-
max time kernel
181s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system -
submitted
22-11-2024 02:14
Behavioral task
behavioral1
Sample
0.4658229854220858.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
065988f36f3ab99ff40893c7ad756cfcc3baea1b8b5217f17cdd6e44160df0a0.exe
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
082671641341d89fe49d0da717846035ba6af02edb59840148eddc3586d21557.exe
Resource
win7-20240903-en
Behavioral task
behavioral5
Sample
08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
0997ba7292ddbac1c7e7ade6766ed53c.exe
Resource
win7-20240708-en
Behavioral task
behavioral7
Sample
0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f.exe
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
0c3431dbb8cd0478250eb4357257880e_localui.dll
Resource
win7-20241023-en
Behavioral task
behavioral9
Sample
0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
100b8bfff550fb74c98a2ef9a71d4bb53553d2d7ba509bb451fe32814ec57e48.exe.vir.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
101.ex_.exe
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
119.executable.exe
Resource
win7-20241010-en
Behavioral task
behavioral13
Sample
119.unp.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
11abb44de53807e32980a010a473514694f901841e63ab33f5e0ff8754009b47.exe
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
11fb52c96853e12f011b7b7894e9884e56eb5522.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
123.exe
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
139.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
13E418BF18B03AC80580DB69ADA305A2B7093DFED00692DCF91A99D2526D3A73.dll
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
144.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
17697e1829f0d18d2051a67bc2bca134_da3ded254909e9abaa46eb5bc3b10944.dll
Resource
win7-20240903-en
Behavioral task
behavioral21
Sample
19561b33793dcb865eae56575a899ce8_kovter_from_Sakura82_taskmanger.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
19ec0d0e5143940492a1c79c06eb8f18aa9feb356e41b8b79fdc6a16a3bcd7bf_TDS=4F9B33C5.exe
Resource
win7-20241010-en
Behavioral task
behavioral23
Sample
1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe
Resource
win7-20241023-en
Behavioral task
behavioral27
Sample
234e77145d329956192c389249e20520851853e2a33779be93530788201b612d.exe
Resource
win7-20240729-en
Behavioral task
behavioral28
Sample
263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
2e0da054d03fde4e7b2c2057cc4aa410c64b6ab8777ee6d4fd43f031a5170a23.zip
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
Compenso.Pdf______________________________________________________________.exe
Resource
win7-20240903-en
Behavioral task
behavioral31
Sample
301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
30620.ex_.exe
Resource
win7-20241010-en
General
-
Target
20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe
-
Size
2.0MB
-
MD5
217c23371f1d91e81beac74a759be045
-
SHA1
7aa2abe3c6d2decee0bd741198a59db9c92d4cbd
-
SHA256
20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d
-
SHA512
5f8f0550b61bfeac6675c7c489cbf5e9d5d85ffe98798499e086d207a63a970aaae81bfb07eed841abff073df2505d6c2e271e01836658d940c6c3e1c62031f5
-
SSDEEP
49152:cbIZw+8h+93HIyboFW0eqqoD5PyyGBrmM/eZzUBSzPayRxcJ:zb3HlCW0eGIy6r//eZAIWyRxq
Malware Config
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
pid Process 1736 svchost .exe -
Loads dropped DLL 4 IoCs
pid Process 2372 20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe 2372 20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe 2372 20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe 2372 20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\wallpaper reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\des1.jpg" reg.exe -
Launches sc.exe 7 IoCs
Sc.exe is a Windows utility used to control services on the system.
