Resubmissions

11-12-2024 15:32

241211-sy44nssrdm 10

09-08-2024 21:57

240809-1t1vfs1cpm 10

06-08-2024 13:01

240806-p9f97szdlm 10

06-08-2024 12:52

240806-p3672stdkg 10

06-08-2024 12:29

240806-ppa8fsygqr 10

06-08-2024 12:26

240806-pmc92ashlh 10

Analysis

  • max time kernel
    12s
  • max time network
    27s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-08-2024 13:01

General

  • Target
    1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
  • Size
    146KB
  • MD5
    2357ecbcf3b566c76c839daf7ecf2681
  • SHA1
    89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58
  • SHA256
    0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305
  • SHA512
    bb5630ae44e684f2dfc74478c57bf97a94045501a64022d563e87f2a60d777307cab2b5a14e6764d25a2fd1f27901624c1ee76ca551d5a5e3a21abc4befef401
  • SSDEEP
    3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS:V6gDBGpvEByocWeauV2gvzwU

Malware Config

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note

~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~
>>>> Your data is encrypted... but dont freak out
If we encrypted you, you majorly fucked up. But... all can be saved
But not for free, we require an xmr payment
>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money.
If you pay, we will provide you the programs for decryption.
Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right?
If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment.
>>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID
Download and install TOR Browser https://www.torproject.org/
Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while
Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/
Link for the normal browser http://group.goocasino.org https://nullbulge.com
>>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3CF4FE678D504A3DDC
>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!

URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Signatures

  • Renames multiple (339) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1\0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
    "C:\Users\Admin\AppData\Local\Temp\1\0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\ProgramData\F2D7.tmp
      "C:\ProgramData\F2D7.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F2D7.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2958949473-3205530200-1453100116-1000\BBBBBBBBBBB
    Filesize
    129B
    MD5
    728cccf8367ac9838a97585caec41e11
    SHA1
    9655b4582631755a679ba4b54d8043ea66559ae5
    SHA256
    6a625ff9c0e7d7370932cc6297876f54092b5e6ca9c260bed89e0f10c019c29a
    SHA512
    6ca835d969e5ee74ef7d824186171612471c7638bf32371ce5e2e6e9cd5b787c486fa3f0f8f8c34904104df633c1e77036b0f73bdf975343b14c532c54622950

  • C:\7V7uPExzv.README.txt
    Filesize
    1KB
    MD5
    2f5b320fea9f951f10bee81a5a319245
    SHA1
    379757993f929d40ec21b1b0f7b5d68293f03842
    SHA256
    075a29694478bb1f3f7a07b7c5c5e1e08269509b6c024576cbd4ea15725f7e0c
    SHA512
    1848c5755684b29f31eeaa59d7bd39b30cca736d59b188fa82962e618b92f4c3d0929e1d720dded3c3fba3e3516d51d90c2d22d24327aff772f85e33be49a8d2

  • C:\Users\Admin\AppData\Local\Temp\1\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
    Filesize
    146KB
    MD5
    4b56e6d1a5e9bf4c7b048d922a9535b3
    SHA1
    4fcd6a9a3583e784bb9248b4855e2940ce6b86a3
    SHA256
    58e93ee03c9e8de49296d0d42c46978d67a267317c9c9fe492f7c138d9df625f
    SHA512
    b4f46d0d5100c7c6004c85c94b0d123b11f7e0fc4ed1db8a599575131789e063293aab89bb5c72d050e5d75dc86cd89ee06d1c9af70249fc3ab5610da4921a4f

  • F:\$RECYCLE.BIN\S-1-5-21-2958949473-3205530200-1453100116-1000\DDDDDDDDDDD
    Filesize
    129B
    MD5
    46b6cb052cc964f38b7d2f1c1c1978ae
    SHA1
    5bcf198031a9c35e9375f84e233c6af6b1f14b44
    SHA256
    b3bdae57eb1333bec586323a5225104cc32e7f6c818a1f2f00309c75e4f43b2f
    SHA512
    40287dc60e66dd2b8294691aac5a204522decb47eeda64188e353972ffef18e060ae2080de87a40cb596923f6cf1c0ac95781a3401d6261518f0166a92946f7c

  • \ProgramData\F2D7.tmp
    Filesize
    14KB
    MD5
    294e9f64cb1642dd89229fff0592856b
    SHA1
    97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256
    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512
    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • memory/1660-874-0x0000000000401000-0x0000000000404000-memory.dmp
    Filesize
    12KB

  • memory/1660-876-0x0000000000400000-0x0000000000407000-memory.dmp
    Filesize
    28KB

  • memory/1744-0-0x00000000020C0000-0x0000000002100000-memory.dmp
    Filesize
    256KB