Analysis
-
max time kernel
1179s -
max time network
232s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
12-11-2024 19:27
General
-
Target
7cf39ebb4409b13a7c153abff6661cc4d28d8d7109543d6419438ac9f2f1be57.exe
-
Size
443KB
-
MD5
fd5ae61959c9590036881cb809891029
-
SHA1
f930d520913b407ab3cb5d7ecf5ee2a7dca1c071
-
SHA256
7cf39ebb4409b13a7c153abff6661cc4d28d8d7109543d6419438ac9f2f1be57
-
SHA512
2feb832498370c7635d42913a4328b3ba797e67cf6f7cdadc769dd549b251b05f340899229fcf76ccc1f8fe5d1512d769f581079ac06c6459669d536ba1c1fbb
-
SSDEEP
6144:I9LJ4d2DvM1V4LKPx7WlkJhW0lNVel9zXAjqiORKmb+Ylr48ov/P:IIdBrSKPx+T597iOMOTh48ov
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\[HOW_TO_DECRYPT_FILES].html
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 7 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 35 IoCs
-
Modifies registry class 9 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 58 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7cf39ebb4409b13a7c153abff6661cc4d28d8d7109543d6419438ac9f2f1be57.exe"C:\Users\Admin\AppData\Local\Temp\7cf39ebb4409b13a7c153abff6661cc4d28d8d7109543d6419438ac9f2f1be57.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\Ymteg\adde.exe"C:\Users\Admin\AppData\Roaming\Ymteg\adde.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\[HOW_TO_DECRYPT_FILES].html3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2696 CREDAT:275457 /prefetch:24⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\cipher.exe"C:\Windows\System32\cipher.exe" /W:C3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cipher.exe"C:\Windows\System32\cipher.exe" /W:F3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_75159f1b.bat"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic process call create "cmd.exe /c bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & vssadmin.exe delete shadows /all /quiet & net stop vss"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_dd82c767.bat"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_7d6b826d.bat"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: LoadsDriver
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R2⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & vssadmin.exe delete shadows /all /quiet & net stop vss1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\system32\net.exenet stop vss2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop vss3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5890dba67ae466cfb6c54863a1760dbb9
SHA101cc419fa2b99dc821b8721f0693575a3ad446bf
SHA2568f20c5bd39defd7de68d42b82c721125d78a1b2baf30925a48a8cbc58cb29d43
SHA5129afa8c54b8ae46bb58528689ddbdcff5dbd1a950f6d75ff060da68b167edb447a5df52d879d9d1f7860025f9954c6249d8f38b97f9cd410096cadb1f8f6b952b
-
Filesize
342B
MD5b6fb57a9f277a323d6ba5b37b45ce0aa
SHA1de7abe1b009ec06d8bf50a4bb75f3028604ebb72
SHA2561eb4b7c4ab97194fd1750f89728eaee4f3c01299b952f78c7272307835a07785
SHA512a2909370eb797f5357be7d73eeb6ea69fcc6e596442a132be9acf98fdebce6751c3c180872f022fde79c4f87146e353dcc057ec860b6034a20e6139515250ff1
-
Filesize
342B
MD57928e222758d0d9d3c7a7dc64944ee8c
SHA1d52a85208088a77ed0706d23623b57bd03c4037b
SHA25661df7e1b609e1fe66b6bb767294bd43de81ec8368e4f1a37384a9347bdad7d24
SHA5129a074fc8d26cba471a784c11f6d4a59e9159613f6774a83d827f17461c32de411dc2f92e4721e6933705cf9c8bf861bea5bb0f0c0381b57a595e8136bb888230
-
Filesize
342B
MD55ea1279e2f3d2e3b9666025220509ba2
SHA1efac731016bf35f943abb8ce53ceaac703436b34
SHA256e3ffdf3a0e63349cce6f6f181ee7b7ce50509231447e9010ba2484015e490f52