pid Process 2332 sc.exe 1844 sc.exe 1888 sc.exe 316 sc.exe 2100 sc.exe 664 sc.exe 2312 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost .exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2720 vssadmin.exe 1756 vssadmin.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 2688 vssvc.exe Token: SeRestorePrivilege 2688 vssvc.exe Token: SeAuditPrivilege 2688 vssvc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2372 wrote to memory of 1736 2372 20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe 30 PID 2372 wrote to memory of 1736 2372 20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe 30 PID 2372 wrote to memory of 1736 2372 20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe 30 PID 2372 wrote to memory of 1736 2372 20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe 30 PID 1736 wrote to memory of 2792 1736 svchost .exe 31 PID 1736 wrote to memory of 2792 1736 svchost .exe 31 PID 1736 wrote to memory of 2792 1736 svchost .exe 31 PID 1736 wrote to memory of 2792 1736 svchost .exe 31 PID 2792 wrote to memory of 2960 2792 cmd.exe 33 PID 2792 wrote to memory of 2960 2792 cmd.exe 33 PID 2792 wrote to memory of 2960 2792 cmd.exe 33 PID 2792 wrote to memory of 2960 2792 cmd.exe 33 PID 2792 wrote to memory of 2996 2792 cmd.exe 34 PID 2792 wrote to memory of 2996 2792 cmd.exe 34 PID 2792 wrote to memory of 2996 2792 cmd.exe 34 PID 2792 wrote to memory of 2996 2792 cmd.exe 34 PID 2792 wrote to memory of 2324 2792 cmd.exe 35 PID 2792 wrote to memory of 2324 2792 cmd.exe 35 PID 2792 wrote to memory of 2324 2792 cmd.exe 35 PID 2792 wrote to memory of 2324 2792 cmd.exe 35 PID 2792 wrote to memory of 2816 2792 cmd.exe 36 PID 2792 wrote to memory of 2816 2792 cmd.exe 36 PID 2792 wrote to memory of 2816 2792 cmd.exe 36 PID 2792 wrote to memory of 2816 2792 cmd.exe 36 PID 2792 wrote to memory of 2844 2792 cmd.exe 37 PID 2792 wrote to memory of 2844 2792 cmd.exe 37 PID 2792 wrote to memory of 2844 2792 cmd.exe 37 PID 2792 wrote to memory of 2844 2792 cmd.exe 37 PID 2792 wrote to memory of 2844 2792 cmd.exe 37 PID 2792 wrote to memory of 2844 2792 cmd.exe 37 PID 2792 wrote to memory of 2844 2792 cmd.exe 37 PID 2792 wrote to memory of 2720 2792 cmd.exe 38 PID 2792 wrote to memory of 2720 2792 cmd.exe 38 PID 2792 wrote to memory of 2720 2792 cmd.exe 38 PID 2792 wrote to memory of 
2720 2792 cmd.exe 38 PID 2792 wrote to memory of 2100 2792 cmd.exe 40 PID 2792 wrote to memory of 2100 2792 cmd.exe 40 PID 2792 wrote to memory of 2100 2792 cmd.exe 40 PID 2792 wrote to memory of 2100 2792 cmd.exe 40 PID 2792 wrote to memory of 2332 2792 cmd.exe 41 PID 2792 wrote to memory of 2332 2792 cmd.exe 41 PID 2792 wrote to memory of 2332 2792 cmd.exe 41 PID 2792 wrote to memory of 2332 2792 cmd.exe 41 PID 2792 wrote to memory of 2312 2792 cmd.exe 42 PID 2792 wrote to memory of 2312 2792 cmd.exe 42 PID 2792 wrote to memory of 2312 2792 cmd.exe 42 PID 2792 wrote to memory of 2312 2792 cmd.exe 42 PID 2792 wrote to memory of 664 2792 cmd.exe 43 PID 2792 wrote to memory of 664 2792 cmd.exe 43 PID 2792 wrote to memory of 664 2792 cmd.exe 43 PID 2792 wrote to memory of 664 2792 cmd.exe 43 PID 2792 wrote to memory of 316 2792 cmd.exe 44 PID 2792 wrote to memory of 316 2792 cmd.exe 44 PID 2792 wrote to memory of 316 2792 cmd.exe 44 PID 2792 wrote to memory of 316 2792 cmd.exe 44 PID 2792 wrote to memory of 1844 2792 cmd.exe 45 PID 2792 wrote to memory of 1844 2792 cmd.exe 45 PID 2792 wrote to memory of 1844 2792 cmd.exe 45 PID 2792 wrote to memory of 1844 2792 cmd.exe 45 PID 2792 wrote to memory of 1888 2792 cmd.exe 46 PID 2792 wrote to memory of 1888 2792 cmd.exe 46 PID 2792 wrote to memory of 1888 2792 cmd.exe 46 PID 2792 wrote to memory of 1888 2792 cmd.exe 46 PID 2792 wrote to memory of 1756 2792 cmd.exe 47 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe"C:\Users\Admin\AppData\Local\Temp\20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Users\Admin\AppData\Roaming\svchost .exe"C:\Users\Admin\AppData\Roaming\svchost .exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\desk.bat"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f4⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:2960
