8b0f9d248e67199bb7f1a778a03e4caee7d267e61d8a7d70fa1c1f6d7944e96a

Analysis

max time kernel
1442s
max time network
1447s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4561647.exe
Size

7KB
MD5

ebbc82f619471384f392efd5c4d05883
SHA1

17d91b45c8615d0f09d1100d2be396cbcba21fde
SHA256

e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c
SHA512

3e33bd22c440e9ab4a065d216467c1220780aa2a39a38ea4aec81d050d3e6048e87244341fbeac2cdefebae9fe987b713e0d4fcf34adf1390b5ccda6dd448241
SSDEEP

96:uP/EuJO5ER8KDGrru1M2mIspl5SgOj9/xVKzAQTH1osaxnkK:unE5ORTD91M2mIGyxhp2AQRONkK

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (980) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

WScript.exe

pid process

1056 WScript.exe

pid	process
1056	WScript.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4561647.exe

description	ioc	process
File opened (read-only)	\??\E:	4561647.exe
File opened (read-only)	\??\H:	4561647.exe
File opened (read-only)	\??\O:	4561647.exe
File opened (read-only)	\??\T:	4561647.exe
File opened (read-only)	\??\I:	4561647.exe
File opened (read-only)	\??\L:	4561647.exe
File opened (read-only)	\??\P:	4561647.exe
File opened (read-only)	\??\R:	4561647.exe
File opened (read-only)	\??\J:	4561647.exe
File opened (read-only)	\??\K:	4561647.exe
File opened (read-only)	\??\N:	4561647.exe
File opened (read-only)	\??\Q:	4561647.exe
File opened (read-only)	\??\W:	4561647.exe
File opened (read-only)	\??\X:	4561647.exe
File opened (read-only)	\??\Y:	4561647.exe
File opened (read-only)	\??\G:	4561647.exe
File opened (read-only)	\??\M:	4561647.exe
File opened (read-only)	\??\S:	4561647.exe
File opened (read-only)	\??\U:	4561647.exe
File opened (read-only)	\??\V:	4561647.exe
File opened (read-only)	\??\Z:	4561647.exe

Drops file in Program Files directory 64 IoCs

Processes:

4561647.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\gadget.xml._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\weather.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIP.JPG._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN096.XML._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382836.JPG._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01239K.JPG._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\OliveGreen.css._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\BTOPENWORLD.COM.XML._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\gadget.xml._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\HandPrints.jpg._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue.css._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\SETUP.XML._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\DATES.XML._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\settings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME40.CSS._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIcons.jpg._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL002.XML._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\cpu.css._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145904.JPG._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Grid.xml._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Maroon.css._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Technic.xml._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImages.jpg._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\init.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\settings.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148757.JPG._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387591.JPG._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Paper.xml._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03041I.JPG._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME45.CSS._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10R.CHM._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePageScript.js._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Sts2.css._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCOUPON.XML._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.BusinessData.xml._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.JPG._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384900.JPG._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate.css._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIcons.jpg._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceYi.txt._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\gadget.xml._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387578.JPG._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\PAWPRINT.HTM._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\InfoPathWelcomeImage.jpg._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\!_READ_ME_!.txt	4561647.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\helpmap.txt._CRYPT	4561647.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImage.jpg._CRYPT	4561647.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4561647.exeWScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4561647.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4561647.exe

description	pid	process	target process
PID 2476 wrote to memory of 1056	2476	4561647.exe	WScript.exe
PID 2476 wrote to memory of 1056	2476	4561647.exe	WScript.exe
PID 2476 wrote to memory of 1056	2476	4561647.exe	WScript.exe
PID 2476 wrote to memory of 1056	2476	4561647.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\4561647.exe
"C:\Users\Admin\AppData\Local\Temp\4561647.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4561647.vbs"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\!_READ_ME_!.txt

Filesize
502B

MD5
d77ef60365a97e613df9b8d14a4a1e5f

SHA1
95144eed42fed5f7f4e022fd673c7e461bf5d38c

SHA256
1f373d14bb2276f95b7b7f2ad46f330ecec9853f8bfb859b3c78d92e7e7eac8d

SHA512
5e460e0717ebd6c368dc6cfd92907518105f2221ee04028c16697be5f75157003e6f3fbf46e879ce133f94e3830cf0d3aa3996bf52bcf2b78d9a952b2ccadbf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4561647.vbs

Filesize
373B

MD5
5c9b9a4fe85362e6c42b9ace3f231981

SHA1
ee667214f20c1ee5551c522b27a4f3252fee3e24

SHA256
7a5df25d2805fd496a47c6c2315d3dcea10d14d85b159c1fe9113430cc25bb3e

SHA512
8248243f786049f80304ae76e8a9d5e1ac182f5ad9d1e37998f771acb6e4aebf54a2ec08650cf472a921ab1a8a7462e3b0ff340054b1bab1da4facc10c6039fc

Download Submit
memory/2476-121-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download
memory/2476-1618-0x0000000000400000-0x0000000000507000-memory.dmp

Filesize
1.0MB

Download