Overview

overview

10

Static

static

10

The-MALWAR...om.exe

windows7-x64

10

The-MALWAR...om.exe

windows11-21h2-x64

10

The-MALWAR...nt.exe

windows7-x64

The-MALWAR...nt.exe

windows11-21h2-x64

The-MALWAR...ot.exe

windows7-x64

The-MALWAR...ot.exe

windows11-21h2-x64

The-MALWAR...re.exe

windows7-x64

7

The-MALWAR...re.exe

windows11-21h2-x64

7

The-MALWAR...ry.exe

windows7-x64

10

The-MALWAR...ry.exe

windows11-21h2-x64

10

The-MALWAR...0r.exe

windows7-x64

10

The-MALWAR...0r.exe

windows11-21h2-x64

10

The-MALWAR...as.exe

windows7-x64

1

The-MALWAR...as.exe

windows11-21h2-x64

3

The-MALWAR...ou.exe

windows7-x64

1

The-MALWAR...ou.exe

windows11-21h2-x64

3

The-MALWAR...MZ.exe

windows7-x64

6

The-MALWAR...MZ.exe

windows11-21h2-x64

6

The-MALWAR...er.exe

windows7-x64

3

The-MALWAR...er.exe

windows11-21h2-x64

The-MALWAR...LL.exe

windows7-x64

1

The-MALWAR...LL.exe

windows11-21h2-x64

1

Analysis

  • max time kernel
    18s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    24-10-2024 01:24

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    The-MALWARE-Repo-master/Ransomware/RedBoot.exe

  • Size

    1.2MB

  • MD5

    e0340f456f76993fc047bc715dfdae6a

  • SHA1

    d47f6f7e553c4bc44a2fe88c2054de901390b2d7

  • SHA256

    1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887

  • SHA512

    cac10c675d81630eefca49b2ac4cc83f3eb29115ee28a560db4d6c33f70bf24980e48bb48ce20375349736e3e6b23a1ca504b9367917328853fffc5539626bbc

  • SSDEEP

    24576:/4GHnhIzOasqUgEOr69/BRH7dCibu+XoAX0eOTva49ttrSpt81ekHPyWe:AshdasJgEOrGBRxCihH7OO49rveMG

Score
9/10
bootkitdiscoverypersistenceransomwareupx

Malware Config

Signatures

  • Renames multiple (147) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Ransomware\RedBoot.exe
    "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Ransomware\RedBoot.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Users\Admin\62374313\protect.exe
      "C:\Users\Admin\62374313\protect.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2832
    • C:\Users\Admin\62374313\assembler.exe
      "C:\Users\Admin\62374313\assembler.exe" -f bin "C:\Users\Admin\62374313\boot.asm" -o "C:\Users\Admin\62374313\boot.bin"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2908
    • C:\Users\Admin\62374313\overwrite.exe
      "C:\Users\Admin\62374313\overwrite.exe" "C:\Users\Admin\62374313\boot.bin"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:2560
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:708
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x520
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2392
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1160

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\62374313\assembler.exe
        Filesize

        589KB

        MD5

        7e3cea1f686207563c8369f64ea28e5b

        SHA1

        a1736fd61555841396b0406d5c9ca55c4b6cdf41

        SHA256

        2a5305369edb9c2d7354b2f210e91129e4b8c546b0adf883951ea7bf7ee0f2b2

        SHA512

        4629bc32094bdb030e6c9be247068e7295599203284cb95921c98fcbe3ac60286670be7e5ee9f0374a4017286c7af9db211bd831e3ea871d31a509d7bbc1d6a3

        Download Submit

      • C:\Users\Admin\62374313\boot.asm
        Filesize

        825B

        MD5

        def1219cfb1c0a899e5c4ea32fe29f70

        SHA1

        88aedde59832576480dfc7cd3ee6f54a132588a8

        SHA256

        91e74c438099172b057bedf693d877bd08677d5f2173763986be4974c0970581

        SHA512

        1e735d588cb1bb42324eaff1b9190ec6a8254f419d1ba4a13d03716ff5c102a335532b573a5befb08da90586e5670617066564ef9872f8c415b9a480836df423

        Download Submit

      • C:\Users\Admin\62374313\boot.bin
        Filesize

        512B

        MD5

        90053233e561c8bf7a7b14eda0fa0e84

        SHA1

        16a7138387f7a3366b7da350c598f71de3e1cde2

        SHA256

        a760d8bc77ad8c0c839d4ef162ce44d5897af6fa84e0cc05ecc0747759ea76c2

        SHA512

        63fda509cd02fd9d1374435f95515bc74f1ca8a9650b87d2299f8eee3a1c5a41b1cb8a4e1360c75f876f1dae193fdf4a96eba244683308f34d64d7ce37af2bb4

        Download Submit

      • C:\Users\Admin\Documents\ReceiveRemove.xlsx.locked
        Filesize

        12KB

        MD5

        129c8bac5fcdfb8b06339e86fa7c1309

        SHA1

        2b94b05e30506904028ed10fd552d5298b5c0df4

        SHA256

        0fe1e2183c9e18b8f6f2f7a2bd0c8ab19ed97d8d42f5036fc30e3726d8dcf44b

        SHA512

        a4dae06d77eb541f354412b77a9bf670c3ed9ed7be3796f57edf67de1edb2ee4174d7328912a31952845fdba370f5a92669500e8f7d82819d699fa353931c4f3

        Download Submit

      • \Users\Admin\62374313\overwrite.exe
        Filesize

        288KB

        MD5

        bc160318a6e8dadb664408fb539cd04b

        SHA1

        4b5eb324eebe3f84e623179a8e2c3743ccf32763

        SHA256

        f2bc5886b0f189976a367a69da8745bf66842f9bba89f8d208790db3dad0c7d2

        SHA512

        51bc090f2821c57d94cfe4399b1f372a68d2811ea0b87d1ac1d6cf8ae39b167038ac21c471b168f1d19c6b213762024abb7e9e5ca311b246b46af0888289e46c

        Download Submit

      • \Users\Admin\62374313\protect.exe
        Filesize

        837KB

        MD5

        fd414666a5b2122c3d9e3e380cf225ed

        SHA1

        de139747b42a807efa8a2dcc1a8304f9a29b862d

        SHA256

        e61a8382f7293e40cb993ddcbcaa53a4e5f07a3d6b6a1bfe5377a1a74a8dcac6

        SHA512

        9ab2163d7deff29c202ed88dba36d5b28f6c67e647a0cadb3d03cc725796e19e5f298c04b1c8523d1d1ee4307e1a5d6f8156fa4021627d6ca1bbd0830695ae05

        Download Submit

      • memory/708-198-0x00000000029C0000-0x00000000029C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1244-0-0x00000000009B0000-0x0000000000C3E000-memory.dmp

        Filesize

        2.6MB

        Download

      • memory/1244-197-0x00000000009B0000-0x0000000000C3E000-memory.dmp

        Filesize

        2.6MB

        Download

      • memory/2560-48-0x0000000000400000-0x000000000043E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/2908-38-0x0000000000400000-0x000000000049B000-memory.dmp

        Filesize

        620KB

        Download