Overview

overview

10

Static

static

1

2024090715...re.exe

windows7-x64

10

2024090715...re.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    07/09/2024, 10:50

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    202409071570e083f752001536b68694ef464704bkransomware.exe

  • Size

    1.4MB

  • MD5

    1570e083f752001536b68694ef464704

  • SHA1

    ff45e1727d3146f61c8cd437fee9d9ccc3c5d057

  • SHA256

    b6123559a74d83caabc9c15508c32afe5e202800ab8056896fd9cd2a9bf03fb1

  • SHA512

    18a0e118b015c8d908180e65816318918de96a22cce17194976ade6e9b23dfaca318214a7dd7cb47ede0f76d80695553dad51e144b7c59b0b2b399a1b8033646

  • SSDEEP

    24576:E30XJ529+RipvL1SXk1QE1RGOTnIEQc4au9NgxnHNnkv+IFT5:EEW9+ApwXk1QE1RzsEQPaxHN8n

Score
10/10
discoveryevasion

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\202409071570e083f752001536b68694ef464704bkransomware.exe
    "C:\Users\Admin\AppData\Local\Temp\202409071570e083f752001536b68694ef464704bkransomware.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2464

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\autorun.inf
          Filesize

          126B

          MD5

          163e20cbccefcdd42f46e43a94173c46

          SHA1

          4c7b5048e8608e2a75799e00ecf1bbb4773279ae

          SHA256

          7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e

          SHA512

          e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

          Download Submit

        • C:\zPharaoh.exe
          Filesize

          151KB

          MD5

          c19ee7b4445fd7908e3aa6e9315d8fa7

          SHA1

          8a84d570e8e10307b179a490fa5568d78891b737

          SHA256

          6c835bca7c361fed304fef525272a0c815f1b856268cad56e2d6413c5363ccb7

          SHA512

          77b055d55f2aa4507e3cc00e375355fd27b7f874e067e7fbf8632b02c3edb23f76abdd80321aa3cd1cfb43b546606ac2c40abbd2742079a7c1c69683e5cc9847

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\RCX66D0.tmp
          Filesize

          69KB

          MD5

          8ba404e90194c38541e324657e72f74c

          SHA1

          ad9fda28f95b7747579a7fbb8a18e1d1e6311a49

          SHA256

          8145e4c62390f9c55343cc6dadb790dc2cb9463c4f578fa57bf43f12c4720340

          SHA512

          1f594ebb6b970c9cb86b97d642351106a52db407c6e90db7391b50e97a1136e5ba13aeec66c9b985192c377d8c5c70d3746a00f37bcc83855fea316cf8d82362

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\S-1-5-21-1506706701-1246725540-2219210854-1000 .exe
          Filesize

          151KB

          MD5

          f74b0bbe97e28921bd75b928f2ebab0a

          SHA1

          6b9f8230f7383e0509d00a51fa58d0b1a8ce6c30

          SHA256

          dc65c5c6c0e98412e50ba9d442393277160f8a0ae10c3ff10377bc5f2082bb08

          SHA512

          d078f856a0074db0268b1fbb151c112057688f6d044d2efdf06028b885a8146a75736cad81c5059ed6ecc3e75a1e80b8cd519727aaeffcadf62ac049aaccccb5

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-1506706701-1246725540-2219210854-1000\WinrRarSerialInstall.exe
          Filesize

          151KB

          MD5

          07abf57e6e8aba5cab5b00d587607bc3

          SHA1

          923771805d806dd74a4079fcdb67f8d18f2f1d39

          SHA256

          617e1278e0c2979ced0b0f22ffd7bc5a4753d947d7bc6574e8881090647767b5

          SHA512

          fc26fd5d36e4958ef67330a744487de3fdef4c802ebee822ab51a88ae5ecd98165052a3672e4c16f4f56277429105c910c47eb5020eb697c9995c3b592c5327b

          Download Submit

        • F:\zPharaoh.exe
          Filesize

          151KB

          MD5

          fd7933969bf2b506c9675e5077c4d0a1

          SHA1

          8cf2ef70b5bc8d16892b75d6c922566e2659da61

          SHA256

          32cad49bfbc2198318d4719f09068f6878fab06d4df140a49540f18e8cb44b02

          SHA512

          612d3a9150088609169e6fc751116edc41e8b0ece6a608c6876eb202fb7f8902b21eaa155717e52512f4fbadba9b6f96e803868f8914de5757ef57e40a51aa0d

          Download Submit

        • \Users\tazebama.dl_
          Filesize

          151KB

          MD5

          330bf7399c385ca93a53f90e1ea5e2c7

          SHA1

          9fa1fb65691848277297f91c930bf1032961111d

          SHA256

          253d47febe50818b80646d16bd64e99db90e411dce0c677b5c5687e188c278c8

          SHA512

          6023ff5680fb59284fed819fac0cb43aa065957336f0c47eab8b6ad81968e8a0a21b4cfb9384678138c2f1927c7cdb937902388ccd720ee264def94bbabc813a

          Download Submit

        • \Users\tazebama.dll
          Filesize

          32KB

          MD5

          b6a03576e595afacb37ada2f1d5a0529

          SHA1

          d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

          SHA256

          1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

          SHA512

          181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

          Download Submit

        • memory/2464-30-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2464-506-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2856-1-0x0000000000400000-0x000000000054B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2856-16-0x0000000000400000-0x000000000054B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2856-12-0x0000000000290000-0x00000000002A6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2856-13-0x0000000000290000-0x00000000002A6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/2856-14-0x0000000000416000-0x0000000000422000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2856-116-0x0000000000400000-0x000000000054B000-memory.dmp

          Filesize

          1.3MB

          Download