Overview
overview
10Static
static
100.46582298...58.exe
windows7-x64
700331dd25b...3a.exe
windows7-x64
10065988f36f...a0.exe
windows7-x64
30826716413...57.exe
windows7-x64
1008cf8ed94c...a4.exe
windows7-x64
100997ba7292...3c.exe
windows7-x64
30b7996bca4...5f.exe
windows7-x64
0c3431dbb8...ui.dll
windows7-x64
50cd7440ca9...bc.exe
windows7-x64
10100b8bfff5...ir.exe
windows7-x64
3101.ex_.exe
windows7-x64
3119.executable.exe
windows7-x64
6119.unp.exe
windows7-x64
611abb44de5...47.exe
windows7-x64
1011fb52c968...22.exe
windows7-x64
10123.exe
windows7-x64
1139.exe
windows7-x64
113E418BF18...73.dll
windows7-x64
3144.exe
windows7-x64
117697e1829...44.dll
windows7-x64
319561b3379...er.exe
windows7-x64
1019ec0d0e51...C5.exe
windows7-x64
71a6bed2aff...f2.exe
windows7-x64
101f210c60f9...40.exe
windows7-x64
101f3509cc11...dd.exe
windows7-x64
1020c6d29da8...7d.exe
windows7-x64
9234e77145d...2d.exe
windows7-x64
10263fc6fc9e...32.exe
windows7-x64
92e0da054d0...23.zip
windows7-x64
9Compenso.P...__.exe
windows7-x64
9301a3f5017...5f.exe
windows7-x64
1030620.ex_.exe
windows7-x64
10Analysis
-
max time kernel
299s -
max time network
306s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 02:14
Behavioral task
behavioral1
Sample
0.4658229854220858.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
00331dd25b83984d4b6d9753fec2b306e88ac87371ea48188df49cb630905d3a.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
065988f36f3ab99ff40893c7ad756cfcc3baea1b8b5217f17cdd6e44160df0a0.exe
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
082671641341d89fe49d0da717846035ba6af02edb59840148eddc3586d21557.exe
Resource
win7-20240903-en
Behavioral task
behavioral5
Sample
08cf8ed94cc1ef6ae23133f3e506a50d8aad9047c6fa74568a0373d991261aa4.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
0997ba7292ddbac1c7e7ade6766ed53c.exe
Resource
win7-20240708-en
Behavioral task
behavioral7
Sample
0b7996bca486575be15e68dba7cbd802b1e5f90436ba23f802da66292c8a055f.exe
Resource
win7-20240708-en
Behavioral task
behavioral8
Sample
0c3431dbb8cd0478250eb4357257880e_localui.dll
Resource
win7-20241023-en
Behavioral task
behavioral9
Sample
0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
100b8bfff550fb74c98a2ef9a71d4bb53553d2d7ba509bb451fe32814ec57e48.exe.vir.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
101.ex_.exe
Resource
win7-20240729-en
Behavioral task
behavioral12
Sample
119.executable.exe
Resource
win7-20241010-en
Behavioral task
behavioral13
Sample
119.unp.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
11abb44de53807e32980a010a473514694f901841e63ab33f5e0ff8754009b47.exe
Resource
win7-20240903-en
Behavioral task
behavioral15
Sample
11fb52c96853e12f011b7b7894e9884e56eb5522.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
123.exe
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
139.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
13E418BF18B03AC80580DB69ADA305A2B7093DFED00692DCF91A99D2526D3A73.dll
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
144.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
17697e1829f0d18d2051a67bc2bca134_da3ded254909e9abaa46eb5bc3b10944.dll
Resource
win7-20240903-en
Behavioral task
behavioral21
Sample
19561b33793dcb865eae56575a899ce8_kovter_from_Sakura82_taskmanger.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
19ec0d0e5143940492a1c79c06eb8f18aa9feb356e41b8b79fdc6a16a3bcd7bf_TDS=4F9B33C5.exe
Resource
win7-20241010-en
Behavioral task
behavioral23
Sample
1a6bed2afff1b9880e42a29cea9b8139bcb12e34085fb008de13aa983b82a4f2.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
1f210c60f90fd8403099482455f3220b56b2864bc4d2b6af0abda4a2c3854d40.exe
Resource
win7-20240903-en
Behavioral task
behavioral25
Sample
1f3509cc11ffa1f7d839df93615cf1ba0819d75cafd5ef59110d9b01fb90addd.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
20c6d29da875075afa0ed7b4fb58e555de89d4bed13bf5ad109817c593ddd77d.exe
Resource
win7-20241023-en
Behavioral task
behavioral27
Sample
234e77145d329956192c389249e20520851853e2a33779be93530788201b612d.exe
Resource
win7-20240729-en
Behavioral task
behavioral28
Sample
263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe
Resource
win7-20240903-en
Behavioral task
behavioral29
Sample
2e0da054d03fde4e7b2c2057cc4aa410c64b6ab8777ee6d4fd43f031a5170a23.zip
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
Compenso.Pdf______________________________________________________________.exe
