c96b41fac848211321861fcf957e5f475a950c56f9024f792e5c9584f1fbd3ef

Analysis

max time kernel
239s
max time network
245s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
Size

195KB
MD5

f75957ce3208ef38cfaae1e46bf5dad9
SHA1

4633cb0d8a55d8d9252a4e61a786f0b3110af74e
SHA256

74456d286d471069dee7171ce654f910722ef0ddf42e701337c2b4a1e0f5c36c
SHA512

29db93c1920e14bba0f668a5ad9a5ba39f960f68fa9188bb968c4dcd32a1013e2776fa7897e97667b7f870ee16b01bcb6576cc25a25eba9b0d3e000f31df061d
SSDEEP

3072:DwJ52Y7ZoH5XJaT45embG1bMxXa6LTDRQb73WMRqIlDoUtSVEPvKbSts:DwHysTtMG16XNY77qCoTVqVW

Score

9^/10

defense_evasion discovery execution impact persistence ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ransomware1061911a3e0a74827a76bbd7bfe16d20.exe9784bb35.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	9784bb35.exe

Deletes itself 1 IoCs

Processes:

9784bb35.exe

pid process

2784 9784bb35.exe
Executes dropped EXE 2 IoCs

Processes:

9784bb35.exe9784bb35.exe

pid process

2288 9784bb35.exe
2784 9784bb35.exe

pid	process
2784	9784bb35.exe

pid	process
2288	9784bb35.exe
2784	9784bb35.exe

Loads dropped DLL 7 IoCs

Processes:

ransomware1061911a3e0a74827a76bbd7bfe16d20.exeransomware1061911a3e0a74827a76bbd7bfe16d20.exe9784bb35.exe

pid	process
2748	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
2748	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
2804	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
2804	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
2804	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
2288	9784bb35.exe
2288	9784bb35.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9784bb35.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\*9784bb35.exe = "C:\\Users\\Admin\\AppData\\Roaming\\9784bb35.exe"	9784bb35.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ransomware1061911a3e0a74827a76bbd7bfe16d20.exe9784bb35.exe

description	pid	process	target process
PID 2748 set thread context of 2804	2748	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
PID 2288 set thread context of 2784	2288	9784bb35.exe	9784bb35.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ransomware1061911a3e0a74827a76bbd7bfe16d20.exeransomware1061911a3e0a74827a76bbd7bfe16d20.exe9784bb35.exe9784bb35.exevssadmin.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9784bb35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9784bb35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\9784bb35.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\9784bb35.exe	nsis_installer_2

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

2504 vssadmin.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2596 vssvc.exe
Token: SeRestorePrivilege 2596 vssvc.exe
Token: SeAuditPrivilege 2596 vssvc.exe

pid	process
2504	vssadmin.exe

description	pid	process
Token: SeBackupPrivilege	2596	vssvc.exe
Token: SeRestorePrivilege	2596	vssvc.exe
Token: SeAuditPrivilege	2596	vssvc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

ransomware1061911a3e0a74827a76bbd7bfe16d20.exeransomware1061911a3e0a74827a76bbd7bfe16d20.exe9784bb35.exe9784bb35.exe

