Analysis

  • max time kernel: 143s
  • max time network: 123s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 19-10-2024 09:58

General

  • Target: 2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
  • Size: 4.5MB
  • MD5: 8f95d249a8940a86f0518d676cfc3096
  • SHA1: ac3c91f89d4fca14410e24bd348ced70891b543a
  • SHA256: d0b41ed9435129ccdf1bf7ca87fa4b33649b5b924d8cdbc12966d33fb7b9b873
  • SHA512: 21e8fe5d0f2e2e9ea36a7ea5fc0230a9ac3657528f93ad9b83ef9895fccf2563ecc8f6115a625c60ca8581e6bc043a3a6560a50d650476676bf8c391975e1a82
  • SSDEEP: 24576:HgIWd8sPeH6qAoIqEU502aM56PemUnJNhxtP+AmUmey2s73tOOu55E9QiwzTUBUD:id8gez+AmUvy2s7s5e9QiE

Malware Config

Signatures

  • FFDroider

    Stealer targeting social media platform users first seen in April 2022.

  • Jupyter, SolarMarker

    Jupyter is a backdoor and infostealer first seen in mid 2020.

  • Maze

    Ransomware family also known as ChaCha.

  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 3 IoCs
  • Windows security bypass 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory 6 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Identifies Wine through registry keys 2 TTPs 3 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Reads ssh keys stored on the system 2 TTPs

    Tries to access SSH keys used by SSH programs.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 3 IoCs
  • Checks for any installed AV software in registry 1 TTPs 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 7 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • System policy modification 1 TTPs 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-19_8f95d249a8940a86f0518d676cfc3096_derusbi_lockbit_wannacry.exe"
    1⤵
    • Modifies security service
    • Modifies visibility of file extensions in Explorer
    • UAC bypass
    • Windows security bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Identifies Wine through registry keys
    • Windows security modification
    • Checks for any installed AV software in registry
    • Checks system information in the registry
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • System policy modification
    PID:4968
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3284

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\EXTROYAN\Windows\ADMIN\Tertm
    Filesize: 1KB
    MD5: c5a4a23ab9fbd98d9c6005b8bde22836
    SHA1: b8dfa880878ab958e8e3cd6ab4c54b903de714d7
    SHA256: b181a052071577687a1bfbee654ee2524457d55bb1f0557e5736645f15ab89a3
    SHA512: 372540a0c4a300b02fc2f4f16d81a976b9a087a0d98aeaa8f8eba31a8d8bb4c27c0d600c00cdbba2ab157161d7e8fc27e8ff7ceed95dec868a8e25ca017b1b8e

  • C:\EXTROYAN\Windows\ADMIN\Tertm
    Filesize: 1KB
    MD5: 760a777a04ea72842764dd85ae82c44f
    SHA1: ee29595badc9895ad05b0c1ab2c6a96abf1b4d41
    SHA256: fc4258438772c345d20ae2f93b5c115e28c7c26e96730c6effa4f04033add669
    SHA512: 54278cfc0b2c82571eaa05f04e0b406d63a2c12f79253eb24b988d59fc1c34e42eb1bb71d394a50089cfc665733d3de8d0024d7059ee890d03d549c28d85788d

  • C:\EXTROYAN\Windows\ADMIN\Tertm
    Filesize: 1KB
    MD5: 7a5c4c639a026f6fac3c8a060c8014eb
    SHA1: 675e6ab7ccc674b06473017cdf34bb714a3821a9
    SHA256: 455774d6472d728fcdbb7d7928256799a439252dcff84ff48452514f06ac42a7
    SHA512: f0dfde1f58f809d23c6e179f400d11a2fa6aaf7d15b75e5d85ddca1658ba30a9f59c23879fad5fd790eb28ab89fb62894203cf2095c1bfb6d7df6b68d19ff219

  • C:\EXTROYAN\Windows\ADMIN\Tertm
    Filesize: 1KB
    MD5: 6843b50ec0f30f5b08a50e7a982c61c8
    SHA1: 298ec960b1bf19a56d163df294c7ef10e2ffd71a
    SHA256: 0ab242a0e3c71fb13ad093faf6c6d712badcd35c335e89e9d65a7f02f73a2464
    SHA512: 88f8dab7463ff63d5a7bed198ff011cfc598d09f8a287b5fc3b98424032826c390dc0f0773cf83fa752e44be299881054ad2613236e8d912c1e19df3d74e8d81

  • C:\EXTROYAN\Windows\ADMIN\Tertm
    Filesize: 1KB
    MD5: 149d02e627f735018d5a166968ef2b99
    SHA1: e2037ab75596fe0a583f5f34bc531b826cbfe21a
    SHA256: 3b2543ff099719de49a2907d27d4384b8ddbe4d493d5a147ae6cd5137d64ccbc
    SHA512: 569fd34821e306c08fb885bc354476d4e6c3ce2c46c514461e3542475265f8fb02e32989366505674a91c0fcb4009a84ec57a9472a94ed09009bc4d182c19c70

  • C:\EXTROYAN\Windows\Tedea
    Filesize: 30B
    MD5: ca158e51be6f234185e00e016b1cab56
    SHA1: 9fec6e4ec40641122080d4f90939287ede0c2baf
    SHA256: 9c6710d2995168e8793f24ce284f922764d8fb41b5caf40273c46767017afb54
    SHA512: 67d6414f1615155ad1be3567e6e569830bb2b8cd0d69cea60cdef194bcf0ef8e4d1ba39d30434abebab242c9850ef6c101150ca1009d6f9af2784b3cab3db0c1

  • C:\Users\Admin\AppData\Local\Temp\Timetest
    Filesize: 22KB
    MD5: 1a90e77b7b642e5bb68de024d632f359
    SHA1: 882405d3c6f69040af5d6f35619e6f8955ee5526
    SHA256: be9585ba49f97d3f7cbc832fe7eb730d0dfad024f30fe7e571356c29b39d9d49
    SHA512: 123570229b78c5da87bc48e5c43c4c30af63ef7db3685f0dbf8e9ed1c6883ed4bdbe241cc09620a46d7df019076706906909ace5a4960f7edf7c0efa70edc2bf

  • C:\targets.xls
    Filesize: 20B
    MD5: dc1187cdd2ecc593e027d5e0a22e3136
    SHA1: a7b53cc8bd6a1e2cdd2c50edaece16eccd45c15e
    SHA256: a9b7de9a4a699b745d4ac014f7f6bbe3c84cdc89834caf630a7509d3754e6f1f
    SHA512: 5ee7e518796d4b5c34af36cbf64be6c27807d27e3a5cc8a0068ac7338108cde2460bb4d8db4c7a096129d3145a3a05bc9d06bf7b90ebe50154f1e3bcfbc5195b