SHA512b26e4fd47054dc62ee9baf9bef8ab80297fa647af14fc4cd723545e21a5c272a61b11a1e6e8915819b4c6cfcd7010d18a14d646dc8778b1cfd50e8c2fc388921
-
Filesize
342B
MD583b5262cf5fc484bebb4b6d986b49d53
SHA1aea0ef47f1e6b9b9ad2fa442c602e07c5d9d1fe0
SHA25651fe7766c429f475b4e9864ee5d35dfd2df6ac8a058b328f1b22a383a83356db
SHA5125f953dec4bdf701b54da1bc2f08e9c9d83af2bac4c3a5978fd02b1f3e6322420f91683687394bc2de7461d3c60b5a8ea656f08989ba8782a83249c2fda9dda8c
-
Filesize
342B
MD550960384a320d928c297939d47cc075e
SHA109bf1185f3f7b0e3ed19b088cba7bd095e4bdca4
SHA2565b7f65143396b262327ee4c432b5bd5d344cca0fc16a8d77f4424f4a90d516ae
SHA51235cb2a7fa0eb682fcdad05327d7e2fd9b23c57fc277017d00ca770fdc1361c6e5b3feb58845e3e757e475a4940da672444cfc41de88162f8a28d71db8be8c5c3
-
Filesize
342B
MD5122f571e557bd3288277f80f6b72d606
SHA1f300631e22e94826955852a6f8198f536e24159a
SHA2560ecbc1a352eb08c2b60ccd9efb3d7d3b68c010a6d5440884e2c77ce6406bdf80
SHA512cbbcebb76f0183c7df061a96af40917ab9d362625cc50321def04062632c19accbc6e3be8b05a675a4679ff9d4c51ed0a3abe5c27bc3b855640f00d9ca0815a0
-
Filesize
342B
MD594fa0802507783027ce952d32252284d
SHA1d099fc2281220826299805dc41faf8f94ac42695
SHA256b6d8c7ded3d9a3be48628640e76e8335759c2beca32469f19ae652ef21010359
SHA5125138f17752d84c87918ff55956c12dc770b80aedd1b1e139327521b017e40ae8e4318b9c701ba3cd537cf173c6ef0642972f8efe866d081a0ff84d0ceff3e6bb
-
Filesize
342B
MD5e5f968f93800af890b7c325dd735a5c7
SHA18920468269ec1183d9e2d601cddff3984c7edac1
SHA256af539db1362f8753ee8fef6c01c90b9d5ff6862b858e097210b223849bfaf04a
SHA512be81e5a52499285a018fa8b8ce2ec308a931f4623db91aabca3d5ff2f88f45c9a1f1f95537026248726614a3f322f78a1f6f63f43d4d888077641ec6d5eccc8d
-
Filesize
342B
MD5a274d65c816ace464b60fe6b18c26442
SHA1650987007d6da7ddd4e8d5ea68c43a4cd51b28dc
SHA256e430558999bffaef49c87eb6496e247096ec736890f71349f7d557c70f0b9bd6
SHA51202d8d991cc2b5877fd0a5ddb6e05635fb4be445e627561ebf339fe34fa77229a777425000fedb9bcfec35c4711bdac0e37c76907798fe78084b825c7455010cb
-
Filesize
342B
MD5f768c1e47610b4e4fb6aea7628163bdf
SHA14820d0b589f584dbaf760fdb16f31fab9a45ebf2
SHA256b84cb27263488ac5cf4e97b56e3b18be7268ef37d4f530a79d645820cf86d8b7
SHA512ff9ba13adcedecbdf922392e7c2f308b556c115478a6fc49ab535c0e9fef2238db0210a303cec13641385899903f606984d46dedfda7a0e793ce26a93819b382
-
Filesize
342B
MD59bb8837e25766f1db891829b86792c48
SHA172f27ecdaa6f518e5ad2ff891aea91d8ae356544
SHA2568c643222ce10cacda9c87040bd7a39bd336755def97a75d905162b91b7fb795f
SHA5129d543ebc3e2deea10ac4966dc797900d15639090e8065c15867f3c2c0294ec447d0b2f5de80a94befb654916bce38b74056a368aa3c8b150916f4db5f3daa015
-
Filesize
342B
MD5587ea684b784e62bd0214936ca77ccb4
SHA192322f7ae84932f40ee1c315dce3c423436b7a96
SHA256d1366d950e97bc8d9f17f0fbd2ed7c9c20bda4d6f52f17929673e58fc5ccf86b
SHA512b5fc31d6dd65c4bc50d555dc555c219709bf610a5db791fda0803d1c24f7854a17fa5b73bca2fb89f082a4135c7743944db95f688c2b3b608120f122fa163bcf
-
Filesize
342B
MD500a25a6dfcdc6e5f71085c7945fe38c3
SHA1026ded109e27964c5e6e533b749baea4013a4c31
SHA25640f9dd4e8eb457f6e4b00ae15a932918a8f658fab70486aa80a2b7cddefe1178
SHA512dfea2de34fef09491d6f9368eb47879ed0abe56e6020aa40aed94fb5a4e13f2862b5a9a6125d1fb1e1ee6c7fe0b5d8b7f7294b42d8f73abc87bb0a7adc277d9b
-
Filesize
342B
MD5ffe12b33e8780727fbd59deaef9731dd
SHA12c1d183093173baa474428d1a7eaa81acb06165f
SHA2562a1c3fa7a6b88d8a0155f29765b9e57a4d0c918bfd2c8e4a8961e05eba839699
SHA512462647150ea4136e4d058666ec2f5e74ed34c17a909bc3f425eb7dcc897cc6cb823735de2d38bcf3d9a9314ef01c30fb330be5fc18c3459fd4a2b0407fe89639
-
Filesize
342B
MD518ed2e2fdf40144e3735f5fc30bba49c
