Resubmissions

26/09/2024, 03:06

240926-dlyc2atfqp 9

19/09/2024, 03:30

240919-d2hyaayfqk 9

19/09/2024, 03:22

240919-dwwl7ayble 9

19/09/2024, 03:15

240919-drxnpaxhpa 9

19/09/2024, 03:14

240919-drgbpsxhmf 9

18/09/2024, 21:46

240918-1mv1mavcje 9

Analysis

  • max time kernel
    13s
  • max time network
    1s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2024, 03:14

General

  • Target

    183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe

  • Size

    581KB

  • MD5

    8b70ba0f3b9818b5e2909e370254ea48

  • SHA1

    56ffda57fd9161b441f0715d848cbcc0c0ccf5bf

  • SHA256

    183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b

  • SHA512

    53e8a9319f9cb58b2de4069c8a579cb0ad49408ba93f052d58eb5fb7e8996953fb8569babf5b6853f89d054309c457162277a360947972e9e4e8f0ec67f0cb28

  • SSDEEP

    12288:N9C7oO/76BYSuTDqymSutZLcTra3qxsOeNMzrTKcJmVcgrdC:N94DmSuteagsUzXJmmgrdC

Malware Config

Signatures

  • Renames multiple (295) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops desktop.ini file(s) 6 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe
    "C:\Users\Admin\AppData\Local\Temp\183cd5f034f18b0a5ed3a56f0b058da06b992c024c01f514326768ac9688747b.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Writes to the Master Boot Record (MBR)
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\system32\notepad.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:576

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Wallpaper.png

    Filesize

    46KB

    MD5

    6bf1d5d255a107cb4fab6303374a8d1d

    SHA1

    cda293fdd257127f2378a7925a92ba0bfe70ee26

    SHA256

    f154681d0474568b2a63ff34688c9f973b916de6616b13b80214d2059260cc9a

    SHA512

    76c472d5062423902f42f14c34de54ded76f0b208ca4f2992776144c038bdc2dabbaddf6ce29c5ec319f5b72d7da4bd95279b157a0405b6d752ea462c7255f16

  • \Users\Admin\AppData\Local\Temp\lframe32.dll

    Filesize

    91KB

    MD5

    e473f639723972758004181c216e7654

    SHA1

    b99232cdee41a86599861a882d8a92c71509f803

    SHA256

    df96be89403fed5ca5fc815dca978c85a03064e24ccf9df15df1c99cc8aa491e

    SHA512

    10b1a515850e24ddfe3aa389f40bded1552f2525179b350b58cc057342d6ef97b5a764a74643ea5afbd25608f524661c93d1e204689a05a7a4567b5f308a656a

  • memory/2512-0-0x0000000000400000-0x0000000000676000-memory.dmp

    Filesize

    2.5MB

  • memory/2512-349-0x0000000000400000-0x0000000000676000-memory.dmp

    Filesize

    2.5MB

  • memory/2512-362-0x0000000000400000-0x0000000000676000-memory.dmp

    Filesize

    2.5MB