ransomhub | 8b41f26e3063ae451f14111c69d28929e0ead8fbe4f11a40257761766553e657

Resubmissions

12/12/2024, 07:37

241212-jf7x6sypal 10

12/12/2024, 07:25

01/10/2024, 21:18

01/10/2024, 21:17

01/10/2024, 21:14

01/10/2024, 21:12

Analysis

max time kernel
575s
max time network
362s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

240907-vd8mgatfqr_pw_infected.zip
Size

2.4MB
MD5

19686df02e548da3e143c3873ac823fc
SHA1

0fa91a9de24c52d77d8dd47e4f8d80d690217952
SHA256

8b41f26e3063ae451f14111c69d28929e0ead8fbe4f11a40257761766553e657
SHA512

79c15cb87f036dae15617bdd5452ff00b04639cb6fcc43cba3d6816cefdf8fd0a0fea9e6a0675c7213d25190fc574a5a51dcaed877c2ad611cdfd4e6bf6a8c72
SSDEEP

49152:MrLbijd0NP+tF6dDQaG+gleGpBpBgYApYVNUbNQQTatfeTbjwvA1PLs:MrKjuIoenleGp7+cVNaLetm/jwvA1PI

Score

10^/10

ransomhub ransomware

Malware Config

Signatures

Detects Windows variants of RansomHub Ransomware 1 IoCs

resource	yara_rule
behavioral1/files/0x000800000001739f-3.dat	RansomHub_Windows

Ransomhub Ransomware
Ransomware first reported in Feburary 2024.
ransomware ransomhub

Executes dropped EXE 14 IoCs

pid	Process
1732	rundll3.exe
2012	rundll3.exe
1640	rundll3.exe
3048	rundll3.exe
1760	rundll3.exe
2460	rundll3.exe
1984	rundll3.exe
2140	rundll3.exe
2204	rundll3.exe
2548	rundll3.exe
2864	rundll3.exe
2720	rundll3.exe
2612	rundll3.exe
2944	rundll3.exe

Loads dropped DLL 40 IoCs

pid	Process
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
872	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1188	Process not Found
1972	Process not Found
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe
1228	cmd.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1732	rundll3.exe
2012	rundll3.exe
1640	rundll3.exe
1760	rundll3.exe
2460	rundll3.exe
1984	rundll3.exe
2548	rundll3.exe
2864	rundll3.exe
2720	rundll3.exe
2612	rundll3.exe
2944	rundll3.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3004	7zG.exe
Token: 35	3004	7zG.exe
Token: SeSecurityPrivilege	3004	7zG.exe
Token: SeSecurityPrivilege	3004	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3004	7zG.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1640	1228	cmd.exe	44
PID 1228 wrote to memory of 1640	1228	cmd.exe	44
PID 1228 wrote to memory of 1640	1228	cmd.exe	44
PID 1228 wrote to memory of 3048	1228	cmd.exe	45
PID 1228 wrote to memory of 3048	1228	cmd.exe	45
PID 1228 wrote to memory of 3048	1228	cmd.exe	45
PID 1228 wrote to memory of 1760	1228	cmd.exe	46
PID 1228 wrote to memory of 1760	1228	cmd.exe	46
PID 1228 wrote to memory of 1760	1228	cmd.exe	46
PID 1228 wrote to memory of 2460	1228	cmd.exe	47
PID 1228 wrote to memory of 2460	1228	cmd.exe	47
PID 1228 wrote to memory of 2460	1228	cmd.exe	47
PID 1228 wrote to memory of 1984	1228	cmd.exe	48
PID 1228 wrote to memory of 1984	1228	cmd.exe	48
PID 1228 wrote to memory of 1984	1228	cmd.exe	48
PID 1228 wrote to memory of 2140	1228	cmd.exe	49
PID 1228 wrote to memory of 2140	1228	cmd.exe	49
PID 1228 wrote to memory of 2140	1228	cmd.exe	49
PID 1228 wrote to memory of 2204	1228	cmd.exe	50
PID 1228 wrote to memory of 2204	1228	cmd.exe	50
PID 1228 wrote to memory of 2204	1228	cmd.exe	50
PID 1228 wrote to memory of 2548	1228	cmd.exe	51
PID 1228 wrote to memory of 2548	1228	cmd.exe	51
PID 1228 wrote to memory of 2548	1228	cmd.exe	51
PID 1228 wrote to memory of 2864	1228	cmd.exe	52
PID 1228 wrote to memory of 2864	1228	cmd.exe	52
PID 1228 wrote to memory of 2864	1228	cmd.exe	52
PID 1228 wrote to memory of 2720	1228	cmd.exe	53
PID 1228 wrote to memory of 2720	1228	cmd.exe	53
PID 1228 wrote to memory of 2720	1228	cmd.exe	53
PID 1228 wrote to memory of 2612	1228	cmd.exe	54
PID 1228 wrote to memory of 2612	1228	cmd.exe	54
PID 1228 wrote to memory of 2612	1228	cmd.exe	54
PID 1228 wrote to memory of 2944	1228	cmd.exe	55
PID 1228 wrote to memory of 2944	1228	cmd.exe	55
PID 1228 wrote to memory of 2944	1228	cmd.exe	55

