Analysis

  • max time kernel
    61s
  • max time network
    59s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-11-2024 17:58

General

  • Target

    RNSM00326.7z

  • Size

    155KB

  • MD5

    57744ec3c17169dc996f48d24c6f400c

  • SHA1

    e25a3e0259d58e7553a6e23e34b95a85bf3e4397

  • SHA256

    af262121bcb7ad1a7a17c43ad57bf9febd4f01040841bc7a68f9ee25b2ad4ca8

  • SHA512

    03c2d914ba0f0e34b274cbb8f34925082ddf9d0543f8c45eba9a25539a443da010689c69ea3578a0961be59c6fef82470ee93f7201cf687c0ad0bfb5554ffbb3

  • SSDEEP

    3072:OYDBuBp0RacWMmqdWAPaOiIH9fFFtxNT4qgaOPZBqh50Z5VNw5o:59umacX17xT4qga0Bqhe5e5o

Malware Config

Signatures

  • Renames multiple (101) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 45 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00326.7z"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2212
  • C:\Users\Admin\Desktop\00326\HEUR-Trojan-Ransom.Win32.Agent.gen-2f40011df85d75556816ac944d805b6313da44c73c80778af62be5727c005811.exe
    "C:\Users\Admin\Desktop\00326\HEUR-Trojan-Ransom.Win32.Agent.gen-2f40011df85d75556816ac944d805b6313da44c73c80778af62be5727c005811.exe"
    1⤵
    • Executes dropped EXE
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Users\Admin\AppData\Local\Temp\T7ZKpCH7hbtSXNvQdiNXjUwKyT4lfFgR.exe
      "C:\Users\Admin\AppData\Local\Temp\T7ZKpCH7hbtSXNvQdiNXjUwKyT4lfFgR.exe"
      2⤵
      • Executes dropped EXE
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Suspicious use of FindShellTrayWindow
      PID:852
  • C:\Users\Admin\Desktop\00326\HEUR-Trojan-Ransom.Win32.Generic-eebac7795eb25070116802292a26962fb080356f49eb0865af34365330e28936.exe
    "C:\Users\Admin\Desktop\00326\HEUR-Trojan-Ransom.Win32.Generic-eebac7795eb25070116802292a26962fb080356f49eb0865af34365330e28936.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Users\Admin\Desktop\00326\HEUR-Trojan-Ransom.Win32.Generic-eebac7795eb25070116802292a26962fb080356f49eb0865af34365330e28936.exe
      "C:\Users\Admin\Desktop\00326\HEUR-Trojan-Ransom.Win32.Generic-eebac7795eb25070116802292a26962fb080356f49eb0865af34365330e28936.exe"
      2⤵
      • Executes dropped EXE
      PID:1812
  • C:\Users\Admin\Desktop\00326\Trojan-Ransom.Win32.Foreign.cvjo-7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e.exe
    "C:\Users\Admin\Desktop\00326\Trojan-Ransom.Win32.Foreign.cvjo-7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Users\Admin\Desktop\00326\Trojan-Ransom.Win32.Foreign.cvjo-7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e.exe
      "C:\Users\Admin\Desktop\00326\Trojan-Ransom.Win32.Foreign.cvjo-7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:580
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Users\Admin\AppData\Local\Temp\vowetyrjpa.pre
          C:\Users\Admin\AppData\Local\Temp\vowetyrjpa.pre
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2984
          • C:\Users\Admin\AppData\Local\Temp\vowetyrjpa.pre
            C:\Users\Admin\AppData\Local\Temp\vowetyrjpa.pre
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2404
            • C:\Windows\SysWOW64\ctfmon.exe
              ctfmon.exe
              6⤵
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              PID:2948
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SendNotifyMessage
    PID:2316

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\T7ZKpCH7hbtSXNvQdiNXjUwKyT4lfFgR.exe

    Filesize

    14KB

    MD5

    f5289f5e2b26356e63f90a07055d3394

    SHA1

    b45c93ff2db91b192698d9ac7b6bcabdc6857e3b

    SHA256

    b7b4a5f4a857b3ae0c9bdd64f5408d562657bf6d993003f50b5d39094dcf476b

    SHA512

    174c21ed3db973b5fa813950ac436294850e0791a74f945a99bb283a3516ab9eaf2e93b214b4ccb0c0dec131a292e9aea2cde45ba735d5e9d65077f6cf0c8e0d

