Overview

overview

9

Static

static

3

ec8952dc14...fd.exe

windows7-x64

9

ec8952dc14...fd.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    93s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/10/2024, 18:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe

  • Size

    146KB

  • MD5

    521666a43aeb19e91e7df9a3f9fe76ba

  • SHA1

    663081e2767df7083f765a3a8a994982959d4cbe

  • SHA256

    ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd

  • SHA512

    cd1414158094328ee2f56a995ee4724604f05c0df5a08f4ae1c653e19cb0158a58ffa2cafc3a2363fc13ef617320979e11bc6281c4c79066a6787c0545c6ec54

  • SSDEEP

    3072:S4PDTrekAooSPxQQvYO3ppr4nwd/T7YfeJFDGfYfaPLmy816SX:SOrNAmPiUprWKTMferDGmaP17SX

Score
9/10
discoveryransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (7738) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe
    "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3868
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe" /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4200
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1400
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\LPW5.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3708
      • C:\ProgramData\LPW5.tmp
        C:\ProgramData\LPW5.tmp
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4860
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "C:\ProgramData\LPW5.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:3640
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 5
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3812
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1712
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\ec8952dc14bac73174cef02a489539e244b378b7de76c771126a8ba7ce532efd.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:3332
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 5
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4328
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:244
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
      PID:3940
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2528

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    2
    T1012

    Remote System Discovery

    1
    T1018

    System Information Discovery

    3
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    System Network Configuration Discovery

    1
    T1016

    Internet Connection Discovery

    1
    T1016.001

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\CYLANCE_README.txt
      Filesize

      1KB

      MD5

      38aa4cc478c9256f32512e2e7ccbd9d2

      SHA1

      f54cc3fa07fea8d745e7c1a84935091f719e49c3

      SHA256

      30a49b4694c9b68f8343714a69c3f9fc96ac24c1d275da4cae47115428ffbf2b

      SHA512

      d94a315c0cefce6dab0687a4b0fcb18218b064ccdc300ea84ae07e48165b49c94f2c4ace54f214bec97af36336459f86806c7f8da0226299b85cabaa5378d464

      Download Submit

    • C:\ProgramData\LPW5.tmp
      Filesize

      5KB

      MD5

      ab65af4349e7c5b0872c8b808d036980

      SHA1

      414b2a2748b7ea6176c1d2453f89fdc8a2d349d0

      SHA256

      a6c41f368f42a7c57c307a48ce2440a60a744226b6414fadb6517a80a5d160a2

      SHA512

      2c61c56e8c299677bad4ce223e3187200c341aa4dd4503fac1217aa8e15687af03544a6d160bb2b1b131a56ea9df2967e00359aa622f12d1b82605c40cca6679

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
      Filesize

      13KB

      MD5

      42d04272230248b3f66292dbebae8db8

      SHA1

      6ae765f035b21e1d6fc17be1dc77f9dd50c4985a

      SHA256

      b6ac9df8d83928f31c00320e57f3f68cd6d542eb6ce8c063334400bd493831f6

      SHA512

      b93165544a57f8fe2ac8a120f11077c17a2b9499f49083bb44e8648f212e1c746e21ea6aeba99ec90bc316e722698bd548a1c10f51b068ce36307e8029c563bf

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
      Filesize

      14KB

      MD5

      ae634e124f836ea195b85c26b1a8a9d0

      SHA1

      b2f573a5f386297f9955d4dfc8944a1e14a30037

      SHA256

      45c60ee55e84d574aabed0240ec23a1e7459f271c1510a62707636bf710d1691

      SHA512

      b115c7388c1389abd33beca0b3d5bd9516206f5c2b839c14cd7f42e7373479e7209020aae35ebddfdcc5772921451df06566fd9ca03757527185b138d471a879

      Download Submit