description	pid	process	target process
PID 2748 wrote to memory of 2804	2748	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
PID 2748 wrote to memory of 2804	2748	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
PID 2748 wrote to memory of 2804	2748	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
PID 2748 wrote to memory of 2804	2748	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
PID 2748 wrote to memory of 2804	2748	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
PID 2748 wrote to memory of 2804	2748	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
PID 2748 wrote to memory of 2804	2748	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
PID 2748 wrote to memory of 2804	2748	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
PID 2748 wrote to memory of 2804	2748	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
PID 2748 wrote to memory of 2804	2748	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
PID 2804 wrote to memory of 2288	2804	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe	9784bb35.exe
PID 2804 wrote to memory of 2288	2804	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe	9784bb35.exe
PID 2804 wrote to memory of 2288	2804	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe	9784bb35.exe
PID 2804 wrote to memory of 2288	2804	ransomware1061911a3e0a74827a76bbd7bfe16d20.exe	9784bb35.exe
PID 2288 wrote to memory of 2784	2288	9784bb35.exe	9784bb35.exe
PID 2288 wrote to memory of 2784	2288	9784bb35.exe	9784bb35.exe
PID 2288 wrote to memory of 2784	2288	9784bb35.exe	9784bb35.exe
PID 2288 wrote to memory of 2784	2288	9784bb35.exe	9784bb35.exe
PID 2288 wrote to memory of 2784	2288	9784bb35.exe	9784bb35.exe
PID 2288 wrote to memory of 2784	2288	9784bb35.exe	9784bb35.exe
PID 2288 wrote to memory of 2784	2288	9784bb35.exe	9784bb35.exe
PID 2288 wrote to memory of 2784	2288	9784bb35.exe	9784bb35.exe
PID 2288 wrote to memory of 2784	2288	9784bb35.exe	9784bb35.exe
PID 2288 wrote to memory of 2784	2288	9784bb35.exe	9784bb35.exe
PID 2784 wrote to memory of 2504	2784	9784bb35.exe	vssadmin.exe
PID 2784 wrote to memory of 2504	2784	9784bb35.exe	vssadmin.exe
PID 2784 wrote to memory of 2504	2784	9784bb35.exe	vssadmin.exe
PID 2784 wrote to memory of 2504	2784	9784bb35.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
"C:\Users\Admin\AppData\Local\Temp\ransomware1061911a3e0a74827a76bbd7bfe16d20.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\ransomware1061911a3e0a74827a76bbd7bfe16d20.exe
  "C:\Users\Admin\AppData\Local\Temp\ransomware1061911a3e0a74827a76bbd7bfe16d20.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Roaming\9784bb35.exe
    "C:\Users\Admin\AppData\Roaming\9784bb35.exe" C:\Users\Admin\AppData\Local\Temp\RANSOM~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Users\Admin\AppData\Roaming\9784bb35.exe
      "C:\Users\Admin\AppData\Roaming\9784bb35.exe" C:\Users\Admin\AppData\Local\Temp\RANSOM~1.EXE
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
        5⤵
        System Location Discovery: System Language Discovery
        Interacts with shadow copies
        
        PID:2504

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bhajan.x

Filesize
100KB

MD5
003be194a4c2f7d800ab88dfca6a321c

SHA1
2495c7dfee325c9ffe7f5c60874371c055a623d1

SHA256
1a23271495ccac2afea48c2747b22612811081906b630b5b1707e3a92f395816

SHA512
3af7d5f1c562a6786fde34d7b8b93484e81c427a0caa85d1875d279bff428402571314d1d5e508423682115f076cdda79acf97c86511088196fc6349b1838f79

Download Submit
\Users\Admin\AppData\Local\Temp\nse7F3F.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
\Users\Admin\AppData\Local\Temp\profitability.dll

Filesize
96KB

MD5
774d0a49fa5fa5b050914358e3bf30c9

SHA1
24aefc2f6940b3f2e7fda172cde69182b73e99f6

SHA256
f59b09deabe3cd539fef7a758a44b7eca9cd23941d2ae111272a9fba9e8ecd00

SHA512
f9edce756200df32782f9f3715fc683103e4b87661ea98cc991f58b72010b1203e43790712919049ca315039a4f7fa4411cc9b0b7a808d4768dfa5753904fcf1

Download Submit
\Users\Admin\AppData\Roaming\9784bb35.exe

Filesize
195KB

MD5
f75957ce3208ef38cfaae1e46bf5dad9

SHA1
4633cb0d8a55d8d9252a4e61a786f0b3110af74e

SHA256
74456d286d471069dee7171ce654f910722ef0ddf42e701337c2b4a1e0f5c36c

SHA512
29db93c1920e14bba0f668a5ad9a5ba39f960f68fa9188bb968c4dcd32a1013e2776fa7897e97667b7f870ee16b01bcb6576cc25a25eba9b0d3e000f31df061d

Download Submit
memory/2288-54-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2748-9-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2784-78-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2784-74-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2784-73-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2784-71-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2804-22-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2804-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2804-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2804-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2804-41-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2804-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2804-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2804-16-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2804-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2804-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2804-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download