247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 04:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe
Size

12.6MB
MD5

a630c6b79e557bdcceb0e240b5cdb8d5
SHA1

278efad96ceb7cc32a5189fb805929f591dc8623
SHA256

247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f
SHA512

fec9b04539bbf07d7a8f56986850a749ca232d7f49bbcf44f198fb88571642a2df9beadaf99238475a33faaffc298ed6668e3874d6893d6059d80f5cbdaa5480
SSDEEP

393216:ADKcWpZEwAxn0lS3bvj5E28AlPqGYS9EMaiTQHmRNt:ADKciZEjL3bvj5EzA5JaMaiTQH2t

Score

9^/10

defense_evasion discovery evasion ransomware vmprotect

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2552	bcdedit.exe

Deletes itself 1 IoCs

pid	Process
2784	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1852	oHNZGJJtzW.exe

Loads dropped DLL 4 IoCs

pid	Process
2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe
1852	oHNZGJJtzW.exe
1852	oHNZGJJtzW.exe
1852	oHNZGJJtzW.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0004000000005c51-4.dat	vmprotect
behavioral1/memory/1852-14-0x0000000000400000-0x0000000001C24000-memory.dmp	vmprotect
behavioral1/memory/1852-33-0x0000000000400000-0x0000000001C24000-memory.dmp	vmprotect
behavioral1/memory/1852-47-0x0000000000400000-0x0000000001C24000-memory.dmp	vmprotect

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1852	oHNZGJJtzW.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\debug\ml.txt	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe
File created	C:\Windows\debug\ml2.txt	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oHNZGJJtzW.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1512	taskkill.exe
1928	taskkill.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe
2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe
1852	oHNZGJJtzW.exe
2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe
2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe
2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe
2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe
2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe
2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe
2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe
2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe
2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe
2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe
2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe
1852	oHNZGJJtzW.exe
1852	oHNZGJJtzW.exe
1852	oHNZGJJtzW.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2380	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	31
PID 2360 wrote to memory of 2380	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	31
PID 2360 wrote to memory of 2380	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	31
PID 2360 wrote to memory of 2380	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	31
PID 2360 wrote to memory of 2380	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	31
PID 2360 wrote to memory of 2380	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	31
PID 2360 wrote to memory of 2380	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	31
PID 2360 wrote to memory of 2232	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	32
PID 2360 wrote to memory of 2232	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	32
PID 2360 wrote to memory of 2232	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	32
PID 2360 wrote to memory of 2232	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	32
PID 2360 wrote to memory of 2232	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	32
PID 2360 wrote to memory of 2232	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	32
PID 2360 wrote to memory of 2232	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	32
PID 2380 wrote to memory of 2528	2380	cmd.exe	35
PID 2380 wrote to memory of 2528	2380	cmd.exe	35
PID 2380 wrote to memory of 2528	2380	cmd.exe	35
PID 2380 wrote to memory of 2528	2380	cmd.exe	35
PID 2528 wrote to memory of 2552	2528	cmd.exe	36
PID 2528 wrote to memory of 2552	2528	cmd.exe	36
PID 2528 wrote to memory of 2552	2528	cmd.exe	36
PID 2360 wrote to memory of 1852	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	37
PID 2360 wrote to memory of 1852	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	37
PID 2360 wrote to memory of 1852	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	37
PID 2360 wrote to memory of 1852	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	37
PID 2360 wrote to memory of 1852	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	37
PID 2360 wrote to memory of 1852	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	37
PID 2360 wrote to memory of 1852	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	37
PID 2360 wrote to memory of 2784	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	38
PID 2360 wrote to memory of 2784	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	38
PID 2360 wrote to memory of 2784	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	38
PID 2360 wrote to memory of 2784	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	38
PID 2360 wrote to memory of 2784	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	38
PID 2360 wrote to memory of 2784	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	38
PID 2360 wrote to memory of 2784	2360	247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe	38
PID 2784 wrote to memory of 1512	2784	cmd.exe	40
PID 2784 wrote to memory of 1512	2784	cmd.exe	40
PID 2784 wrote to memory of 1512	2784	cmd.exe	40
PID 2784 wrote to memory of 1512	2784	cmd.exe	40
PID 2784 wrote to memory of 1512	2784	cmd.exe	40
PID 2784 wrote to memory of 1512	2784	cmd.exe	40
PID 2784 wrote to memory of 1512	2784	cmd.exe	40
PID 2784 wrote to memory of 1928	2784	cmd.exe	42
PID 2784 wrote to memory of 1928	2784	cmd.exe	42
PID 2784 wrote to memory of 1928	2784	cmd.exe	42
PID 2784 wrote to memory of 1928	2784	cmd.exe	42
PID 2784 wrote to memory of 1928	2784	cmd.exe	42
PID 2784 wrote to memory of 1928	2784	cmd.exe	42
PID 2784 wrote to memory of 1928	2784	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe
"C:\Users\Admin\AppData\Local\Temp\247a5078b0ed9f048a02c52a9390b47aece84829f40c7e6060035bbb73524e9f.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c c:\windows\sysnative\cmd /c bcdedit.exe /set {current} nx AlwaysOff
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2380
- - \??\c:\windows\system32\cmd.exe
    c:\windows\sysnative\cmd /c bcdedit.exe /set {current} nx AlwaysOff
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {current} nx AlwaysOff
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\2344857676"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2232
- C:\Users\Admin\AppData\Local\Temp\oHNZGJJtzW.exe
  "C:\Users\Admin\AppData\Local\Temp\oHNZGJJtzW.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\259457758.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /pid 2360 -f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /pid 2360 -f
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\259457758.bat