SHA1a9a05c86621cd7afd978fed09e727014d31bf359
SHA256217215c7c111174df621c5b844029762dce55ffcc9d63194bf2a75bf1d035e39
SHA5129ad3bc1c855efcfe57bf486556d9d23369f6e7d9d734aa4317b94467efb4785897a86a428a8bc7e0ec6298b4d24bc816afb0219448b903ce7f6a8a4cd3f7a923
-
Filesize
342B
MD58d54d64f899f6db6454f90d071dea9ca
SHA1d620cf710c5f234b0e7bb623376487d2f50b3015
SHA256fe32057f43e2861af5e40a797df1310c5d3478a9d5558abc8c4f5925f05d80f9
SHA512d45e6a7b2913592586496f31cb2ddbc5381ad6ac3c2269dd93e6238e953c152f40076d4de70bf24178fc5487d854245778abc317c980cb2e080d244671388852
-
Filesize
342B
MD58b8fe0bf5b188ca38b50641ae33efee8
SHA1f74f62666e067298894cf074bdc279d1e2a473ba
SHA256c203e844e837846f164d90a4a5459c64e46f7e25498822dfa3529605b9856275
SHA5120c8b7d585b8e528cbd0b2eb0b6d62075d0ebb14c72a5dd0fa95a25987a51ea913c6ba477a01cfc9711fb22a1f5563d9da694e5d72083156610370466d78c4459
-
Filesize
342B
MD532257eadcdcf61fc1118568bcc8761cb
SHA17a7a663b2eb332359cf5a5ea8f6683fc275dff86
SHA256c0e55bab5c60a814e069738688ade66a7cde5f9749d6f18b92e539120dccd3e3
SHA51235033ea9f0a9423aab14c6ebc739d43ef7e0752dc3c74b60033e56aa7ba2461b55a15e0eb576019089bef33c1ec46cc650dda8f844cad50765d6f41df0a1c9f6
-
Filesize
342B
MD50e7abe2d920eec479c7431e58d088747
SHA19f810eb1cc0031c5f6b0cf2626decd1a9dee43a5
SHA256fd02de9249a17545941094a18765d51773683192676cca62e375bd9de6093431
SHA51226acf700cd8e3a86cd9958727fbe579ee46b47b4bd112ba3a0543951c7cff4af1b24411e47ce4b34f982e3ff8e24d5d81e3b03b4e85fe44278f36a0cc3e2e976
-
Filesize
8KB
MD5fe28ed2aa28a50df5174f9928f7ede95
SHA1c501737e06f3fab2abb52861fe67d730b937ef3b
SHA2564e5fd461c29450cb701d7286f09fcecb8e5b163b362ce8f4d2ddb96ce78bbf33
SHA5128a2849fed2e7518e5704b4ed687f63357b7c0b964b60cbba6f334c432e8170a09bc4c9f5ab110319967516389c3801e7801398f5252ed2ca1ac33d6a9463602b
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
278B
MD5d4dab16676c503e84f8a09b377cc6fe0
SHA10055f3b82c7b6df183c07b944f8cd280ace42086
SHA25616646eb1fb40ae9eb42433414713ae6149ee17a83d18957af899df1fa8f3465a
SHA51204f500b2c5a75e942a6b2e85f6cc8652159ffe28f8f0f62638fdfb5d5986334516a4e06273b9d3737e04dad7e5aac2c65bef9b5b9031dd0b547c0de0740fa4c9
-
Filesize
308B
MD55e0252b89d082c9d4b6a999211820184
SHA12edcccf84d0ac4518d4e5bab3789708249b6be99
SHA2564f672ff068dfdd06c71bfa02e33aab35f7c198eb752c23ef6c80f4b22b150ed0
SHA5122e7d372d9b9815b4404df10250c09858d4a032197db408c428caf753b79c39e566c843c775952f0c30dc66949362a041a9e00195b46590395728a3dc47dac1df
-
Filesize
181B
MD55396c18f491c40b50b42a23b486c120e
SHA16b3b9faf5754bdffbed48d47b2e35b4a89ef7ea7
SHA256647edd46f1275f8ed84806cdef2c2f9890f4a0204a489364aafddf88cdc6f6ce
SHA51241ec7e286836798355c50ac5a4cb251da8aaa6917c6bf7ce206260019e5b7b19bc7e762b129858d626f3a1838e9edea7d3940f7dc3d0d7ac1363570b3f615ff3
-
Filesize
443KB
MD5fd5ae61959c9590036881cb809891029
SHA1f930d520913b407ab3cb5d7ecf5ee2a7dca1c071
SHA2567cf39ebb4409b13a7c153abff6661cc4d28d8d7109543d6419438ac9f2f1be57
SHA5122feb832498370c7635d42913a4328b3ba797e67cf6f7cdadc769dd549b251b05f340899229fcf76ccc1f8fe5d1512d769f581079ac06c6459669d536ba1c1fbb
-
Filesize
2KB
MD54181903ca4d55a5bde27c5edaa23e71f
SHA136465683557a02398850e5b67846bf64f76061a7
SHA256152c6354db1ae8792726b469cee27b974fa18ffb8116a8a46055f354b2147f20
SHA512fa6af301fed8207bd88689a7e783ea2e04aab3a67734b4b99def30ad6c0a3ef4c4013771505b5199b915e1d3fdd6fe085fed835318033e8a33c2fafc3188f385
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
324KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
4KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
324KB