Overview
overview
10Static
static
10757e3242f6...b4.exe
windows7-x64
976fe72e0ec...ss.exe
windows7-x64
778d4cf8df6...B3.exe
windows7-x64
778d4cf8df6...59.exe
windows7-x64
778db508226...69.exe
windows7-x64
97965f6adf3...ss.exe
windows7-x64
77B75B33BCF...B5.exe
windows7-x64
17E3903944E...72.exe
windows7-x64
77dd9312307...ca.dll
windows7-x64
37e4c9a7e39...1f.exe
windows7-x64
980eb72d781...B3.exe
windows7-x64
780eb72d781...9A.exe
windows7-x64
7845263c869...c8.exe
windows7-x64
98524224187...8f.exe
windows7-x64
686be3831f5...39.exe
windows7-x64
68791931bac...DA.exe
windows7-x64
78791931bac...69.exe
windows7-x64
787a4f3f9f6...88.exe
windows7-x64
789fb6d7ff2...f6.exe
windows7-x64
98c59148535...21.exe
windows7-x64
98d372fcf8a...e0.exe
windows7-x64
7900.exe
windows7-x64
9911d5905cb...b9.exe
windows7-x64
791d24e0657...eb.zip
windows7-x64
192ac6be4d9...5b.exe
windows7-x64
97512f4617...7c.exe
windows7-x64
1098aadc95c5...e7.exe
windows7-x64
109943256.exe
windows7-x64
109B9517FA15...DF.exe
windows7-x64
79b7eaffe4d...c8.exe
windows7-x64
10a322da0be4...44.exe
windows7-x64
10a42252e674...34.exe
windows7-x64
9Analysis
-
max time kernel
1200s -
max time network
845s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 02:43
Behavioral task
behavioral1
Sample
757e3242f6a2685ed9957c9e66235af889a7accead5719514719106d0b3c6fb4.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
76fe72e0ecdc389b5749df5fe406cb70110b1ef8b64e51cf0a96da2fa2ec5eb2_not_packed_maybe_useless.exe
Resource
win7-20241010-en
Behavioral task
behavioral3
Sample
78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b_Dumped_TDS=4F9911B3.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b_TDS=4FA04B59.exe
Resource
win7-20240903-en
Behavioral task
behavioral5
Sample
78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
7965f6adf3261e8820fe583e94dcb2d17dc665efa0442743e47d27c989fcb05f_not_packed_maybe_useless.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
7B75B33BCF4ECF013B93F84ED98B3FB5.exe
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
7E3903944EAB7B61B495572BAA60FB72.exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
7dd93123078b383ec179c4c381f9119f4eac4efb287fe8f538a82e7336dfa4ca.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2_Dumped_TDS=4F9911B3.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2_TDS=4FAAF59A.exe
Resource
win7-20240729-en
Behavioral task
behavioral13
Sample
845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe
Resource
win7-20241023-en
Behavioral task
behavioral14
Sample
85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
86be3831f5d8a975b0924168117fc7fcd1f5067ac5935c657efbb4798cb6a439.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f_Dumped_TDS=4F83FCDA.exe
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f_TDS=4F84A969.exe
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
87a4f3f9f6dc263378f2f01db5f2c988.exe
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
89fb6d7ff29b0c349c19df2e81028a62a2758c33f2c72b87dc11af4f22d3c6f6.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
8c591485357e45a09dad3116496e6f686fa11f445a6bea5ef3cd5ed1ac078821.exe
Resource
win7-20240903-en
Behavioral task
behavioral21
Sample
8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe
Resource
win7-20241010-en
Behavioral task
behavioral22
Sample
900.exe
Resource
win7-20241023-en
Behavioral task
behavioral23
Sample
911d5905cbe1dd462f171b7167cd15b9.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
91d24e06572099ba0aa5c20be6b1021fa48e864913fe3676ed05323e6b68fceb.zip
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
92ac6be4d9215b237d624177ca0543844d0dc8d071660ae4a4cf7c93cc11505b.exe
Resource
win7-20240708-en
Behavioral task
behavioral26
Sample
97512f4617019c907cd0f88193039e7c.exe
Resource
win7-20240708-en
Behavioral task
behavioral27
Sample
98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
9943256.exe
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
9B9517FA1515F47A502FE56536236A20BE5BBADF.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
9b7eaffe4dffcbd06445d0b32785cdc8.exe
Resource
win7-20240903-en
Behavioral task
behavioral31
Sample
a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
a42252e674a09a0b689e71c88f59969f538a473da647cc4eb5457a5d5e03a234.exe
Resource
win7-20240903-en
General
-
Target
845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe
-
Size
246KB
-
MD5
