Overview

overview

10

Static

static

6

D02D012970...94.exe

windows7-x64

1

DBm0yQwt.exe.ViR.exe

windows7-x64

10

ca6ec46ee9...52.apk

windows7-x64

3

calc.exe

windows7-x64

7

ccc71c83c8...B3.exe

windows7-x64

7

ccc71c83c8...68.exe

windows7-x64

7

cd2d085998...-0.dll

windows7-x64

8

cdffb7e75b...ss.exe

windows7-x64

3

cf7382c25a...c9.exe

windows7-x64

6

cgi19-alpt...e_.exe

windows7-x64

7

chrst.exe

windows7-x64

3

ci05l2a.exe

windows7-x64

cl.exe

windows7-x64

7

clean.exe

windows7-x64

3

coinvault.exe

windows7-x64

9

com_loader.exe

windows7-x64

3

csrss.ex_.exe

windows7-x64

6

d.exe

windows7-x64

3

d0a5cfec8e...B3.exe

windows7-x64

7

d0a5cfec8e...A6.exe

windows7-x64

7

d2164cdbc9...FB.exe

windows7-x64

3

d2164cdbc9...08.exe

windows7-x64

7

d4439055d2..._1.dll

windows7-x64

3

d54d2a216e...96.exe

windows7-x64

7

d5f29750a8...c5.apk

windows7-x64

3

d6c32b0146...4d.zip

windows7-x64

9

d889734783...48.exe

windows7-x64

daaa72f48b...2d.exe

windows7-x64

9

ddbf1840bf...e2.exe

windows7-x64

10

de882c049b..._3.dll

windows7-x64

3

decrypt.exe

windows7-x64

3

decrypted.ex_.exe

windows7-x64

6

Analysis

  • max time kernel
    298s
  • max time network
    303s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 03:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d6c32b0146f219bdcb5cf524ea9e0047d9b9bd0fd7c395d5b11cbc4c3298824d.zip

  • Size

    284KB

  • MD5

    3751a4a1f68718405518d107a8bcc563

  • SHA1

    c58fe7477c0a639e64bcf1a49df79dee58961a34

  • SHA256

    d6c32b0146f219bdcb5cf524ea9e0047d9b9bd0fd7c395d5b11cbc4c3298824d

  • SHA512

    8fa33e5682069baf48c0e85375a4151356e5917d63fbe62642c1dc9f33ce77881a359c2300e2d221bce297fbe7349a66b55cc47ff8502125b2a44c23d59e8dfd

  • SSDEEP

    6144:ZcQu7L20QOPNMNYKEdf7Q0chT7WbK1xb5a:S20Q1YKMfE06ja

Score
9/10
collectiondefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwaretrojan

Malware Config

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\d6c32b0146f219bdcb5cf524ea9e0047d9b9bd0fd7c395d5b11cbc4c3298824d.zip"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Users\Admin\AppData\Local\Temp\7zOC2892327\Transazione.Pdf______________________________________________________________.exe
      "C:\Users\Admin\AppData\Local\Temp\7zOC2892327\Transazione.Pdf______________________________________________________________.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:660
      • C:\Users\Admin\AppData\Local\Temp\7zOC2892327\Transazione.Pdf______________________________________________________________.exe
        "C:\Users\Admin\AppData\Local\Temp\7zOC2892327\Transazione.Pdf______________________________________________________________.exe"
        3⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\SysWOW64\explorer.exe
          "C:\Windows\system32\explorer.exe"
          4⤵
          • Accesses Microsoft Outlook accounts
          • Accesses Microsoft Outlook profiles
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          • outlook_win_path
          PID:2300
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin.exe Delete Shadows /All /Quiet
            5⤵
            • System Location Discovery: System Language Discovery
            • Interacts with shadow copies
            PID:2900
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1980

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\yvycuvufavytimur\01000000
    Filesize

    446KB

    MD5

    9db79db6cb4edab84bd158bf26e50e12

    SHA1

    6661cc46a228ef880446ce4e19c07cc465d8091c

    SHA256

    30b806f6572a13fb68c4a6112b2f16f90931fabdb4d7441b091ea4867e410061

    SHA512

    5dd5c3a35fd1a50fd308f8cea6dc8a5278000bdefe75b1fc1ae39af07d75a3abb61a816cfc640a40fb42b40993f2aa1b1286bdce8768152f4a68820a6b657457

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7zOC2892327\Transazione.Pdf______________________________________________________________.exe
    Filesize

    446KB

    MD5

    93cbe4ed3d46abe732a124a41e7147a2

    SHA1

    94a24be60d90479ce27f7787a86678472aabdc6e

    SHA256

    89e71eb0a6403725d2f95cb9e6506b8b139a6948a61dc1c5cfedf18648241ec4

    SHA512

    8f46af90d8a2d78da003a8a395fd7f74cc235595238ee3a3e4d87fee2aa4c8abf6ece403bb3726122d3825437f5d079ea1f8d6b275153bb76b3b0d75c243ef09

    Download Submit

  • memory/2300-31-0x0000000000080000-0x00000000000BD000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2300-43-0x0000000000080000-0x00000000000BD000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2300-42-0x0000000000080000-0x00000000000BD000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2300-39-0x0000000000080000-0x00000000000BD000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2300-30-0x0000000000080000-0x00000000000BD000-memory.dmp

    Filesize

    244KB

    Download

  • memory/2704-23-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2704-14-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2704-17-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2704-19-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2704-21-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2704-25-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2704-34-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2704-28-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2704-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download