Filesize
288B

MD5
f8ad67e264422c83f2cbb46a73fdd884

SHA1
f63462c665e330368a3d39525c9559557c7b9076

SHA256
83807920b3df8e5cfed8f0be02514e4d1c606ea33b7d065f98ebc556a6fa711e

SHA512
14e2142ba2ab9c53e126ab171e78c1add0a455d1ec21018ed100d4b3f86809fad636a12d1bdad6cacf518a2955dc647a75e40a0a91037f2f76e0ee5c160860ab

Download Submit
\Users\Admin\AppData\Local\Temp\oHNZGJJtzW.exe

Filesize
11.7MB

MD5
ceb93780a823b83f6100920733524e23

SHA1
0aebfd81055ba2061ded35db87196923474ca9eb

SHA256
9eb791c22e2b4dd4974652282e195472c5432a405cfc07e45cbe0a6363274751

SHA512
3cb6a7331fd3bcf4492218b0a007e506a9ecdf450045f0708036c32277edafa4946b8aca42f10a193b82ed2c18b0ddb8e89a827ffc4f2ba0a29b83ad571473d4

Download Submit
memory/1852-27-0x00000000774F0000-0x00000000774F1000-memory.dmp

Filesize
4KB

Download
memory/1852-19-0x0000000002380000-0x0000000003BA4000-memory.dmp

Filesize
24.1MB

Download
memory/1852-20-0x0000000002380000-0x0000000003BA4000-memory.dmp

Filesize
24.1MB

Download
memory/1852-31-0x0000000076960000-0x0000000076961000-memory.dmp

Filesize
4KB

Download
memory/1852-14-0x0000000000400000-0x0000000001C24000-memory.dmp

Filesize
24.1MB

Download
memory/1852-25-0x00000000774F0000-0x00000000774F1000-memory.dmp

Filesize
4KB

Download
memory/1852-33-0x0000000000400000-0x0000000001C24000-memory.dmp

Filesize
24.1MB

Download
memory/1852-36-0x0000000004D00000-0x0000000004E00000-memory.dmp

Filesize
1024KB

Download
memory/1852-42-0x0000000004D00000-0x0000000004E00000-memory.dmp

Filesize
1024KB

Download
memory/1852-47-0x0000000000400000-0x0000000001C24000-memory.dmp

Filesize
24.1MB

Download
memory/2360-48-0x00000000051D0000-0x00000000069F4000-memory.dmp

Filesize
24.1MB

Download
memory/2360-12-0x00000000051D0000-0x00000000069F4000-memory.dmp

Filesize
24.1MB

Download