Overview

overview

10

Static

static

1

20240904f3...re.exe

windows7-x64

10

20240904f3...re.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/09/2024, 13:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20240904f35b78f97f2b31cc26eabd0c1a2cf2efbkransomware.exe

  • Size

    1.4MB

  • MD5

    f35b78f97f2b31cc26eabd0c1a2cf2ef

  • SHA1

    75b50eed16180e7de405a3f636b31f35adfb2f39

  • SHA256

    aa646f07e89ee8923523aab6c25d88612fa6e1f4802c7f7af212c5bbc5a60500

  • SHA512

    92ce90cfd0f9c63e6171c810c2dc2864b33a75185be938ebc192220cd97880cff29d660d3a58a2cab4ff2313141f0c614a7a8d528c6e9a654e0e2f67061940a9

  • SSDEEP

    24576:E30mJ529+RipvL1SXk1QE1RGOTnIEQc4au9NgxnHNnHTfEEClkR:EE/9+ApwXk1QE1RzsEQPaxHNHTfEJ2

Score
10/10
discoveryevasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20240904f35b78f97f2b31cc26eabd0c1a2cf2efbkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\20240904f35b78f97f2b31cc26eabd0c1a2cf2efbkransomware.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 320
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2168

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\autorun.inf
    Filesize

    126B

    MD5

    163e20cbccefcdd42f46e43a94173c46

    SHA1

    4c7b5048e8608e2a75799e00ecf1bbb4773279ae

    SHA256

    7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

    SHA512

    e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

    Download Submit

  • C:\zPharaoh.exe
    Filesize

    157KB

    MD5

    1dab265dd1ac51bd097cc9f394ae53ae

    SHA1

    59e3f8f9d034e928f97cdb12bf237e89dbfe4903

    SHA256

    0a5ecf9ea78f3e9ce903eb9e26b7b431af82bddbabd946d72eb27f2851fd9928

    SHA512

    73dcf598c6a4e54a92699094fa642124ed65245cf9276c44f924f6a75bf79c1c6b423476a0991546661dae6cf6155fdc806b9e2e80183ad9dca6ee197aebd2ba

    Download Submit

  • F:\zPharaoh.exe
    Filesize

    157KB

    MD5

    fd07a18e76290f3067ac12c66d959736

    SHA1

    04d88210fcc0c1e5ccf459b0eedf27baaeb98071

    SHA256

    405b9b23e535cb1d6a691374fca8873bf830d385f580153d68545b6c22393e31

    SHA512

    3b97603dffd3fcec559b646410ab8ea12d3c72756a4be90ebc8ad2498030f63334f84cb23abf51bc6d4c1e2b7f7f5b6c435c0c351a148a73671875646aab2813

    Download Submit

  • \Users\tazebama.dl_
    Filesize

    157KB

    MD5

    100394180aae34fdc4797513e7b14b83

    SHA1

    f58f7f2b653745426c9582bf1e9632be420938af

    SHA256

    62c32d8bf5b74a02bdf40a93b2ff8be46325ea622463706bf389d82bbc9c42be

    SHA512

    905b11ad00572b61cb5f7e9bac9b13172e4527c90dd2588813d6b58ac58416e8bfeddc6ef068bdeb16e08ba8591670a70a9327ea4f4a13029d4cf407402899aa

    Download Submit

  • \Users\tazebama.dll
    Filesize

    32KB

    MD5

    b6a03576e595afacb37ada2f1d5a0529

    SHA1

    d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

    SHA256

    1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

    SHA512

    181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

    Download Submit

  • memory/1812-13-0x0000000000250000-0x0000000000268000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1812-14-0x0000000000416000-0x0000000000422000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1812-12-0x0000000000250000-0x0000000000268000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1812-15-0x0000000000400000-0x000000000054B000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1812-3-0x0000000000400000-0x000000000054B000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1812-49-0x0000000000400000-0x000000000054B000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3060-16-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3060-50-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download