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\des1.jpg" /f4⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:2996
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKCU\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f4⤵
- System Location Discovery: System Language Discovery
PID:2324
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f4⤵
- System Location Discovery: System Language Discovery
PID:2816
-
-
C:\Windows\SysWOW64\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵
- System Location Discovery: System Language Discovery
PID:2844
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2720
-
-
C:\Windows\SysWOW64\sc.exesc stop VVS4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2100
-
-
C:\Windows\SysWOW64\sc.exesc stop wscsvc4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2332
-
-
C:\Windows\SysWOW64\sc.exesc stop WinDefend4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2312
-
-
C:\Windows\SysWOW64\sc.exesc stop wuauserv4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:664
-
-
C:\Windows\SysWOW64\sc.exesc stop BITS4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:316
-
-
C:\Windows\SysWOW64\sc.exesc stop ERSvc4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1844
-
-
C:\Windows\SysWOW64\sc.exesc stop WerSvc4⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1888
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:1756
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2688
Network
MITRE ATT&CK Enterprise v15
Execution
System Services
1Service Execution
1Windows Management Instrumentation
1Defense Evasion
Direct Volume Access
1Impair Defenses
1Indicator Removal
2File Deletion
2Modify Registry
1
Downloads
-
Filesize
424KB
MD52cecdd72325a24a468ef66037dab094e
SHA1db98144940916c64cd37815c427134d0194ef832
SHA2568331afb29af322ab4a5a450f1067facac8b95bc4260eb7b102b224ed3c219d25
SHA512dab3fa4867e11687e8e3f99d1f7c67150a099efcde8aa17633a72780fb726d094fab0219fe1cefa41790388acfb6669685f469b23974b5958122be97077bfe4b
-
Filesize
704B
MD5f75fd3ea44c0022e1753ac797711f930
SHA16e71bc00fa7b8062ea547da705950c73a92788db
SHA256e4872ff8700d90b1d721a9b30148d8a48510b5e63d25b5f0918024bd27ce7b22
SHA512aa965f3e0ded2f0ffb53e2597a6d8deb9b6fc73ee2564cd238e81b7778e446c9432beac9891533dc3d3e92d925dff1a943837502bed464369b9fae367377fcfb
-
Filesize
5.0MB
MD53e7bd2126ad2d056b12a906ec74f4e75
SHA12147ec630ce348816fce2e9b7a36a14a0a7f56d0
SHA2567f1d3ed805910aa90172d72e7923d129d2967bfe50398e863ec48b71c952b199
SHA5127cf82908c203f6a9bab75ca60872dd0cd82f9d944395683bf36d3dd01611d8d95c00f4ca1e74ea397cae7da6afbd0bca6bbc1b5059e2751ed0f321b3b732a8fd
-
Filesize
10KB
MD56bb28eca731de08fde8e0ee1ef70bf16
SHA193baa64fcfc23aa54775bf5bb9976567f2563ad2
SHA256d416a04791a7b60b2091e7aeb013ab8fc9a376889197fdec41fd5c2259d75a28
SHA5121af6dd6caebe4734001a44074cddf41fd1972f6a98bb73df04212a4cb08dc4cc18bb083493751a416de3c65f1a26899df4a93f01c481a9ea80472ec336277382
-
Filesize
82KB
MD58affca1d19603744637dc8fa556628ef
SHA1067a5d311e45fe5e6ac28ba3a78d2ee6dc482843
SHA2562d3e4064f074318ee84f84a10ee99de97006e40af7bf022094a255e1515d025e
SHA512c6e345ee519c23fd7d61fb5a95dd4b7484eb31794ebbfb1ccedb4b2d75d529d12bfaa5b747e372b9ec4987d250cb9db17a7904e39473eb824d340e490fe9ac92