Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 02:55

General

  • Target

    df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe

  • Size

    175KB

  • MD5

    df1e348372d344568c4505dca7846e77

  • SHA1

    e0b4f55bb7fb8c0948b86511ce48ffdaac06bf71

  • SHA256

    df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9

  • SHA512

    bd924bbce90f1a2d4588960121ca1b74a7616d291ded5b8cf1a28e8a7c93358b3b9dc552c79b89d85bf76ebcb1200d91028bafacfce65058fd921f3e3b80d077

  • SSDEEP

    3072:ayPqTcNkM2jt3MuZOjr6GtDp5BSzFOrPJxFc60cRAp:aTcNkTt5OfZpv8QcBkAp

Malware Config

Signatures

  • Renames multiple (7478) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe
    "C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe" /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update BETA" /TR "C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2148
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c rd /s /q P:\$RECYCLE.BIN,Q:\$RECYCLE.BIN,R:\$RECYCLE.BIN,S:\$RECYCLE.BIN,T:\$RECYCLE.BIN,U:\$RECYCLE.BIN,V:\$RECYCLE.BIN,W:\$RECYCLE.BIN,X:\$RECYCLE.BIN,F:\$RECYCLE.BIN,G:\$RECYCLE.BIN,K:\$RECYCLE.BIN,L:\$RECYCLE.BIN,M:\$RECYCLE.BIN,N:\$RECYCLE.BIN,O:\$RECYCLE.BIN,Y:\$RECYCLE.BIN,Z:\$RECYCLE.BIN,A:\$RECYCLE.BIN,B:\$RECYCLE.BIN,C:\$RECYCLE.BIN,D:\$RECYCLE.BIN,E:\$RECYCLE.BIN,H:\$RECYCLE.BIN,I:\$RECYCLE.BIN,J:\$RECYCLE.BIN
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2348
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c rd /s /q P:\Recycler,Q:\Recycler,R:\Recycler,S:\Recycler,T:\Recycler,U:\Recycler,V:\Recycler,W:\Recycler,X:\Recycler,F:\Recycler,G:\Recycler,K:\Recycler,L:\Recycler,M:\Recycler,N:\Recycler,O:\Recycler,Y:\Recycler,Z:\Recycler,A:\Recycler,B:\Recycler,C:\Recycler,D:\Recycler,E:\Recycler,H:\Recycler,I:\Recycler,J:\Recycler
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2516
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2704
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c rd /s /q P:\$RECYCLE.BIN,Q:\$RECYCLE.BIN,R:\$RECYCLE.BIN,S:\$RECYCLE.BIN,T:\$RECYCLE.BIN,U:\$RECYCLE.BIN,V:\$RECYCLE.BIN,W:\$RECYCLE.BIN,X:\$RECYCLE.BIN,F:\$RECYCLE.BIN,G:\$RECYCLE.BIN,K:\$RECYCLE.BIN,L:\$RECYCLE.BIN,M:\$RECYCLE.BIN,N:\$RECYCLE.BIN,O:\$RECYCLE.BIN,Y:\$RECYCLE.BIN,Z:\$RECYCLE.BIN,A:\$RECYCLE.BIN,B:\$RECYCLE.BIN,C:\$RECYCLE.BIN,D:\$RECYCLE.BIN,E:\$RECYCLE.BIN,H:\$RECYCLE.BIN,I:\$RECYCLE.BIN,J:\$RECYCLE.BIN
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3024
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c rd /s /q P:\Recycler,Q:\Recycler,R:\Recycler,S:\Recycler,T:\Recycler,U:\Recycler,V:\Recycler,W:\Recycler,X:\Recycler,F:\Recycler,G:\Recycler,K:\Recycler,L:\Recycler,M:\Recycler,N:\Recycler,O:\Recycler,Y:\Recycler,Z:\Recycler,A:\Recycler,B:\Recycler,C:\Recycler,D:\Recycler,E:\Recycler,H:\Recycler,I:\Recycler,J:\Recycler
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1828
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1276
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -inputformat none -outputformat none -NonInteractive -Command Remove -Item 'd:\$RECYCLE.BIN','c:\$RECYCLE.BIN' -Recurse -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2268
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\ss.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:536
      • C:\ProgramData\ss.exe
        C:\ProgramData\ss.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2952
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "C:\ProgramData\ss.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:204
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 5
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:216
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS.exe /Delete /TN "Windows Update BETA" /F
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2312
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\df138c96b45614d5224eb00d3051ac7078fa12cf3e26dd86d9469f687c133dd9.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 5
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2112
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2864

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Elons_Help.txt

    Filesize

    452B

    MD5

    f84a71740c0c41fcc0e63ab1cc6d1750

    SHA1

    2e7a66a6caeac383afc8952aff89bb179ba8ba3e

    SHA256

    d365234eaf09459997a8ced335ef6659b7c23af70b3bd6be2e653c8d9160c8f1

    SHA512

    d6a5378969520be3f2f561a087de08d99e80cbe4a7c432bee7c6fa31fcb15736f5380c44a0eb447b00e0b5f95552a0f314ef23e39bb267f7812e5e8558a8243e

  • C:\ProgramData\ss.exe

    Filesize

    6KB

    MD5

    39728325879572ffe56a194319f2731f

    SHA1

    3898a219352dd3aedc54ff924b01317107c9ce2f

    SHA256

    8e3ff1907d973d91167c2d74ac8414496d7f430687eef52e3201721e01513761

    SHA512

    7d80af3e2df1c02bfda76e5ada4b4ce25921418cfcd7f26434293e746968f4187f6c9cf5bbb1c7c4703117eaabdd958700f7b1cefcfa44bd11afe95ad7f1599b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    6e7e9e61495c9fdf80d792c761e38b55

    SHA1

    ee06e240fcb36c6648b3d5e0ec6e6583af70b43e

    SHA256

    8ee030da8fbffe2b516fef68c01280ba2d73e8ecd7c87b4b2bb49640975a669c

    SHA512

    0ef8615fb1c0bbdf0695cde7c3f85711ce11f3c9456697536a18e3260bf923196583fda667d85a13587e27290a3ff6fb642216ec9cf30a2019ce789e54f31e06