b7ff44d56f4f805ad4da5b27e28ab1fb4b151cadeea4071

    Download Submit

  • C:\Users\Public\fkFSqdHI.exe
    Filesize

    484KB

    MD5

    0aab6bab5024b02b33b3a1ab6403a63b

    SHA1

    042571a56c890ec611c626602573dba953155512

    SHA256

    d6e3f6e93f95b70c8d5c4721cc1dbe09e9ae5eaa4b5a0fb7da1e1206ab601d0b

    SHA512

    2470de2c1ba96989bab3a61c96e8dbedc1b51ca72def312cd352a21e1abd5b4b003e624079241948c978fd51e0c1842eb56c931ffb4c34609b531e274cc7d07e

    Download Submit

  • \Device\HarddiskVolume1\HOW TO BACK FILES.txt
    Filesize

    1KB

    MD5

    9590ae7df564e8ac48597410afec08d3

    SHA1

    4e36234684c0eb7cf9767089edeb03c0a28223b1

    SHA256

    e8e1a8e68d21ed670071bce211473eaa0894202a886fadded05a2391510dbf87

    SHA512

    f33217457ccb3ab9b5e5ac3d59698bf3fa25e6f9363cdaf5a8e9a25122600b7f92ef9dba704cf86b922a08910d919e338dd96593af226273a1f0b24ee764427e

    Download Submit

  • memory/2628-1-0x0000017F92390000-0x0000017F923F2000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2628-0-0x0000017F92400000-0x0000017F92872000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2628-2-0x0000017F923A0000-0x0000017F923A2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2628-3-0x0000017F923B0000-0x0000017F923B9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2628-4-0x0000017F923B0000-0x0000017F923B9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2628-1577-0x0000017F923B0000-0x0000017F923B9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2628-3644-0x0000017F92390000-0x0000017F923F2000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2628-11909-0x0000017F92390000-0x0000017F92395000-memory.dmp

    Filesize

    20KB

    Download