7f61ab7160ccea4f69fed025fbbfdb30
-
SHA1
88d06d4124bca680bf28dde09cc1c3995002eef3
-
SHA256
845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8
-
SHA512
8ff46db7d1bfddef6bab676c1439207a7b755280720bf83406d95a700eac364ef667978a7e538cc3d6e2836487b38ddc34df288100b510e32d16f013ffd07d98
-
SSDEEP
6144:clmE5hV/XRG4FmeAs32AcNhunE+AWTWk6+wv:2/XRG4FdAs32AeOWk
Malware Config
Signatures
-
Renames multiple (145) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
pid Process 2176 mshta.exe -
Executes dropped EXE 1 IoCs
pid Process 2456 trust.exe -
Loads dropped DLL 5 IoCs
pid Process 2580 845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe 2580 845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe 1440 WerFault.exe 1440 WerFault.exe 1440 WerFault.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\SG = "C:\\Users\\Admin\\AppData\\Roaming\\trust.exe" mshta.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 1440 2456 WerFault.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language trust.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2580 wrote to memory of 2456 2580 845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe 30 PID 2580 wrote to memory of 2456 2580 845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe 30 PID 2580 wrote to memory of 2456 2580 845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe 30 PID 2580 wrote to memory of 2456 2580 845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe 30 PID 2580 wrote to memory of 2176 2580 845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe 31 PID 2580 wrote to memory of 2176 2580 845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe 31 PID 2580 wrote to memory of 2176 2580 845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe 31 PID 2580 wrote to memory of 2176 2580 845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe 31 PID 2456 wrote to memory of 2244 2456 trust.exe 32 PID 2456 wrote to memory of 2244 2456 trust.exe 32 PID 2456 wrote to memory of 2244 2456 trust.exe 32 PID 2456 wrote to memory of 2244 2456 trust.exe 32 PID 2456 wrote to memory of 1440 2456 trust.exe 34 PID 2456 wrote to memory of 1440 2456 trust.exe 34 PID 2456 wrote to memory of 1440 2456 trust.exe 34 PID 2456 wrote to memory of 1440 2456 trust.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe"C:\Users\Admin\AppData\Local\Temp\845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Users\Admin\AppData\Roaming\trust.exe"C:\Users\Admin\AppData\Roaming\trust.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\mshta.exemshta.exe "javascript:o=new ActiveXObject('WScript.Shell');setInterval(function(){try{o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\SG','C:\\Users\\Admin\\AppData\\Roaming\\trust.exe');}catch(e){}},10);"3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:2244
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 4043⤵
- Loads dropped DLL
- Program crash
PID:1440
-
-
-
C:\Windows\SysWOW64\mshta.exemshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('C:\\Users\\Admin\\AppData\\Local\\Temp\\845263~1.EXE');close()}catch(e){}},10);"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2176
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
246KB
MD57f61ab7160ccea4f69fed025fbbfdb30
SHA188d06d4124bca680bf28dde09cc1c3995002eef3
SHA256845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8
SHA5128ff46db7d1bfddef6bab676c1439207a7b755280720bf83406d95a700eac364ef667978a7e538cc3d6e2836487b38ddc34df288100b510e32d16f013ffd07d98
-
Filesize
14KB
MD55768bdc028e4c020a02dfe73758b112c
SHA1bd3ad237471c52478b4cff102a017da70e6bff17
SHA25685269913956a82c24b4839d5c2a1515990dc9360324911a7a03e98aa5704bfca
SHA5121d5d9e3f3742eeb2c740388f252412a498e5d6a8a75cd22e0a2d930e7d2ad6fdde2b6f99209e3e37b1f37cb0bf772f0af46f29151a627f1988491890333187c6
-
Filesize
3KB
MD51ae9d5b2c231c60a2fff6156e6000d85
SHA1eb0ebea2ce9c8d0bc1f10fcc69010c9da5874a80
SHA256af51aae7a728f93fbb9a8ecb5d112503725eba9ce9d3f5ff899672994d954e1a
SHA512941427a21a1be42b007936a0aa895062044b6159d4157e888049f5aaddbc20935109b2d5ebe18a632fb3746e154e2d8136d73fd751befeabdac419d41bd5cf47
-
Filesize
82KB
MD59336fc01ab54145f39ce552d5279c3ce
SHA1f85569f3e59fdb7b012c414e692d3a1ee4075152
SHA25635ce500691f1b2897fcbbbc3f4b6cb77e12a130d30efca73291fcca21047cc77
SHA512a023c0cac718fa13236d3cfb6b8e419a82301638465f9b4846ab9ed5b2bc50dd6ae48fdeca4aeb4f20c58c52a21421ab8d292569c8ba5d03d504c2ab0e4cfdd9