Resource
win7-20240903-en
Behavioral task
behavioral31
Sample
301a3f5017e578fb04b0eb33f45831bb9bb8318020e0a18d222ebea08bf1c75f.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
30620.ex_.exe
Resource
win7-20241010-en
General
-
Target
263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe
-
Size
215KB
-
MD5
f97d91f8aebbce4628664231184af5a1
-
SHA1
19cbbf718826377ae342f7dd1dbee68d5dfb30f8
-
SHA256
263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032
-
SHA512
786a72e6f41d84555061ee1a15dfa68046c5f676ed911ad86303f99d64c607b60f2ba424cefaa2a0ea5e61d9d2aa019b930b150e4d9ab0969c2d1d345aa0f1b3
-
SSDEEP
3072:JwJbQEHr/KGapjJzx15Ggz8DhGljxPaxXoyAq7NlCQ+VInzgYL8V3ZKJb8E1s1e8:eLLYpjzTzqUljx8XrAHY0YYEf4f
Malware Config
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dd0964d.exe explorer.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dd0964 = "C:\\dd0964d\\dd0964d.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*d0964 = "C:\\dd0964d\\dd0964d.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dd0964d = "C:\\Users\\Admin\\AppData\\Roaming\\dd0964d.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*d0964d = "C:\\Users\\Admin\\AppData\\Roaming\\dd0964d.exe" explorer.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1448 set thread context of 2784 1448 263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vssadmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2580 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe 2772 explorer.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 2784 263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe 2772 explorer.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 2628 vssvc.exe Token: SeRestorePrivilege 2628 vssvc.exe Token: SeAuditPrivilege 2628 vssvc.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 1448 wrote to memory of 2784 1448 263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe 30 PID 1448 wrote to memory of 2784 1448 263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe 30 PID 1448 wrote to memory of 2784 1448 263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe 30 PID 1448 wrote to memory of 2784 1448 263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe 30 PID 1448 wrote to memory of 2784 1448 263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe 30 PID 1448 wrote to memory of 2784 1448 263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe 30 PID 1448 wrote to memory of 2784 1448 263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe 30 PID 1448 wrote to memory of 2784 1448 263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe 30 PID 1448 wrote to memory of 2784 1448 263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe 30 PID 1448 wrote to memory of 2784 1448 263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe 30 PID 2784 wrote to memory of 2772 2784 263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe 31 PID 2784 wrote to memory of 2772 2784 263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe 31 PID 2784 wrote to memory of 2772 2784 263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe 31 PID 2784 wrote to memory of 2772 2784 263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe 31 PID 2772 wrote to memory of 2588 2772 explorer.exe 32 PID 2772 wrote to memory of 2588 2772 explorer.exe 32 PID 2772 wrote to memory of 2588 2772 explorer.exe 32 PID 2772 wrote to memory of 2588 2772 explorer.exe 32 PID 2772 wrote to memory of 2580 2772 explorer.exe 33 PID 2772 wrote to memory of 2580 2772 explorer.exe 33 PID 2772 wrote to memory of 2580 2772 explorer.exe 33 PID 2772 wrote to memory of 2580 2772 explorer.exe 33 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe"C:\Users\Admin\AppData\Local\Temp\263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Users\Admin\AppData\Local\Temp\263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe"C:\Users\Admin\AppData\Local\Temp\263fc6fc9efa4c05a08d9ff1fc7bb060a7b8f376f82afa17fd3fc267bc8e8032.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\syswow64\explorer.exe"C:\Windows\syswow64\explorer.exe"3⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\syswow64\svchost.exe-k netsvcs4⤵
- System Location Discovery: System Language Discovery
PID:2588
-
-
C:\Windows\syswow64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:2580
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628