Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240708-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    19/09/2024, 00:28

General

  • Target

    45428f6df3f06fa14f580e035f7ee950f0517c45d14e6f446af19dce921bda74N.exe

  • Size

    571KB

  • MD5

    14c34996703a2ea48391d760c7a1de20

  • SHA1

    6d1709b7fda47e19f9e2659feca125578c8aae98

  • SHA256

    45428f6df3f06fa14f580e035f7ee950f0517c45d14e6f446af19dce921bda74

  • SHA512

    a342416a7e160d236692457169553cac5c9f62ec1be03ff780efdf950c3df31d608a28e7d0f1a1f80f2c353900b986ae9df72ce1ae5a4ea9400a216ec8bf98f8

  • SSDEEP

    6144:nE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4HQHQQf+L+JV:E7a3iwbihym2g7XO3LWUyfh4Coc

Malware Config

Signatures

  • Renames multiple (4090) files with added filename extension

    Bulk renaming of files with an appended extension is characteristic of ransomware encrypting the files on the system.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 8 IoCs
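The "Renames multiple files with added filename extension" signature above is a behavioural heuristic, not a string match: a single process renames a large number of files to their original name plus one extra extension. The following is an added example of that detection logic, not code from the sandbox or from the sample. The event stream is constructed: rename events as (pid, old_path, new_path) tuples, with PID 1940 (Zombie.exe in this report) renaming files under Program Files. The ".locked" extension and the editor process with PID 4242 are hypothetical; the report does not state which extension was appended.

```python
"""Ransomware rename-burst heuristic over constructed rename events.

Added example, not part of the sandbox report. Event format is a hypothetical
(pid, old_path, new_path) tuple; real rename telemetry (ETW / minifilter data)
would be mapped into the same shape.
"""
from collections import Counter
import ntpath  # Windows path handling that also works on non-Windows hosts


def added_extension(old_path, new_path):
    """Return the appended extension if new_path == old_path + '.<ext>', else None.

    Same directory, same original name, exactly one extra dotted component.
    A plain extension swap (b.txt -> b.bak) or multi-part suffix is ignored.
    """
    if ntpath.dirname(old_path).lower() != ntpath.dirname(new_path).lower():
        return None
    old_name = ntpath.basename(old_path)
    new_name = ntpath.basename(new_path)
    if not new_name.lower().startswith(old_name.lower() + "."):
        return None
    ext = new_name[len(old_name) + 1:]
    if not ext or "." in ext:
        return None
    return ext.lower()


def rename_burst(events, threshold=50):
    """Group qualifying renames per PID; report PIDs at or above threshold.

    Returns {pid: (qualifying_rename_count, most_common_appended_extension)}.
    The sandbox counted 4090 renames for this sample; 50 is a conservative
    floor that still leaves ordinary save-as activity far below it.
    """
    per_pid = {}
    for pid, old, new in events:
        ext = added_extension(old, new)
        if ext is None:
            continue
        per_pid.setdefault(pid, Counter())[ext] += 1
    hits = {}
    for pid, exts in per_pid.items():
        total = sum(exts.values())
        if total >= threshold:
            ext, _ = exts.most_common(1)[0]
            hits[pid] = (total, ext)
    return hits


def sample_events():
    """Constructed events: PID 1940 renames 60 files with an extra '.locked'
    (hypothetical extension); PID 4242 is a hypothetical editor doing benign renames."""
    ev = [(1940, f"C:\\Program Files\\App\\doc{i}.txt",
           f"C:\\Program Files\\App\\doc{i}.txt.locked") for i in range(60)]
    ev.append((4242, "C:\\Users\\Admin\\notes.txt", "C:\\Users\\Admin\\notes.bak"))
    ev.append((4242, "C:\\Users\\Admin\\a.tmp", "C:\\Users\\Admin\\a.tmp.tar.gz"))
    return ev


if __name__ == "__main__":
    for pid, (count, ext) in rename_burst(sample_events()).items():
        print(f"PID {pid}: {count} files renamed with appended extension .{ext}")
```

The threshold is the tunable part: too low and backup or archiving tools trigger it, too high and an encryptor that is killed early goes unreported. Pairing the count with a short time window (not shown) is the usual refinement.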

Processes

  • C:\Users\Admin\AppData\Local\Temp\45428f6df3f06fa14f580e035f7ee950f0517c45d14e6f446af19dce921bda74N.exe
    "C:\Users\Admin\AppData\Local\Temp\45428f6df3f06fa14f580e035f7ee950f0517c45d14e6f446af19dce921bda74N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:1940
    • C:\Users\Admin\AppData\Local\Temp\_7z.exe
      "_7z.exe"
      2⤵
      • Executes dropped EXE
      PID:1372
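The process tree shows the pattern behind the "Drops file in System32 directory" and "Executes dropped EXE" signatures: the submitted sample (PID 1952) writes Zombie.exe into SysWOW64 and _7z.exe into its Temp directory, then launches both. The command line records C:\Windows\system32\Zombie.exe while the image path is SysWOW64; that is WOW64 file-system redirection mapping System32 to SysWOW64 for a 32-bit process. Below is an added example, not sandbox code, that correlates file-create and process-create events to raise the same two findings. The event stream is constructed and hypothetical, modelled on Sysmon Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate); PIDs and paths are taken from the report, and the notepad.exe launch with PID 2000 is a hypothetical benign control.

```python
"""Correlate dropped files with later execution and system-directory writes.

Added example, not part of the sandbox report. Events are constructed tuples:
  ("file", writer_pid, path)          -- modelled on Sysmon Event ID 11
  ("proc", pid, parent_pid, image)    -- modelled on Sysmon Event ID 1
"""
import ntpath

# Both the native and the WOW64 system directories, lower-cased for comparison.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXECUTABLE_SUFFIXES = (".exe", ".dll")


def normalize(path):
    """Canonical lower-case Windows path so the same file compares equal."""
    return ntpath.normpath(path).lower()


def correlate(events):
    """Walk events in order and return a list of findings.

    ("drops_in_system_dir", writer_pid, path)
    ("executes_dropped_exe", pid, path, dropper_pid)
    """
    dropped = {}      # normalized path -> PID that wrote it
    findings = []
    for ev in events:
        if ev[0] == "file":
            _, writer, path = ev
            p = normalize(path)
            dropped[p] = writer
            if p.startswith(SYSTEM_DIRS) and p.endswith(EXECUTABLE_SUFFIXES):
                findings.append(("drops_in_system_dir", writer, p))
        elif ev[0] == "proc":
            _, pid, _ppid, image = ev
            p = normalize(image)
            if p in dropped:
                findings.append(("executes_dropped_exe", pid, p, dropped[p]))
    return findings


def sample_events():
    """Constructed stream following the report's process tree; notepad.exe
    (PID 2000) is a hypothetical benign launch that must not be flagged."""
    return [
        ("file", 1952, "C:\\Windows\\SysWOW64\\Zombie.exe"),
        ("file", 1952, "C:\\Users\\Admin\\AppData\\Local\\Temp\\_7z.exe"),
        ("proc", 1940, 1952, "C:\\Windows\\SysWOW64\\Zombie.exe"),
        ("proc", 1372, 1952, "C:\\Users\\Admin\\AppData\\Local\\Temp\\_7z.exe"),
        ("proc", 2000, 1952, "C:\\Windows\\System32\\notepad.exe"),
    ]


if __name__ == "__main__":
    for f in correlate(sample_events()):
        print(f)
```

Keying the dropped-file table on the normalized path is what lets the correlation survive case differences between the file event and the process event; it does not survive a rename between write and execution, which a fuller implementation would track via rename events.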

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

          Filesize

          27KB

          MD5

          1ae750cbe0a6f2cc3b50a9b8d0e78883

          SHA1

          61992ae6a4ed0793900caa2a0b58af0dff5ced5a

          SHA256

          13fa59e80b9cd42a89fd537b8780db382989cb36606831fca75df247e1e94e59

          SHA512

          12fa919e024709748374604c5c1eba40c7ebd7d9249646aefdf579faecb3a5a8833447911b3ef1002748a37f6d70a3de806b7519a045eb493fb4feb572ed89cf

        • C:\Users\Admin\AppData\Local\Temp\_7z.exe

          Filesize

          544KB

          MD5

          1d4cf7e1503382452e4c9c86cc138e6e

          SHA1

          c5f2a375a71a29c3918c14b24c63e327d5365b88

          SHA256

          cb0c646dc2a28f5fcadd7683e55a17c5f088c3b7f2009a83ee17424bfefb4a68

          SHA512

          84b1ba1d0f850662d8956bcd11440b1125664d815dd1d9e36aa6f094e4a726b53e55d0ddce356da6afcb42adcaf939dbf9c19bbcaf02a183140922ff3850c9d5

        • \Windows\SysWOW64\Zombie.exe

          Filesize

          27KB

          MD5

          00055bc4caee8f4422b6c3d84c09fb4f

          SHA1

          5c6d365b745a00f94ed17fc6f3dea55661bb35aa

          SHA256

          697cbe42570a9ac3aa98a97fa6195883d1253b62886f564ba8c0afd2ed7cba75

          SHA512

          1a9b2c10573b8550caf8575ba0f37c81ff520528d6ecd854261e1e3a64ad76dfa66921d228088952241f0e3627dabbbbdfe9a4b41f62e530ee437811b2d74544

        • memory/1940-13-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

        • memory/1952-0-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

        • memory/1952-12-0x00000000002E0000-0x00000000002EA000-memory.dmp

          Filesize

          40KB

        • memory/1952-11-0x00000000002E0000-0x00000000002EA000-memory.dmp

          Filesize

          40KB