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\240907-vd8mgatfqr_pw_infected.zip
1⤵
PID:2000

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\New folder\" -an -ai#7zMap22581:160:7zEvent15847
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3004

C:\Users\Admin\AppData\Local\Temp\New folder\rundll3.exe
"C:\Users\Admin\AppData\Local\Temp\New folder\rundll3.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1732

C:\Users\Admin\AppData\Local\Temp\New folder\rundll3.exe
"C:\Users\Admin\AppData\Local\Temp\New folder\rundll3.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\New folder\rundll3.exe
  rundll3.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1640
- C:\Users\Admin\AppData\Local\Temp\New folder\rundll3.exe
  rundll3.exe -h
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Users\Admin\AppData\Local\Temp\New folder\rundll3.exe
  rundll3.exe --pass hola -only-local
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\New folder\rundll3.exe
  rundll3.exe --pass hola -only-local -host 127.0.0.1
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2460
- C:\Users\Admin\AppData\Local\Temp\New folder\rundll3.exe
  rundll3.exe -pass hola -only-local -host 127.0.0.1
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1984
- C:\Users\Admin\AppData\Local\Temp\New folder\rundll3.exe
  rundll3.exe -pass hola -only-local -host 127.0.0.1 -[ath C://
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Users\Admin\AppData\Local\Temp\New folder\rundll3.exe
  rundll3.exe -pass hola -only-local -host 127.0.0.1 -path C://
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Users\Admin\AppData\Local\Temp\New folder\rundll3.exe
  rundll3.exe -pass hola -only-local -host 127.0.0.1 -path C://
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\New folder\rundll3.exe
  rundll3.exe -pass hola -disable-net -path C://
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2864
- C:\Users\Admin\AppData\Local\Temp\New folder\rundll3.exe
  rundll3.exe -pass hola -disable-net -path C://
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\New folder\rundll3.exe
  rundll3.exe -pass hola -disable-net -path C:// -verbose - only-local
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2612
- C:\Users\Admin\AppData\Local\Temp\New folder\rundll3.exe
  rundll3.exe -pass hola -disable-net -path C:// -verbose -only-local
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\New folder\rundll3.exe

Filesize
5.6MB

MD5
be8e765b8622989c5e4aa6414c2b030c

SHA1
b6cb7f1ffcceff8fbe572594ffc6aa515420e0a0

SHA256
6fdb160c3b7a5813f187afd606ef2e24cfde0e66e3a0663ce65cd1372fdc32ab

SHA512
e0522301c8d2c156fe6157d7d1ca3a305078ed35bd3a2cf1131bea2a97246eaa8e00751cb4ad9c63e26d97149bdf5898da6d443d8c224735c81589462bd571ad

Download Submit