Resubmissions

11-12-2024 15:32

241211-sy44nssrdm 10

09-08-2024 21:57

240809-1t1vfs1cpm 10

06-08-2024 13:01

240806-p9f97szdlm 10

06-08-2024 12:52

240806-p3672stdkg 10

06-08-2024 12:29

240806-ppa8fsygqr 10

06-08-2024 12:26

240806-pmc92ashlh 10

Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-08-2024 21:57

General

  • Target

    1/0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe

  • Size

    146KB

  • MD5

    2357ecbcf3b566c76c839daf7ecf2681

  • SHA1

    89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58

  • SHA256

    0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305

  • SHA512

    bb5630ae44e684f2dfc74478c57bf97a94045501a64022d563e87f2a60d777307cab2b5a14e6764d25a2fd1f27901624c1ee76ca551d5a5e3a21abc4befef401

  • SSDEEP

    3072:V6glyuxE4GsUPnliByocWepo2NVLiguo/pyEwUS:V6gDBGpvEByocWeauV2gvzwU

Malware Config

Extracted

Path

C:\7V7uPExzv.README.txt

Ransom Note
~~~NULLBULGE LOCK - BASED ON LOCKBIT~~~ >>>> Your data is encrypted... but dont freak out If we encrypted you, you majorly fucked up. But... all can be saved But not for free, we require an xmr payment >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption. Life is too short to be sad. Dont be sad money is only paper. Your files are more important than paper right? If we do not give you decrypter then nobody will pay us in the future. To us, our reputation is very important. There is no dissatisfied victim after payment. >>>> You may contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait a while Links for Tor Browser: http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/ Link for the normal browser http://group.goocasino.org https://nullbulge.com >>>> Your personal DECRYPTION ID: 217B9D5D58C4AD3C1A2E0C1963505526 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
URLs

http://nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion/

http://group.goocasino.org

https://nullbulge.com

Signatures

  • Renames multiple (605) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1\0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe
    "C:\Users\Admin\AppData\Local\Temp\1\0fb86a8ba8fdf57990c283080a671c1320cbcdfd0e8b5f5a250d9c38a6fce305.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:3564
    • C:\ProgramData\C7A6.tmp
      "C:\ProgramData\C7A6.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C7A6.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3168
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:4776
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:556
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{C18A4F2D-5382-4069-B148-7AFDF8228AC4}.xps" 133677142744290000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2604

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-786284298-625481688-3210388970-1000\GGGGGGGGGGG

      Filesize

      129B

      MD5

      f24a6af058aa1e16acf199bfdb9c50fe

      SHA1

      cabbbbc01e73f4469c71feffc0d3a85aed0c6c23

      SHA256

      2f181fabaedeeeacd0256943928ee91ee9f86d969c3713c037ad8445e5db2d0a

      SHA512

      5a7bf658a1fe2f025117486ec5cfce01bec033b4477452e2d001c3f760d2b183ed1fd92762d9b8b8fb6e51c6d711b47a37808f184f27e2af4c8faa80c8c8fa5a

    • C:\7V7uPExzv.README.txt

      Filesize

      1KB

      MD5

      637c0fbd50521f0b18e3f0a4fab0ce14

      SHA1

      9012a3c9387c5af96a831b6ae6313b07406f3700

      SHA256

      f129ddae4ee989df352ca24de3bc1b0ee669e622e185f451ff8fc2f8aedc8834

      SHA512

      a3d490e40516dbf4c3399db73da46a602608033af99a13301aae274c91922bd470fb0cde2d27b8d978b39a4e57a65cff1a160f4abe5d5cad0bea09f3be9cc00c

    • C:\ProgramData\C7A6.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{C18A4F2D-5382-4069-B148-7AFDF8228AC4}.xps

      Filesize

      12.9MB

      MD5

      3e96e3ecef54036d5a2e23690af59991

      SHA1

      87c142223d4012358434299b2ed3db36804e3d32

      SHA256

      c50bbbd1f95105085614baa66112d183f3b81cc1d9315b70d5c1bbe3e1d8f204

      SHA512

      c7f3e05be86de70b7fc201a05ee1db8ddd6a9723f03a1904ea173e2281477d1d5dc2079788b9963e550b5ac68a76f753653edaaf9d870d1696dfcce292847b7f

    • C:\Users\Admin\AppData\Local\Temp\1\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE

      Filesize

      146KB

      MD5

      b359141d3552f5df9b9b5923e0e5471a

      SHA1

      240caca787b0f786b646fac33ecdb08f6f08219c

      SHA256

      2ee54d8e483846f0cb2e45db4dc4c5a0da5bca73d0cdaa7ac353e126e625bb5d

      SHA512

      5bec58fb37182ff8bb3de9d8827936b0384ea489e90a6a12222c89fbee53d87e208cf64408d047e73f76d8510e9d8a888bd027999fc516eff2e342484b4b545e

    • C:\Users\Admin\AppData\Local\Temp\{3DAC844E-D88A-4326-B1CA-4C44E768A4DF}

      Filesize

      4KB

      MD5

      62a0f7a446e083528ce2cfc5ea081756

      SHA1

      b3a11a12e3e806b631525c8c3c9f2995bf131258

      SHA256

      d5db56de5fe3a80243629936823c302e42f98872484b1fbaa70315bf7e946261

      SHA512

      8efdaa3ada5ec4ce2ff23deeb01978a47a458202c078d7d5c8534936de6dac76677a1651993c88e2907b5f7df4e05455fa1b8c0f39917b59ba571534714b1a3a

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

      Filesize

      16B

      MD5

      d29962abc88624befc0135579ae485ec

      SHA1

      e40a6458296ec6a2427bcb280572d023a9862b31

      SHA256

      a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

      SHA512

      4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • F:\$RECYCLE.BIN\S-1-5-21-786284298-625481688-3210388970-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      b7575dd0b0b3e5abd4b8d1f09cf58b9b

      SHA1

      f83639d1c7f0ef01459819632f93e06ba2199367

      SHA256

      637c72956d48e6986882989095a26f7c8dbebd69cefa7a92e06d7d55e3e08373

      SHA512

      f64a0c48febf6086618fa6ca8d1e317373dd9b31cf88e06038d1b71c819a542d119fac73c445b20fa44af8104656279b35539501b6cccc96c9bb3796272cccaa

    • memory/2316-0-0x0000000002B60000-0x0000000002B70000-memory.dmp

      Filesize

      64KB

    • memory/2316-1-0x0000000002B60000-0x0000000002B70000-memory.dmp

      Filesize

      64KB

    • memory/2316-2-0x0000000002B60000-0x0000000002B70000-memory.dmp

      Filesize

      64KB

    • memory/2604-2810-0x00007FFBC0130000-0x00007FFBC0140000-memory.dmp

      Filesize

      64KB

    • memory/2604-2809-0x00007FFBC0130000-0x00007FFBC0140000-memory.dmp

      Filesize

      64KB

    • memory/2604-2812-0x00007FFBC0130000-0x00007FFBC0140000-memory.dmp

      Filesize

      64KB

    • memory/2604-2811-0x00007FFBC0130000-0x00007FFBC0140000-memory.dmp

      Filesize

      64KB

    • memory/2604-2841-0x00007FFBBD980000-0x00007FFBBD990000-memory.dmp

      Filesize

      64KB

    • memory/2604-2842-0x00007FFBBD980000-0x00007FFBBD990000-memory.dmp

      Filesize

      64KB

    • memory/2604-2806-0x00007FFBC0130000-0x00007FFBC0140000-memory.dmp

      Filesize

      64KB