  • C:\Users\Admin\Desktop\00326\HEUR-Trojan-Ransom.Win32.Agent.gen-2f40011df85d75556816ac944d805b6313da44c73c80778af62be5727c005811.exe

    Filesize

    58KB

    MD5

    e76eca2f7d0450c84417a8ac242b424c

    SHA1

    abdb8a43a6d0bf9c60d9cd4223da787c33b341bb

    SHA256

    2f40011df85d75556816ac944d805b6313da44c73c80778af62be5727c005811

    SHA512

    242f6e558fbe5dff48f9ca4776ffe58042741c9569d6b26ef45029dd035b1c61f5ef871d5d1645326fd816a8ef31baf1edac0e55cc4612e6d374bf834c144fa6

  • C:\Users\Admin\Desktop\00326\HEUR-Trojan-Ransom.Win32.Generic-eebac7795eb25070116802292a26962fb080356f49eb0865af34365330e28936.exe

    Filesize

    134KB

    MD5

    7043a9b4fd3687dd2ef2e18fd2d53e92

    SHA1

    ca0dc27097aab46d75876793f2dc94d8cc157ec1

    SHA256

    eebac7795eb25070116802292a26962fb080356f49eb0865af34365330e28936

    SHA512

    e9ab84d1c2991a4ba4e0fb009f3ed47b73641461564fbd5a886303f3fcca6db5b628fb0c8e6a9bab7b59c52263870ebd60fa7c79e994a810a9edc86673c390c8

  • C:\Users\Admin\Desktop\00326\Trojan-Ransom.Win32.Foreign.cvjo-7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e.exe

    Filesize

    102KB

    MD5

    1b2d2a4b97c7c2727d571bbf9376f54f

    SHA1

    1fc29938ec5c209ba900247d2919069b320d33b0

    SHA256

    7634433f8fcf4d13fb46d680802e48eeb160e0f51e228cae058436845976381e

    SHA512

    506fc96423e5e2e38078806591e09a6eb3cf924eb748af528f7315aa0b929890823798a3ef2a5809c14023c3ff8a3db36277bc90c7b099218422aafa4e0c2ee0

  • C:\Users\Admin\Documents\ImportRedo.xlsx.donut

    Filesize

    10KB

    MD5

    19768692b439104395d97c7556931ad7

    SHA1

    5cde1a8e12d2b80d46164ba8f31cf4e29af686f3

    SHA256

    6320e4c6e078eaa712948f3da51aea443cc70e759daaea4215b532d3f9f39681

    SHA512

    da7874402c6a995405e0a4c93d3c6225d324fd16a05b5105a2ed9c6a343dd08d27a4326f4c6cc70d752532f0fb629a97f42e18e131ed41f114b6d641186f043c

  • C:\Users\Admin\Documents\decrypt.txt

    Filesize

    400B

    MD5

    97595afa89a4d8adb619ab8f6332a4ba

    SHA1

    a9d230166a8f1d1ce5dc144d9cb4e612867770ca

    SHA256

    16f9b995526bcfb6f5d4c714ceea9188224fdc00ef250aca848793b3a85bb20f

    SHA512

    58f18f2eed1d589cd912ed91da6cba6daf11277880d2469900b507cb65d46b31578cc188aad2a6a980c40c7fc4cea1952b3d5aa1df9d4bf86a5861f94a7b27e3

  • memory/580-152-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/580-147-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/580-148-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/580-146-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/580-143-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/580-141-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/580-139-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/580-137-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/1740-151-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

    Filesize

    56KB

  • memory/1740-149-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

    Filesize

    56KB

  • memory/1740-175-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

    Filesize

    56KB

  • memory/1812-76-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/1812-77-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/1812-74-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/2316-163-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/2316-164-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/2316-190-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/2404-178-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2948-181-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

    Filesize

    56KB

  • memory/2948-184-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

    Filesize

    56KB

  • memory/2948-189-0x000000007EFA0000-0x000000007EFAE000-memory.dmp

    Filesize

    56KB