Overview
overview
10Static
static
10757e3242f6...b4.exe
windows7-x64
976fe72e0ec...ss.exe
windows7-x64
778d4cf8df6...B3.exe
windows7-x64
778d4cf8df6...59.exe
windows7-x64
778db508226...69.exe
windows7-x64
97965f6adf3...ss.exe
windows7-x64
77B75B33BCF...B5.exe
windows7-x64
17E3903944E...72.exe
windows7-x64
77dd9312307...ca.dll
windows7-x64
37e4c9a7e39...1f.exe
windows7-x64
980eb72d781...B3.exe
windows7-x64
780eb72d781...9A.exe
windows7-x64
7845263c869...c8.exe
windows7-x64
98524224187...8f.exe
windows7-x64
686be3831f5...39.exe
windows7-x64
68791931bac...DA.exe
windows7-x64
78791931bac...69.exe
windows7-x64
787a4f3f9f6...88.exe
windows7-x64
789fb6d7ff2...f6.exe
windows7-x64
98c59148535...21.exe
windows7-x64
98d372fcf8a...e0.exe
windows7-x64
7900.exe
windows7-x64
9911d5905cb...b9.exe
windows7-x64
791d24e0657...eb.zip
windows7-x64
192ac6be4d9...5b.exe
windows7-x64
97512f4617...7c.exe
windows7-x64
1098aadc95c5...e7.exe
windows7-x64
109943256.exe
windows7-x64
109B9517FA15...DF.exe
windows7-x64
79b7eaffe4d...c8.exe
windows7-x64
10a322da0be4...44.exe
windows7-x64
10a42252e674...34.exe
windows7-x64
9Analysis
-
max time kernel
840s -
max time network
841s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 02:43
Behavioral task
behavioral1
Sample
757e3242f6a2685ed9957c9e66235af889a7accead5719514719106d0b3c6fb4.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
76fe72e0ecdc389b5749df5fe406cb70110b1ef8b64e51cf0a96da2fa2ec5eb2_not_packed_maybe_useless.exe
Resource
win7-20241010-en
Behavioral task
behavioral3
Sample
78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b_Dumped_TDS=4F9911B3.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
78d4cf8df6fe5717a0f4bad6cbfce6546fb59a45ee0ac3797b264b28e24ddc0b_TDS=4FA04B59.exe
Resource
win7-20240903-en
Behavioral task
behavioral5
Sample
78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
7965f6adf3261e8820fe583e94dcb2d17dc665efa0442743e47d27c989fcb05f_not_packed_maybe_useless.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
7B75B33BCF4ECF013B93F84ED98B3FB5.exe
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
7E3903944EAB7B61B495572BAA60FB72.exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
7dd93123078b383ec179c4c381f9119f4eac4efb287fe8f538a82e7336dfa4ca.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
7e4c9a7e391be4367d79bd1ab92b748d440e13fd5ca6c0820b30e6e9c670871f.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2_Dumped_TDS=4F9911B3.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
80eb72d78175761e34378e06a5ca13b26edd6c47ee18e0d222fa068a249785f2_TDS=4FAAF59A.exe
Resource
win7-20240729-en
Behavioral task
behavioral13
Sample
845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe
Resource
win7-20241023-en
Behavioral task
behavioral14
Sample
85242241870190a81b55d0ea723c25391fff14140bac149a32630c5f892a3a8f.exe
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
86be3831f5d8a975b0924168117fc7fcd1f5067ac5935c657efbb4798cb6a439.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f_Dumped_TDS=4F83FCDA.exe
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
8791931bac7d8afbb30dc1d32a4dd54ee59a2160580a83d822a927039d8ca98f_TDS=4F84A969.exe
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
87a4f3f9f6dc263378f2f01db5f2c988.exe
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
89fb6d7ff29b0c349c19df2e81028a62a2758c33f2c72b87dc11af4f22d3c6f6.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
8c591485357e45a09dad3116496e6f686fa11f445a6bea5ef3cd5ed1ac078821.exe
Resource
win7-20240903-en
Behavioral task
behavioral21
Sample
8d372fcf8a97223ebb86cdfe707d3035dfbfd4501c5688cfa82a9a4889e637e0.exe
Resource
win7-20241010-en
Behavioral task
behavioral22
Sample
900.exe
Resource
win7-20241023-en
Behavioral task
behavioral23
Sample
911d5905cbe1dd462f171b7167cd15b9.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
91d24e06572099ba0aa5c20be6b1021fa48e864913fe3676ed05323e6b68fceb.zip
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
92ac6be4d9215b237d624177ca0543844d0dc8d071660ae4a4cf7c93cc11505b.exe
Resource
win7-20240708-en
Behavioral task
behavioral26
Sample
97512f4617019c907cd0f88193039e7c.exe
Resource
win7-20240708-en
Behavioral task
behavioral27
Sample
98aadc95c589e064a542802bbf0ef01ef00595c34d195f1a1e6443909846d2e7.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
9943256.exe
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
9B9517FA1515F47A502FE56536236A20BE5BBADF.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
