Overview

overview

10

Static

static

10

0845a8c3be...94.exe

windows7-x64

9

0845a8c3be...94.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 20:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe

  • Size

    146KB

  • MD5

    33228a20a7e985f02e2ddd73cccde729

  • SHA1

    58ab960e629a609d135e1988c72f2991e5f76e30

  • SHA256

    0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194

  • SHA512

    075002dd1b0f8e536c1ff99d30368f5adfc90a2f3e7a74c9770119e7b54a5851236657b7edcb735d457e78a7e67b7c285b6ceaa6ca2907542ac208dfc8c9aabe

  • SSDEEP

    3072:36glyuxE4GsUPnliByocWepqFPUBwrqveV84:36gDBGpvEByocWe8MB4G

Score
9/10
defense_evasiondiscoveryransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (341) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe
    "C:\Users\Admin\AppData\Local\Temp\0845a8c3be602a72e23a155b23ad554495bd558fa79e1bb849aa75f79d069194.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\ProgramData\537D.tmp
      "C:\ProgramData\537D.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1120
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\537D.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:624
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:2796

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini
      Filesize

      129B

      MD5

      7703d9be3ab1f0bd351220d20840e2e9

      SHA1

      3ac1eb87dd2a9fb1a14022182fcfc8a7afa48249

      SHA256

      ba09084d4c6a0436ecd151875af36c006945392393dd638f602dd0fbc004f269

      SHA512

      98a38dd950f4e725a970e5bf3dbec0518d00268511dc0babc16b4c0a81bff0581409ea0d81b5eb444d2c2f60f3b0f72a3f6e05bbc2845c6216c6928b3434b4f6

      Download Submit

    • C:\AFfGduKAp.README.txt
      Filesize

      388B

      MD5

      8ab02fa258c4a37f117d291ea2961749

      SHA1

      ab4233853da5b1f0607fb7dd960a4074a5932f57

      SHA256

      d06a43337366deab4b78bcf85ba92efb705a0e8391198367091d3e6ad16d036d

      SHA512

      a3f8c6c1aada2584214deb6fc9dc4ffed3a3650f5cf839276bb826e047ad545f981b8873a0a2b58191ee3d1f4e7fbdb148dfc5df3591b9c55e36351327a27cd4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
      Filesize

      146KB

      MD5

      96270d5f3031c08ea788f56085b6c2ac

      SHA1

      cb94a7b402222e7a4666a48b7853b96694c0c880

      SHA256

      858b24aa1b44193550a9d717dbc96f00b260e79017e130b8578440ab3fc31618

      SHA512

      d393fcaa4882181d33e8a9ddf8908adf5451845c36a5ef3cd85c51db3dbe3f431aa3595e2fa345af7bf3c478c1e9ab4e6e0982c107dc6e3a2490055735005d82

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1163522206-1469769407-485553996-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      53bd1545ff5e6c696e9022c2aa35c68d

      SHA1

      29ab7aa6d8c5dfa519bbadc4637bd184b41d5638

      SHA256

      c0ace879f796f550461360e48db63289e37dbda678ef56aee5a283ccae087eb9

      SHA512

      340af14f0bf8da6227c11d30327005b671bfe4493081761514630c3f1ebd43a97ca9f69e58712a9c6e46e6ae11e52666ffcedb6cf43912c80ce7816cbca3158c

      Download Submit

    • \ProgramData\537D.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • memory/1120-875-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1120-873-0x0000000000240000-0x0000000000280000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1120-872-0x0000000000240000-0x0000000000280000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1120-871-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1120-874-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1120-905-0x000000007EF60000-0x000000007EF61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1120-904-0x000000007EF40000-0x000000007EF41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2800-0-0x0000000000070000-0x00000000000B0000-memory.dmp

      Filesize

      256KB

      Download