Analysis

  • max time kernel
    120s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-09-2024 23:46

General

  • Target

    bbd9622274814e7c111d3ffb3f1d74e0N.exe

  • Size

    91KB

  • MD5

    bbd9622274814e7c111d3ffb3f1d74e0

  • SHA1

    a9105de161ec5af55848d75b839e61461103ab6c

  • SHA256

    33c4a2ea8aa54e144b647750d211c9b58c57d459be298dcb8eb7cfd5f92c4418

  • SHA512

    f195b5bcc509ad8853d4a1bbc7362a82452194dbaf57211e8a9d7199cefd02d93144cab7704db0e5741dd89051bdf460e63b2e957b1d7441d3d832a8a7308cc4

  • SSDEEP

    768:W7Blp9pARFbhjJQWJQuvGjDE+BqKFkszYUzf2JdmwdAsCeHvJ5YFvqix3DZzmg0i:W7Z9pApjJQWJQVFUgCEHixUPig1juYow

Score
9/10

Malware Config

Signatures

  • Renames multiple (3328) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim machine in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbd9622274814e7c111d3ffb3f1d74e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bbd9622274814e7c111d3ffb3f1d74e0N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:2800
    • C:\Users\Admin\AppData\Local\Temp\_createdump.exe
      "_createdump.exe"
      2⤵
      • Executes dropped EXE
      PID:2876

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

    Filesize

    36KB

    MD5

    2c373d3bc7edf8be79b7cfe2ee1d3224

    SHA1

    e74eeae072f0bdf543206d9e70f1d0a5f1c6eda6

    SHA256

    b2f27a4431d829e0790e96c602c8ff0a98b767ff7a12955c42cf8e282fa37341

    SHA512

    31924f28374d443d705fafe68e3755ea76f293bdc0a0809d71f27627016fada2de743824714945dee4d42ca959c79852bb27b6d33a87ff0b56f63b2d8dbd9d72

  • C:\Users\Admin\AppData\Local\Temp\_createdump.exe

    Filesize

    54KB

    MD5

    9ca726be24244f2cf7e2dec95b714c46

    SHA1

    db976e979ec442e03799a26e861dc21847afe79a

    SHA256

    a6324117d0f5b16d0ecaccd1497f471495e4b3d315f1df0da66758d0bbab18af

    SHA512

    8e44e93e4cafba0cb6d3ad2d5f5935f5961cef0c841e534865f9f74f15f5d9007c6d304a597b97641d7cc001a1ef4675b4d19775ea7f4b9a778a882f3deeb449

  • C:\Windows\SysWOW64\Zombie.exe

    Filesize

    36KB

    MD5

    5a7b2ba8007b8c5600f2ab0afbf52e96

    SHA1

    32775e957f3f981e4889607de5f532430930d147

    SHA256

    503b61a50e34cc18ed1b758350c5d5f7810d52819c35ab8bc83bdf2d0e58cea6

    SHA512

    56e7ad7bdbcaae2d0645feac683d456c99dfb9590e1d4c98f70b42e220111a8c393ae2e09c97cdc130c05fc2a9b24c7e144e2f666d6944c51a3c6d156e59cd5d