7e7c00740baa58af22ef6f825d86344732464a4e325b5eb6f93f33898de079fa

Analysis

max time kernel
1165s
max time network
862s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

516874.exe
Size

1.2MB
MD5

9a60890fc062d10d826c31d049706ab7
SHA1

3ae8d97461fb08c4327431c0589322e3cbb1e3de
SHA256

c89944f9ec704c2b8da3a1acf726699022e7c68334110f72007d762217a9a4a5
SHA512

03de8351ab6ab1e46c4f1792f4caeeaaee4b8a18b407839c1697890032aa813cae9174e1a27cb582ef5286be0b47d23966a71e0b740feb6b1814137b779fcdcc
SSDEEP

24576:DDSANUv0/NUvKLpkr2dY/aBcjJOBHOBIQBajMtWvoJiLE1+XgRKz89G/4ZSb0FuH:T80/8KLpkr2dY/aBcjJOBHOBIQBajMtA

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2020	nRansom.exe

Loads dropped DLL 4 IoCs

pid	Process
2020	nRansom.exe
2020	nRansom.exe
2020	nRansom.exe
2020	nRansom.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	nRansom.exe
File opened (read-only)	\??\L:	nRansom.exe
File opened (read-only)	\??\M:	nRansom.exe
File opened (read-only)	\??\O:	nRansom.exe
File opened (read-only)	\??\S:	nRansom.exe
File opened (read-only)	\??\Z:	nRansom.exe
File opened (read-only)	\??\R:	nRansom.exe
File opened (read-only)	\??\U:	nRansom.exe
File opened (read-only)	\??\G:	nRansom.exe
File opened (read-only)	\??\H:	nRansom.exe
File opened (read-only)	\??\I:	nRansom.exe
File opened (read-only)	\??\J:	nRansom.exe
File opened (read-only)	\??\K:	nRansom.exe
File opened (read-only)	\??\Q:	nRansom.exe
File opened (read-only)	\??\V:	nRansom.exe
File opened (read-only)	\??\A:	nRansom.exe
File opened (read-only)	\??\N:	nRansom.exe
File opened (read-only)	\??\X:	nRansom.exe
File opened (read-only)	\??\B:	nRansom.exe
File opened (read-only)	\??\P:	nRansom.exe
File opened (read-only)	\??\T:	nRansom.exe
File opened (read-only)	\??\W:	nRansom.exe
File opened (read-only)	\??\Y:	nRansom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	516874.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nRansom.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2020	nRansom.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2020	nRansom.exe
Token: SeIncBasePriorityPrivilege	2020	nRansom.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2368	2344	516874.exe	31
PID 2344 wrote to memory of 2368	2344	516874.exe	31
PID 2344 wrote to memory of 2368	2344	516874.exe	31
PID 2344 wrote to memory of 2368	2344	516874.exe	31
PID 2368 wrote to memory of 2020	2368	cmd.exe	33
PID 2368 wrote to memory of 2020	2368	cmd.exe	33
PID 2368 wrote to memory of 2020	2368	cmd.exe	33
PID 2368 wrote to memory of 2020	2368	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\516874.exe
"C:\Users\Admin\AppData\Local\Temp\516874.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D317.tmp\D318.bat C:\Users\Admin\AppData\Local\Temp\516874.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\D317.tmp\nRansom.exe
    nRansom.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D317.tmp\AxInterop.WMPLib.dll

Filesize
52KB

MD5
e07847688ef6e8d206e3eb1f40308cce

SHA1
733599e59b6af851c67059dd4dc6b079b38add1c

SHA256
7c0d98877a3c3c5e3fdcf716d5456e11e8df60e13cf3236fc7dd2f6168e204cf

SHA512
17abe78ab787587bfedd840ef5baa70cd19030fe700710bc254ecab9b8047e528e4428ba2586e0189e7a844f0628bae768586c4a7a3731feaa3d61864684bcc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D317.tmp\D318.bat

Filesize
35B

MD5
47135f10b1e0f478a8a64cae518619b6

SHA1
bd520aa0b4937f707ea0881232fe1cf10faf2de7

SHA256
5f49ad7e1ca7bc4cb2c94fb89e79ac4a993a27852d150fe22e3d8b6c6172389f

SHA512
5deed2302097e5be3f1f157480e87bcc0e61939d2215b6fc46b32fd80651a33b35e64b19e613f92964b1cc6f079aafd51af240ee9115a88693b8c344723140ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\D317.tmp\Interop.WMPLib.dll

Filesize
323KB

MD5
9cc37f967a871e437ee3640f195e1637

SHA1
5a5855cd4a72118309d2b82276b5f2c7a683135e

SHA256
33914c07aab0e92bf85e87e2d1be739746693a60ca9961cabaf95f417d2a466f

SHA512
884a88e755769b8a444fb59fdb82e384010bbf4198bfaefa047aaf194063a2d20d1376b75a0d13fdc4b6088c9eac31a0e82c4984530e9f7a9f5e4a6ce21b6a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\D317.tmp\Tools\your-mom-gay.mp3

Filesize
594KB

MD5
bd85b4d057816c91104df6a123c246e8

SHA1
0935b746352105d50b6edac8bf9e8464f5a11922

SHA256
6a0a9638ab66f3a66b38779c20bd91a9d66ff770827b27d95fcfd247918c8984

SHA512
e260b2d8f0853cab48460cf40321db3555c91397167b61ddc4296d23e7db5b63d9e817b09d1d250d8d07dfb2df9709a38cd6b6bc3e781b76ecd17da2ca76480c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D317.tmp\nRansom.exe

Filesize
189KB

MD5
773776263762568ed199228579fe4a54

SHA1
43986aaefd50cd2006a027939947e34e0633e60a

SHA256
9e4f9175ef942d0e84f7f9c64dc89505c4c8ffb20787513e02b4eaaf502f5ec4

SHA512
77956d7b18a1435dcbf837d9924d6fd9733d825811c134c3b5806813a32f127b9b1b67abb729a7dbbcce399e3e2cf099e4ce95b95e9e9fdfc106a662679bedce

Download Submit
memory/2020-22-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2020-17-0x0000000000540000-0x0000000000554000-memory.dmp

Filesize
80KB

Download
memory/2020-21-0x0000000000560000-0x00000000005B8000-memory.dmp

Filesize
352KB

Download
memory/2020-13-0x0000000001300000-0x0000000001336000-memory.dmp

Filesize
216KB

Download
memory/2020-23-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2020-24-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2020-12-0x000000007455E000-0x000000007455F000-memory.dmp

Filesize
4KB

Download
memory/2020-26-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2020-27-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2020-28-0x000000007455E000-0x000000007455F000-memory.dmp

Filesize
4KB

Download
memory/2020-29-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download
memory/2020-30-0x0000000074550000-0x0000000074C3E000-memory.dmp

Filesize
6.9MB

Download