Overview

overview

9

Static

static

7

13e574d668...0N.exe

windows7-x64

9

13e574d668...0N.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    120s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/09/2024, 11:47

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    13e574d6685ff01ccce817e7749a6810N.exe

  • Size

    94KB

  • MD5

    13e574d6685ff01ccce817e7749a6810

  • SHA1

    1e59208fa6f94769fd22d37e1256d1b6bcda0c2f

  • SHA256

    23af64e12ea1c46c3bae219a2426266297185a3ed1c564d8d64a2b945964ee6e

  • SHA512

    c13ad18c12b3e3a9725ff9f9b7ff63f0e4c951aca9fd51637d4c2b6a2381f79d928e17b4319038d1a22291fe68b42c4fe326e88faad024c439312349426e1f51

  • SSDEEP

    1536:V7Zf/FAxTWoJJZENTBWv36Gr0ARZF6NFVogjQlRv/Lc:fny1tEevMwUhQ7Xg

Score
9/10
discoveryransomwareupx

Malware Config

Signatures

  • Renames multiple (4619) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13e574d6685ff01ccce817e7749a6810N.exe
    "C:\Users\Admin\AppData\Local\Temp\13e574d6685ff01ccce817e7749a6810N.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:728
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:2616
    • C:\Users\Admin\AppData\Local\Temp\_checksum.exe
      "_checksum.exe"
      2⤵
      • Executes dropped EXE
      PID:3208

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-355097885-2402257403-2971294179-1000\desktop.ini.exe
          Filesize

          58KB

          MD5

          c1fd0ed160081e41da5141ea05c958ad

          SHA1

          aa4736995c7bbb9de2a8f1d507c900bf37c1622f

          SHA256

          6943a27502b98bb5b59f2dea979478b2800102fabdf1142c9a675a235343b5a7

          SHA512

          3691401a17f4b52e4c23c591629674803c3d63ab1758281730e2b6b932a90140027300f8238ba83aa1a62057e222968741aa4ab0086d9a59b52ac1e5778fe610

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\_checksum.exe
          Filesize

          35KB

          MD5

          23f049f14ca0e68af4b9883514791dfe

          SHA1

          1224ecfda221e54d4536a4ac102a56235320ee25

          SHA256

          9562aabe1f71d7ff5ec879fd2fb5cfe4be2c8f62a7fa5a1aa49660c3a495f1fb

          SHA512

          ce91cd089a299ba88f047cf15fd06673389942dabbf8be5bf2e2666e1048bc6da261ce30cae1e2ecb3b50392441a335bf97cc4ed51540554bedabe65590be677

          Download Submit

        • C:\Windows\SysWOW64\Zombie.exe
          Filesize

          58KB

          MD5

          4566e3d6f2ebcc00a301277a5b2fe6c9

          SHA1

          1714f4bfcf9a2f2a7f8bd08151a25fdf0649efc2

          SHA256

          11a9e4402011a909128620ef58301285d228418abee9c33e8998acdb7ee5df43

          SHA512

          b0141eaf9b32a86789c76cd6becc57eaefb00254e4b676d5dd9b2e4eb76a13925ab491491c3c0a35339080d3a3422a6b83c02b32f4bc4c6d40dc92af4031980c

          Download Submit

        • memory/728-0-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/728-25-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/3208-21-0x00007FFF10DE3000-0x00007FFF10DE5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3208-20-0x0000000000C10000-0x0000000000C1E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/3208-28-0x00007FFF10DE0000-0x00007FFF118A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3208-873-0x00007FFF10DE0000-0x00007FFF118A1000-memory.dmp

          Filesize

          10.8MB

          Download