Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-10-2024 23:08

General

  • Target

    Bewerbung-Lena-Kretschmer.exe

  • Size

    908KB

  • MD5

    36ccd442755d482900b57188ae3a89a7

  • SHA1

    8cd96603cdd2637cf5469aba8ed2b149c35ef699

  • SHA256

    41364427dee49bf544dcff61a6899b3b7e59852435e4107931e294079a42de7c

  • SHA512

    0fcfc29a042342ccbf2529ac116e79698314778459d9dad2ca947b3eab2a7dec3d3622ce351b95909f88791c6d57a9943174ee352f13db246c706c9df1f57e9a

  • SSDEEP

    24576:jRi7/DwOpfmVEyMrUnla/PJJF3NagKGPHpZkxCcI1rC1yOh:NiXJpfmVEXgnlKj9aMICcorC1yOh

Signatures

  • Ordinypt

    Ordinypt is a destructive wiper malware that works in a way similar to ransomware.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (206) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Drivers directory 28 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe
    "C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe
      C:\Users\Admin\AppData\Local\Temp\Bewerbung-Lena-Kretschmer.exe
      2⤵
      • Drops file in Drivers directory
      • Drops startup file
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RUpOV_Entschluesselungs_Anleitung.html
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:796
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:796 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:928
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:580
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin.exe delete shadows /all /quiet
          4⤵
          • System Location Discovery: System Language Discovery
          • Interacts with shadow copies
          PID:2848
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2832

Downloads

  • C:\$Recycle.Bin\RUpOV_Entschluesselungs_Anleitung.html

    Filesize

    18KB

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

  • C:\Users\Admin\AppData\Local\Temp\CabC2F2.tmp

    Filesize

    70KB

  • C:\Users\Admin\AppData\Local\Temp\TarD9A1.tmp

    Filesize

    181KB

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\RUpOV_Entschluesselungs_Anleitung.html

    Filesize

    18KB

  • C:\Users\Admin\Desktop\RUpOV_Entschluesselungs_Anleitung.html

    Filesize

    18KB

  • memory/2236-11-0x0000000001CF0000-0x0000000001D23000-memory.dmp

    Filesize

    204KB

  • memory/2236-0-0x0000000001CF0000-0x0000000001D23000-memory.dmp

    Filesize

    204KB

  • memory/2236-1-0x0000000001D70000-0x0000000001D71000-memory.dmp

    Filesize

    4KB

  • memory/2236-2-0x0000000001D70000-0x0000000001D71000-memory.dmp

    Filesize

    4KB

  • memory/2236-3-0x0000000001D70000-0x0000000001D71000-memory.dmp

    Filesize

    4KB

  • memory/2236-4-0x0000000001D70000-0x0000000001D71000-memory.dmp

    Filesize

    4KB

  • memory/2236-5-0x0000000001D70000-0x0000000001D71000-memory.dmp

    Filesize

    4KB

  • memory/2236-6-0x0000000001CF0000-0x0000000001D23000-memory.dmp

    Filesize

    204KB

  • memory/2236-7-0x0000000001D70000-0x0000000001D71000-memory.dmp

    Filesize

    4KB

  • memory/2876-5584-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2876-1181-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2876-1182-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2876-2582-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2876-8-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2876-7781-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2876-3837-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2876-7734-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2876-7076-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2876-7738-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2876-7737-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2876-7735-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB

  • memory/2876-8211-0x0000000000400000-0x0000000000471000-memory.dmp

    Filesize

    452KB