Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-10-2024 23:04

General

  • Target

    Bewerbung-Lena-Kretschmer.exe

  • Size

    908KB

  • MD5

    36ccd442755d482900b57188ae3a89a7

  • SHA1

    8cd96603cdd2637cf5469aba8ed2b149c35ef699

  • SHA256

    41364427dee49bf544dcff61a6899b3b7e59852435e4107931e294079a42de7c

  • SHA512

    0fcfc29a042342ccbf2529ac116e79698314778459d9dad2ca947b3eab2a7dec3d3622ce351b95909f88791c6d57a9943174ee352f13db246c706c9df1f57e9a

  • SSDEEP

    24576:jRi7/DwOpfmVEyMrUnla/PJJF3NagKGPHpZkxCcI1rC1yOh:NiXJpfmVEXgnlKj9aMICcorC1yOh

Malware Config

Signatures

  • Ordinypt

    Ordinypt is destructive wiper malware that mimics ransomware: it drops a decryption notice, but the files it overwrites cannot be recovered by paying.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (210) files with added filename extension

    This suggests ransomware-style activity: encrypting (or, for a wiper, overwriting) files across the system and appending an extension to each.

  • Drops file in Drivers directory 28 IoCs
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
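
Two of the signatures above (mass renames with an added extension; the same note file dropped in several directories) are easy to check for in file telemetry. The following is an added example and not code from the report or the sandbox vendor. Events are constructed dicts rather than a vendor log format; the appended extension ".enc" is a placeholder because the report does not say which extension the sample used, and the rename count (210) and the three note paths are taken from this page. Note that the three copies of dqn8v_Entschluesselungs_Anleitung.html listed under Downloads have different hashes, so the note is matched by filename and fan-out, not by hash.

```python
"""Two file-telemetry heuristics for the behaviour listed in the signatures above:
mass renames that append one extension, and the same note file created in many
directories. Added example, not part of the report. Events are constructed
(dicts rather than a vendor log format); the appended extension ".enc" is a
placeholder, the report does not state which extension the sample used.
"""
from collections import Counter, defaultdict

NOTE_EXTENSIONS = (".html", ".htm", ".txt", ".hta")


def added_extension(old_path, new_path):
    """Return the suffix appended to old_path when new_path == old_path + ".xyz",
    else None. A suffix containing a path separator is a move, not a rename."""
    if not new_path.startswith(old_path) or len(new_path) <= len(old_path):
        return None
    suffix = new_path[len(old_path):]
    if not suffix.startswith(".") or "\\" in suffix or "/" in suffix:
        return None
    return suffix


def analyse_file_events(events, rename_threshold=50, note_dir_threshold=3):
    """Return alerts keyed to the pid doing the writes (the report attributes the
    file activity to the second instance, PID 1636, not to the first, PID 796)."""
    renames = defaultdict(Counter)                   # pid -> Counter{ext: n}
    creates = defaultdict(lambda: defaultdict(set))  # pid -> name -> {dirs}
    for ev in events:
        if ev["op"] == "rename":
            ext = added_extension(ev["old"], ev["new"])
            if ext:
                renames[ev["pid"]][ext.lower()] += 1
        elif ev["op"] == "create":
            directory, _, name = ev["path"].rpartition("\\")
            creates[ev["pid"]][name.lower()].add(directory.lower())
    alerts = []
    for pid, exts in renames.items():
        ext, n = exts.most_common(1)[0]
        if n >= rename_threshold:
            alerts.append({"pid": pid, "kind": "mass_rename_added_extension",
                           "extension": ext, "count": n})
    for pid, names in creates.items():
        for name, dirs in names.items():
            if name.endswith(NOTE_EXTENSIONS) and len(dirs) >= note_dir_threshold:
                alerts.append({"pid": pid, "kind": "note_fanout",
                               "filename": name, "directories": len(dirs)})
    return alerts


def build_sample_events():
    """Constructed telemetry: 210 renames and three note drops by PID 1636 (the
    count and the note paths come from the report), plus a benign backup job
    (PID 4100) that renames only two files and must not alert."""
    events = []
    for i in range(210):
        old = f"C:\\Users\\Admin\\Documents\\file{i:03d}.docx"
        events.append({"pid": 1636, "op": "rename", "old": old, "new": old + ".enc"})
    for path in (
        "C:\\Users\\Admin\\Desktop\\dqn8v_Entschluesselungs_Anleitung.html",
        "C:\\$Recycle.Bin\\dqn8v_Entschluesselungs_Anleitung.html",
        "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\dqn8v_Entschluesselungs_Anleitung.html",
    ):
        events.append({"pid": 1636, "op": "create", "path": path})
    for name in ("budget.xlsx", "notes.txt"):
        old = "C:\\Users\\Admin\\Documents\\" + name
        events.append({"pid": 4100, "op": "rename", "old": old, "new": old + ".bak"})
    return events


if __name__ == "__main__":
    for alert in analyse_file_events(build_sample_events()):
        print(alert)
```

The rename threshold is deliberately per-process and per-extension: a backup job that appends .bak to a handful of files stays quiet, while a single pid appending one extension to hundreds of files in a short window is the pattern the "Renames multiple (210) files" signature describes.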

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe
    "C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:796
    • C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe
      C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe
      2⤵
      • Drops file in Drivers directory
      • Drops startup file
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\dqn8v_Entschluesselungs_Anleitung.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2108
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2108 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1520
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1872
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2164
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2044
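
The process tree above shows the recovery-inhibition chain behind the "Deletes shadow copies", "Interacts with shadow copies" and "Uses Volume Shadow Copy service COM API" signatures: the second instance of the sample (PID 1636) spawns cmd.exe, which runs vssadmin delete shadows and then two bcdedit changes that disable Windows recovery. Below is an added example of detection logic over process-creation telemetry; it is not code from the report or the sandbox vendor. The input lines are constructed JSON-lines records whose field names (ProcessId, ParentProcessId, Image, CommandLine) mirror Sysmon Event ID 1, but the export format is an assumption. The vssadmin and bcdedit patterns are what this page shows; the wmic and wbadmin patterns are common equivalents added as a generalisation.

```python
"""Flag the recovery-inhibition chain from the process tree above.

Added example (not from the sandbox report). Input is constructed JSON-lines
process-creation telemetry; the field names (ProcessId, ParentProcessId, Image,
CommandLine) mirror Sysmon Event ID 1 but the exact export format is an assumption.
PIDs are assumed unique within the analysed window (real logs need a ProcessGuid).
"""
import json
import re

# Command lines that inhibit system recovery (ATT&CK T1490). vssadmin and bcdedit
# are what this report shows; wmic and wbadmin are common equivalents added here
# as a generalisation.
RECOVERY_INHIBITION_RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    "bcdedit_recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "bcdedit_ignore_boot_failures": re.compile(
        r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}

# Constructed events modelled on the report's process tree (PIDs 796/1636/1872/2164),
# plus one benign admin command (PID 3020, "vssadmin list shadows") that must not fire.
SAMPLE_EVENTS = [
    r'{"ProcessId": 796, "ParentProcessId": 1500, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bewerbung-Lena-Kretschmer.exe", "CommandLine": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Bewerbung-Lena-Kretschmer.exe\""}',
    r'{"ProcessId": 1636, "ParentProcessId": 796, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bewerbung-Lena-Kretschmer.exe", "CommandLine": "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bewerbung-Lena-Kretschmer.exe"}',
    r'{"ProcessId": 1872, "ParentProcessId": 1636, "Image": "C:\\Windows\\SysWOW64\\cmd.exe", "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /k vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"}',
    r'{"ProcessId": 2164, "ParentProcessId": 1872, "Image": "C:\\Windows\\SysWOW64\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}',
    r'{"ProcessId": 3020, "ParentProcessId": 1500, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\" /c vssadmin list shadows"}',
]


def parse_events(lines):
    """Parse JSON-lines records into a dict keyed by ProcessId, skipping blank lines."""
    events = {}
    for line in lines:
        line = line.strip()
        if line:
            ev = json.loads(line)
            events[ev["ProcessId"]] = ev
    return events


def root_ancestor(events, pid):
    """Follow ParentProcessId links to the topmost process we have a record for."""
    seen = set()
    while pid not in seen and events[pid].get("ParentProcessId") in events:
        seen.add(pid)
        pid = events[pid]["ParentProcessId"]
    return pid


def detect_recovery_inhibition(lines):
    """Return {root_pid: {"image", "rules", "pids"}} for every process tree that
    contains at least one recovery-inhibition command line. Matches are attributed
    to the root of the tree so the dropper is blamed, not cmd.exe or vssadmin.exe."""
    events = parse_events(lines)
    findings = {}
    for pid, ev in events.items():
        cmdline = ev.get("CommandLine", "")
        matched = {name for name, rx in RECOVERY_INHIBITION_RULES.items() if rx.search(cmdline)}
        if not matched:
            continue
        root = root_ancestor(events, pid)
        entry = findings.setdefault(root, {"image": events[root]["Image"],
                                           "rules": set(), "pids": set()})
        entry["rules"] |= matched
        entry["pids"].add(pid)
    return findings


def severity(rules):
    """Two or more distinct T1490 commands in one tree is the ransomware/wiper pattern;
    a lone vssadmin call may be an administrator or a backup product."""
    return "high" if len(rules) >= 2 else "medium"


if __name__ == "__main__":
    for root, f in detect_recovery_inhibition(SAMPLE_EVENTS).items():
        print(f"[{severity(f['rules'])}] root pid {root} {f['image']}: "
              f"{sorted(f['rules'])} via pids {sorted(f['pids'])}")
```

Attributing the match to the root of the tree matters here: the single cmd.exe /k line already carries all three commands, and the vssadmin.exe child matches again, so a naive per-process alert would fire twice on the same chain and name the Windows binaries rather than the dropper in the user's Temp directory.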

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\$Recycle.Bin\dqn8v_Entschluesselungs_Anleitung.html

    Filesize

    18KB

    MD5

    039d2aff1e39a3c64f2b257b446b7312

    SHA1

    071fe40291476beeb80ce1c486ec16d101d80a3e

    SHA256

    66d5e3db79764fd38aa979e1b83803564079491166d90dd6bafa2e63a101878a

    SHA512

    e7a344fe637cbd60a8de4b9e997b4d90859a2bc94040c4c8777e8048e1a5e8cc24414cd3f72d9b7920d8749e450bcffd758d826b02e24fe4751dc71509997917

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    a8fc473578ce802ffe5d16d23210b479

    SHA1

    f674c58a06aa8843e384c6a2f071cc9eb1224db8

    SHA256

    73d361f2527a1aca332ff8c386dd0af6de4cbe7bccdf3b019c76f97edf3d9032

    SHA512

    ff44261327616c6a930aaa707e7a58750b2cc3d52ae4506589e14c911548ebebe9cc0b6e664f91a402acde91bcf859305bf90847782e407242da43b151288d62

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8e4c8f6df96ea747faaf1c39d1d5b9a8

    SHA1

    9e38735a23e5c3a90eea0395c65b6a698fe32fbc

    SHA256

    8c4ecade441979e6cc4a92f2d9e34aa1ef557c7f8002615e3fac73f8c568ce5d

    SHA512

    6e2062a957a7f0b934b25975365d310f46b7a98a357c079bf272f2d6dba700fd1baf4e6b96e07f61d6ca16cf285042cfff9cb4926e67f710da55ab5e2666204a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    02c349dbb577bdf7822fa67de5af4961

    SHA1

    a95f420cef4ed51401d7fbb16bc72e22cb3f01a8

    SHA256

    2cfd07990b1441f1177e2c867ca1ec2e8c227050e6e4b5051452ec9d4a6392a4

    SHA512

    5d91bb7ff9840b5a0146b1a837aea671af70423e5065736ffce0f582e4a8b3e662d0b2fd3bbed4e039edb9afb6cd2dd3d0698c6ded6ab8b0e8462a7100fb7220

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    285d84f8a51fd6a7dc19170abb79d254

    SHA1

    84b4bdb5c1d961e3c2a2e38037ed1984041b4dd8

    SHA256

    160c0f31f87a823a638707dd3bc59be40ac937f9d80902d605ad341e4f90dc11

    SHA512

    4ea893a18851d8002ba9b1786adc2373d8a0cc3aa5b41727bc4be4ff5067a83ca520b55ecd02dbcf6bf1e0929b6a0d2fd4779589efe279df796f1e134da3d33d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5ce78da4e048939fdf21ff72fe63f068

    SHA1

    4dd5b16571a8f85aa49c7dde373a878d0991ce55

    SHA256

    fe80866efcdd2b075b8d563997e1df42a79863d5261b3fbfebbad78c41e7d27e

    SHA512

    c8b44fff2c740b5cf88d0b92cad7b5fb10dee72caef13aea7d32e3139f8eacfee334a3e4834599ee3b1b3b861663024603e65c5ebb5975f0a2a1097acb29062b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0525b64bf57f94c7ac3806c2826911d2

    SHA1

    6e5ed5e97cf4fbc5d12d901aa9c61c3e65c57a91

    SHA256

    2d73a51bca37aba17cf3a3bacce696bd88b9bb74ac062d82e4cd76f78d37a529

    SHA512

    7b49f9ea3a8f8a1bda42d0f13882c2f07068fbfe0efd6b1523acb5a9c4705a87a66abe4a028c8cb79b0941ee0b0d999578f6f0ad1b7f2681e80fc54ebb80f77d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    422b6fd5c144b1ffc9a8e8504ebaabc1

    SHA1

    968c1d28879071918123d994218a31869bf08f45

    SHA256

    8df4a8c7f2d552fb1525a8f4a82846998c276683fa2a762f751ecea65cdb8cdc

    SHA512

    3ebc0a4d57a806b803bdfd807eba2f3e4f88ba0ce707d26a27443bb286c3adfb9ce73e3f3166e6cff28a3de89875f7d3b38fb35561a4d8c764b75e0fb4b88d79

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2328a91a9cd49e276cb89ba8e6376b38

    SHA1

    f6e5ef023922fdc91c42924643b0e6d844fab69c

    SHA256

    c29b78fe552fb334ec8ae55c7464728ceec171025592a92a6ae713f62a77b253

    SHA512

    1b074a79a4e3dc1668d3389a8e0a1d1de426cc0afcbc938c8db16cc5fbe88f0d9863830b2cf985b574d84f1eb51429d99a68b0f65dbef8232162eb9b2c37d6b2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    5c16e168fdac17dde1fefa3ceb3eb87b

    SHA1

    4a82dd11cbd2dcdd1d841c16d49080cc45337095

    SHA256

    66413a2e692aa34dccbc588690c2c861921f6f3bb85766e3b9387509e4f97195

    SHA512

    b2ea8a5f0ff0616c4792340e3fe7ed43b31350b3f2e166298a735494f7e15c88f574fbdcc63bf5fae61fae2744c1ca9f18bcca72b7475ca73e2d23133fd410b6

  • C:\Users\Admin\AppData\Local\Temp\Cab6A98.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar6A99.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\dqn8v_Entschluesselungs_Anleitung.html

    Filesize

    18KB

    MD5

    715fee6a82c9cd1800b53a56c5fe708c

    SHA1

    64e5bd15955edf8e206854711a52d51d53189f4a

    SHA256

    0fb7f641200d841330dd15150d617ee0f1eb88cc0bdacfefb88da6840ae4432e

    SHA512

    a7af77bbac8e745286c2d4bdf3304c23cf65f9714dde96910cbeb0ba4b3c54bfcc37f3e7ca9e7eaae3a036e3a967539be03a3d5a71548c5e2c593022c1acc442

  • C:\Users\Admin\Desktop\dqn8v_Entschluesselungs_Anleitung.html

    Filesize

    18KB

    MD5

    68c06f104e7aa960ae7743d425e29835

    SHA1

    f870229ff9044fb36e309e2fe6607f97cc8a2792

    SHA256

    80bd45d55f1838b8f55aad972872ae5b98c3d14ec26b50c7a5ff0dd5c87c2ebf

    SHA512

    d8add0ab00c3c9719531d6716eff9865d60750a15b2965054126961269d2d0aa22c0952b82fcb31f5141cbea3b2f00990ec04fb8e8805d425c053d609547a3e4

  • memory/796-4-0x00000000008F0000-0x00000000008F1000-memory.dmp

    Filesize

    4KB

  • memory/796-0-0x0000000001E10000-0x0000000001E43000-memory.dmp

    Filesize

    204KB

  • memory/796-5-0x0000000001E10000-0x0000000001E43000-memory.dmp

    Filesize

    204KB

  • memory/796-3-0x00000000008F0000-0x00000000008F1000-memory.dmp

    Filesize

    4KB

  • memory/796-6-0x00000000008F0000-0x00000000008F1000-memory.dmp

    Filesize

    4KB

  • memory/796-2-0x00000000008F0000-0x00000000008F1000-memory.dmp

    Filesize

    4KB

  • memory/796-14-0x0000000001E10000-0x0000000001E43000-memory.dmp

    Filesize

    204KB

  • memory/796-1-0x00000000008F0000-0x00000000008F1000-memory.dmp

    Filesize

    4KB

  • memory/1636-7743-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/1636-7744-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/1636-7760-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/1636-1645-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/1636-811-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/1636-4029-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/1636-809-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/1636-2978-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/1636-5539-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/1636-7-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/1636-7741-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/1636-6767-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/1636-7740-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/1636-7739-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/1636-8208-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB