Overview

overview

10

Static

static

10

0c3b09213f...3c.exe

windows7-x64

8

0dab0428b4...50.exe

windows7-x64

10

14d09a259f...32.exe

windows7-x64

10

16c49d6775...56.exe

windows7-x64

7

1d241bd0b7...f4.exe

windows7-x64

9

2.exe

windows7-x64

6

287a6b75d1...ad.exe

windows7-x64

10

35b0676421...82.exe

windows7-x64

10

39deb2f02f...9f.exe

windows7-x64

8

4.exe

windows7-x64

7

4a0f399840...33.exe

windows7-x64

10

5.exe

windows7-x64

8

53bdaf567e...fc.exe

windows7-x64

7

6.exe

windows7-x64

5

646677375b...36.exe

windows7-x64

9

6dfb9490b1...f8.exe

windows7-x64

6

7.exe

windows7-x64

10

71a20e2700...db.exe

windows7-x64

3

835b0ef8f5...35.exe

windows7-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

b15b78937c...ac.exe

windows7-x64

7

$PLUGINSDIR/INetC.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

b3dc1bb1c7...1b.exe

windows7-x64

5

b4e3091d31...81.exe

windows7-x64

10

c1b35d3d70...c3.exe

windows7-x64

10

caa5f52a78...78.exe

windows7-x64

10

d2878de61f...0b.exe

windows7-x64

7

dbadeff4af...30.exe

windows7-x64

10

f5d893afc4...e9.exe

windows7-x64

9

Analysis

  • max time kernel
    51s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 13:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    646677375bc0ecaad279751d8d09220d5d44e20570548f8475f36803affda636.exe

  • Size

    285KB

  • MD5

    0dd4bcb59beff511516725118e7b2f80

  • SHA1

    db47da18c18d029d52d652643d41a54b5251cb1b

  • SHA256

    646677375bc0ecaad279751d8d09220d5d44e20570548f8475f36803affda636

  • SHA512

    4ecc53bd201cadedd413fa36eb5879fbe954400f8e2f69d74a44b5c15e53b9cb9ef3afc53f5d699b89a970e223482beddb3c9efa2dddb1a57ca1aa60e4695f85

  • SSDEEP

    6144:Ikio1/AqFDgwMo2jmRA30Ieyj+8qUyJbF7F6s9uArvGGNGY6xx+xO:Iq1BDgSjRKxeyDktFbi

Score
9/10
defense_evasiondiscoveryexecutionimpactransomware

Malware Config

Signatures

  • Contacts a large (7701) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\646677375bc0ecaad279751d8d09220d5d44e20570548f8475f36803affda636.exe
    "C:\Users\Admin\AppData\Local\Temp\646677375bc0ecaad279751d8d09220d5d44e20570548f8475f36803affda636.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies data under HKEY_USERS
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Users\Admin\AppData\Local\Temp\646677375bc0ecaad279751d8d09220d5d44e20570548f8475f36803affda636.exe
      "C:\Users\Admin\AppData\Local\Temp\646677375bc0ecaad279751d8d09220d5d44e20570548f8475f36803affda636.exe" g
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of UnmapMainImage
      PID:2540
    • C:\Windows\SysWOW64\vssadmin.exe
      "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2760
    • C:\Windows\SysWOW64\vssadmin.exe
      "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:1592
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2296
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\!Recovery_MLk.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2964
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2964 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2884

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4d4f9126b8fd786c529c98581708f1e2

    SHA1

    e7ca8dba441260866d687073727d2d136bf80110

    SHA256

    af24163092212dec369b7eb288dcde99e030d531a7267b821fde26d323947118

    SHA512

    de2cfa83a840fbdf79b7a864a9a6ea4cf54577d8cc63575b95ac7f20a1f39a32215ec5d0b131773938075a8bb4995a2a56275e12d7d33a44ec93c19787f5fc38

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    046771883f7f647f2d8bd99b7adad474

    SHA1

    6a3f71c60d90ba336765ad92c7f2d51f517d1e3a

    SHA256

    405d8d7188fc996c56abbec13a3603db6d4777407a6dea839705bcc9d78d2112

    SHA512

    5b61402800f91cb2b77645a88be9e3650e6c3cdcf01be13414da00379b6c069408886ee3c25e106364833e3d39ab3eaf1ca0496e6a836d92d080c51833c42e11

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    dbd586e210eb3cca80c767ba56a9b4bf

    SHA1

    1b686e787d3e663569b22929280d54c1bda87312

    SHA256

    0d5a491f2a469bb14c91fa78bdfc147e0aff4f48232c7c67ce42141504116d00

    SHA512

    998a278ce5e8d4ef3f01f0cbccae7281055c900446b1f5a2abad573c8e0a344cae0f525afd4e0e1814abab147cee67a99255545c22b33ad9f34c6008772ee29e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4fad20bcae3ef5f84039a9ab71b68cd9