9b7eaffe4dffcbd06445d0b32785cdc8.exe
Resource
win7-20240903-en
Behavioral task
behavioral31
Sample
a322da0be4f0be8d85eab815ca708c8452b63f24d0e2d2d6d896a9f9331a6244.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
a42252e674a09a0b689e71c88f59969f538a473da647cc4eb5457a5d5e03a234.exe
Resource
win7-20240903-en
General
-
Target
900.exe
-
Size
12KB
-
MD5
5a43d2db5c8cc3b8ec273aa470ccc931
-
SHA1
dfcc68945b9daf7e9f49be4837a6934560ec635f
-
SHA256
2424a7ce5e885bf460aeb8968ceab48057813430973c5a2e27d846553e79402c
-
SHA512
ffae7fe714667cb44d200f87c36a6f60735926d03ce86dd5756b7e91ab1bd04e7b98dccd1dc0b3f652ea50f5d4c74ffa1f66245052b61e00fd0e8273681a99d3
-
SSDEEP
192:LvJ8ZxTFrv7bg1d4/QkODGAoyjwlkp7qQT6yNQ+pJYMq6fdw4RI2P:d8zt+UFxy9p7qk3DfC4RI
Malware Config
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (1077) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW_TO_RESTORE_FILES.txt 900.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 35 IoCs
description ioc Process File opened for modification C:\Users\Public\desktop.ini 900.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 900.exe File opened for modification C:\Users\Admin\Links\desktop.ini 900.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 900.exe File opened for modification C:\Users\Public\Documents\desktop.ini 900.exe File opened for modification C:\Users\Public\Music\desktop.ini 900.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini 900.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini 900.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 900.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\SMFN3Z3Q\desktop.ini 900.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini 900.exe File opened for modification C:\Users\Public\Videos\desktop.ini 900.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 900.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 900.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini 900.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 900.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JEDNWX6E\desktop.ini 900.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 900.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 900.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 900.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini 900.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 900.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini 900.exe File opened for modification C:\Users\Admin\Music\desktop.ini 900.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 900.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini 900.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini 900.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\4FXYHFK9\desktop.ini 900.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 900.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 900.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 900.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 900.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\DQFI3FMT\desktop.ini 900.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini 900.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 900.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 900.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1900 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1388 900.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 676 vssvc.exe Token: SeRestorePrivilege 676 vssvc.exe Token: SeAuditPrivilege 676 vssvc.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1388 wrote to memory of 1900 1388 900.exe 30 PID 1388 wrote to memory of 1900 1388 900.exe 30 PID 1388 wrote to memory of 1900 1388 900.exe 30 PID 1388 wrote to memory of 1900 1388 900.exe 30 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\900.exe"C:\Users\Admin\AppData\Local\Temp\900.exe"1⤵
- Drops startup file
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\system32\vssadmin.exedelete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1900
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:676
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD55fafc3b6b68f49c29eac195e146bfcf9
SHA1e0bca64754c0209847eac372d7ce04b88891b773
SHA2562938570788156bb73a583b6bf420d93c1236bccaa36baa074b53d7ec30a8dcb0
SHA51259812e3a820cf6a9ee23478203cd5f9eb814baff3d210dc4ac29568544756e80aad62f42607e81f3a94720646a427c2bbcf3ba66b8277d4be33fddef469ecbf2