renamer | 0e4e50cd144c54ef6eaae2464d15977f3b60b2001118cfe6392731ccc671137c | Triage

Submit
Reports

Overview

overview

Static

static

3

7b13d92a5b...18.exe

windows7-x64

7

7b13d92a5b...18.exe

windows10-2004-x64

Sharing

General

Target

7b13d92a5bfc7ee0ee5d9c86eb07ce23_JaffaCakes118
Size

1.2MB
Sample

241028-3hg93sxpbt
MD5

7b13d92a5bfc7ee0ee5d9c86eb07ce23
SHA1

c2f5566d2a142388b9b7887c6e86ad9c619f8003
SHA256

0e4e50cd144c54ef6eaae2464d15977f3b60b2001118cfe6392731ccc671137c
SHA512

9e824a2ea95ffae8da28ec88ca6288250681a6064b8ac61210d12382f798121466d688ded6d18add1ddb85463a793d7b92cd97b13369598d832a1f6138600de1
SSDEEP

24576:Rj/ZAILiXtDtrn+LCHVYmpRqQYAe9GIdUfd40Qb4B/cWy52:RT+gibn++HV3pcQY7bdU1Qu/BM2

Score

10^/10

renamer discovery persistence worm

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

7b13d92a5bfc7ee0ee5d9c86eb07ce23_JaffaCakes118.exe

Resource

win7-20240903-en

discovery persistence

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

7b13d92a5bfc7ee0ee5d9c86eb07ce23_JaffaCakes118.exe

Resource

win10v2004-20241007-en

renamer discovery persistence worm

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  7b13d92a5bfc7ee0ee5d9c86eb07ce23_JaffaCakes118
- Size
  
  1.2MB
- MD5
  
  7b13d92a5bfc7ee0ee5d9c86eb07ce23
- SHA1
  
  c2f5566d2a142388b9b7887c6e86ad9c619f8003
- SHA256
  
  0e4e50cd144c54ef6eaae2464d15977f3b60b2001118cfe6392731ccc671137c
- SHA512
  
  9e824a2ea95ffae8da28ec88ca6288250681a6064b8ac61210d12382f798121466d688ded6d18add1ddb85463a793d7b92cd97b13369598d832a1f6138600de1
- SSDEEP
  
  24576:Rj/ZAILiXtDtrn+LCHVYmpRqQYAe9GIdUfd40Qb4B/cWy52:RT+gibn++HV3pcQY7bdU1Qu/BM2
Score

10^/10

discovery persistence renamer worm
- Detects Renamer worm.
  Renamer aka Grename is worm written in Delphi.
- Renamer family
  renamer
- Renamer, Grenam
  Renamer aka Grenam is a worm written in Delphi.
  worm renamer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Replication Through Removable Media

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoverypersistence

behavioral2

renamerdiscoverypersistenceworm

© 2018-2024

Terms | Privacy