471f3fb1a953fab38be3081eb835574694bc72b94f239edc400d1ce3d7a8ecb0

Analysis

max time kernel
1200s
max time network
845s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe
Size

246KB
MD5

7f61ab7160ccea4f69fed025fbbfdb30
SHA1

88d06d4124bca680bf28dde09cc1c3995002eef3
SHA256

845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8
SHA512

8ff46db7d1bfddef6bab676c1439207a7b755280720bf83406d95a700eac364ef667978a7e538cc3d6e2836487b38ddc34df288100b510e32d16f013ffd07d98
SSDEEP

6144:clmE5hV/XRG4FmeAs32AcNhunE+AWTWk6+wv:2/XRG4FdAs32AeOWk

Score

9^/10

discovery persistence ransomware

Malware Config

Signatures

Renames multiple (145) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

mshta.exe

pid process

2176 mshta.exe
Executes dropped EXE 1 IoCs

Processes:

trust.exe

pid process

2456 trust.exe

pid	process
2176	mshta.exe

pid	process
2456	trust.exe

Loads dropped DLL 5 IoCs

Processes:

845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exeWerFault.exe

pid	process
2580	845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe
2580	845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe
1440	WerFault.exe
1440	WerFault.exe
1440	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\SG = "C:\\Users\\Admin\\AppData\\Roaming\\trust.exe"	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1440 2456 WerFault.exe trust.exe

pid	pid_target	process	target process
1440	2456	WerFault.exe	trust.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exemshta.exetrust.exemshta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trust.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exetrust.exe

description	pid	process	target process
PID 2580 wrote to memory of 2456	2580	845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe	trust.exe
PID 2580 wrote to memory of 2456	2580	845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe	trust.exe
PID 2580 wrote to memory of 2456	2580	845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe	trust.exe
PID 2580 wrote to memory of 2456	2580	845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe	trust.exe
PID 2580 wrote to memory of 2176	2580	845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe	mshta.exe
PID 2580 wrote to memory of 2176	2580	845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe	mshta.exe
PID 2580 wrote to memory of 2176	2580	845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe	mshta.exe
PID 2580 wrote to memory of 2176	2580	845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe	mshta.exe
PID 2456 wrote to memory of 2244	2456	trust.exe	mshta.exe
PID 2456 wrote to memory of 2244	2456	trust.exe	mshta.exe
PID 2456 wrote to memory of 2244	2456	trust.exe	mshta.exe
PID 2456 wrote to memory of 2244	2456	trust.exe	mshta.exe
PID 2456 wrote to memory of 1440	2456	trust.exe	WerFault.exe
PID 2456 wrote to memory of 1440	2456	trust.exe	WerFault.exe
PID 2456 wrote to memory of 1440	2456	trust.exe	WerFault.exe
PID 2456 wrote to memory of 1440	2456	trust.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe
"C:\Users\Admin\AppData\Local\Temp\845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Roaming\trust.exe
  "C:\Users\Admin\AppData\Roaming\trust.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\mshta.exe
    mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');setInterval(function(){try{o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\SG','C:\\Users\\Admin\\AppData\\Roaming\\trust.exe');}catch(e){}},10);"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 404
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1440
- C:\Windows\SysWOW64\mshta.exe
  mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('C:\\Users\\Admin\\AppData\\Local\\Temp\\845263~1.EXE');close()}catch(e){}},10);"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\trust.exe

Filesize
246KB

MD5
7f61ab7160ccea4f69fed025fbbfdb30

SHA1
88d06d4124bca680bf28dde09cc1c3995002eef3

SHA256
845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8

SHA512
8ff46db7d1bfddef6bab676c1439207a7b755280720bf83406d95a700eac364ef667978a7e538cc3d6e2836487b38ddc34df288100b510e32d16f013ffd07d98

Download Submit
C:\Users\Admin\Desktop\NewUninstall.xlsx.zendrz

Filesize
14KB

MD5
5768bdc028e4c020a02dfe73758b112c

SHA1
bd3ad237471c52478b4cff102a017da70e6bff17

SHA256
85269913956a82c24b4839d5c2a1515990dc9360324911a7a03e98aa5704bfca

SHA512
1d5d9e3f3742eeb2c740388f252412a498e5d6a8a75cd22e0a2d930e7d2ad6fdde2b6f99209e3e37b1f37cb0bf772f0af46f29151a627f1988491890333187c6

Download Submit
C:\Users\Admin\Favorites\Links for United States\Read Me Please.hta

Filesize
3KB

MD5
1ae9d5b2c231c60a2fff6156e6000d85

SHA1
eb0ebea2ce9c8d0bc1f10fcc69010c9da5874a80

SHA256
af51aae7a728f93fbb9a8ecb5d112503725eba9ce9d3f5ff899672994d954e1a

SHA512
941427a21a1be42b007936a0aa895062044b6159d4157e888049f5aaddbc20935109b2d5ebe18a632fb3746e154e2d8136d73fd751befeabdac419d41bd5cf47

Download Submit
C:\vcredist2010_x86.log.html.zendrz

Filesize
82KB

MD5
9336fc01ab54145f39ce552d5279c3ce

SHA1
f85569f3e59fdb7b012c414e692d3a1ee4075152

SHA256
35ce500691f1b2897fcbbbc3f4b6cb77e12a130d30efca73291fcca21047cc77

SHA512
a023c0cac718fa13236d3cfb6b8e419a82301638465f9b4846ab9ed5b2bc50dd6ae48fdeca4aeb4f20c58c52a21421ab8d292569c8ba5d03d504c2ab0e4cfdd9

Download Submit
memory/2456-467-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2456-468-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2580-9-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download