    SHA1

    681c3c96f061e46471cd745b36692b2815192cbd

    SHA256

    216b541d9fd1484d9143d2429dabc379e74b50de00513a18247fe49675306b00

    SHA512

    5356c11799102a33b15bcb2c90b707512a0dffde165480ff07ed258a4cf0fc867a9602fb9927fb0a3a5fe18ff8e8803d05bf49e852549faeb461dd583fa583de

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    513dce7936eff5c608b0cc156b9c69d9

    SHA1

    32f2c2c78181369427b442dad16045c0f1a25dda

    SHA256

    01cb9d799701aa0b0feb090206401c999b5c706d2234873e40c0d78dd1200f23

    SHA512

    718ed66f513146ca5790cfff0851994788548ca456ed35e8c6e4fbeec7d25d4709eac3a8e63847327acfcb9a0a2a064ece6f2c4db73aa257027cc65837e62067

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    32b00d14b38c1daa2f726025727cd90b

    SHA1

    1099dd77754478c254579e5a4168dfde72d20a04

    SHA256

    97e8c9bd03f062de60151a65fcdee71828e205eb8a90cf0000bfa0bb5020a6ac

    SHA512

    f488365d0fdd700555e6e1228c6867b9c0e617ba7c338f659a2e832a9a964f0529d439935b5d06e23e95d34c2879ed5b491fedd6d2f4553bb25c9060ab1f0ce1

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    7c976be26e8b57e59730352b58869c1f

    SHA1

    41d8195b4f237c7ff42982d4fc22d2dfddc211c8

    SHA256

    d347af0eafa3764a1f2a80967458b2140a65bd5242667fc9ced56ed376a0288d

    SHA512

    dc7d170b5c267fe21028c31b235c1eb1ef12dbdad8d427ba02cf66981e1d916de74c9812d9ea7fa62257af958b00bb1e3a686ffa399bc4e990110a4f384d15a1

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    bd4cb84c1b2fe61229eaa8c12f2e70ea

    SHA1

    15730a73cd2c0ad1334125dd08f3d253aa0ff989

    SHA256

    bd193992feb5059374f969fe7975ca0e91ccd29a72013f5d4d7fefe970306e65

    SHA512

    0cd9c779362ce72433d006b75dad6124715601631fa499d0a50afd9f38d45ed73001a7adf0e9265dbaa9b1699011f7a47a56ec689a80d30e94faed395bc3c651

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    7cff6bfbe87fceb262a2b421813011a3

    SHA1

    381cf93dbee4de97d06e7aa4fbd907fcba317322

    SHA256

    ba71f770676f9e68b8db29677407ad2e7ab13283c1f50698b3624201ccc8fdeb

    SHA512

    46f6205ef42d51d3a01fb8bd86eb4fcd58849552af3e227ff0addc2b326fd1c4a44c221c9b236d1f933057310f8b2a72131ccbdb4e290a95bb36f02667ddf412

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab5044.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar5122.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\Music\!Recovery_MLk.html
    Filesize

    8KB

    MD5

    695abcb7a397371b5b8301ee57ccc7d5

    SHA1

    8298ad5879bbd12ddfd03b4774949c88893707a7

    SHA256

    042b2a1a0d2108ed24cc3a826ca8cfba2126937526d9bf6686dec35dfbce54dd

    SHA512

    e6e1b04f6c75e1ec6fd7a2cab0f4bcd977f336e2e3b16e00a49c6bcb940ffafc8779740532ba5719697228ded986fe47136d38d9b5701820b35dc43e17a3cb66

    Download Submit

  • F:\!Recovery_MLk.html
    Filesize

    8KB

    MD5

    62db4ea10450a56a348d755d8b20ad55

    SHA1

    417cc3e90430131e63b978aa6dce4d846e4a09c6

    SHA256

    99f87096426a2a129f78da9dc1cd6a103e7ffd69ba1fa2af2319b05e0e9638f4

    SHA512

    d4fb003a3e15f326d11dcd7d266e44947db3b9527a5ee5417bec3f70509b1447cdadc6a1e3af17c0a2006c7785ad2f75edbdfc3d6b2ae30a3618d011758465e8

    Download Submit

  • memory/2540-14-0x0000000000260000-0x0000000000264000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2540-13-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2540-12-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2540-11-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2540-20-0x0000000000260000-0x0000000000264000-memory.dmp

    Filesize

    16KB

    Download

  • memory/3012-10-0x0000000000370000-0x00000000003F2000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-23-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3012-22-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3012-21-0x0000000002060000-0x0000000002070000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3012-18-0x0000000000260000-0x0000000000264000-memory.dmp

    Filesize

    16KB

    Download

  • memory/3012-19-0x0000000000290000-0x00000000002A4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3012-0-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-8-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3012-6-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3012-5-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3012-3-0x0000000000260000-0x0000000000264000-memory.dmp

    Filesize

    16KB

    Download

  • memory/3012-4-0x0000000000290000-0x00000000002A4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3012-1-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download

  • memory/3012-2-0x0000000000400000-0x0000000000482000-memory.dmp

    Filesize

    520KB

    Download