Overview

overview

10

Static

static

6

DUMP_00A10...iR.exe

windows7-x64

7

DgH5SjZFle...DI.exe

windows7-x64

10

Dumped_.exe

windows7-x64

7

EntrateSetup.exe

windows7-x64

9

ErrorFileRemover.exe

windows7-x64

10

ExtraTools.exe

windows7-x64

7

F45F47EDCE...54.exe

windows7-x64

10

decrypt_00...00.exe

windows7-x64

6

dffde400ad...3d.exe

windows7-x64

10

dircrypt.deobf.exe

windows7-x64

10

dma locker 4.0.exe

windows7-x64

9

downloader.js

windows7-x64

10

dump.mem.exe

windows7-x64

6

e0ff79cc94...ss.exe

windows7-x64

7

e37dc428ec...ad.vbs

windows7-x64

1

e5df2d114c...8a.exe

windows7-x64

10

e6c4ae4709...ss.exe

windows7-x64

7

e77df2ce34...2d.exe

windows7-x64

1

e8e07496df...d2.exe

windows7-x64

ea8292721a...1e.exe

windows7-x64

5

eaa857c95f...er.dll

windows7-x64

1

ed3a685ca6...91.exe

windows7-x64

9

edffa07d66...9d5.js

windows7-x64

10

encrypter.exe

windows7-x64

10

encryptor_...81.exe

windows7-x64

9

f002618c01...35.apk

windows7-x64

3

f213e54c85...ea.exe

windows7-x64

1

f2c8eee2cd...3f.exe

windows7-x64

10

f31bfe95e3...7_.exe

windows7-x64

7

f6a8d7a429...da.exe

windows7-x64

10

f915110765...da.exe

windows7-x64

7

fb8823e949...-0.dll

windows7-x64

1

Analysis

  • max time kernel
    599s
  • max time network
    600s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 03:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe

  • Size

    1.2MB

  • MD5

    0ced87772881b63caf95f1d828ba40c5

  • SHA1

    6e5fca51a018272d1b1003b16dce6ee9e836908c

  • SHA256

    ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791

  • SHA512

    65f3a52930dd560cf27a9a6e7386ae1bba22d663a1112b44fa1db043bd0b980f7dcb1d5fe21b873bb93db69c5c4d0b3c7dcf13ea110836970454b56dc16e57bb

  • SSDEEP

    24576:DxIWmj1GwuqWt6GoXrxv7EJoD7p1YQzA+GdctrOvpk5P4TB5tP9P6F:Dnqqo5PzA+Gda4TB5tFP6F

Score
9/10
defense_evasiondiscoveryexecutionimpactransomwarespywarestealer

Malware Config

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe
    "C:\Users\Admin\AppData\Local\Temp\ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1076
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:1168
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=2 get deviceid | findstr . > %tmp%\y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic logicaldisk where drivetype=2 get deviceid
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1424
      • C:\Windows\SysWOW64\findstr.exe
        findstr .
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2568
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=3 get deviceid | findstr . > %tmp%\y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic logicaldisk where drivetype=3 get deviceid
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2900
      • C:\Windows\SysWOW64\findstr.exe
        findstr .
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2928
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=4 get deviceid | findstr . > %tmp%\y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic logicaldisk where drivetype=4 get deviceid
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2744
      • C:\Windows\SysWOW64\findstr.exe
        findstr .
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2780
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C wmic path win32_physicalmedia get SerialNumber | findstr . > %tmp%\y && wmic cpu get ProcessorId | findstr . >> %tmp%\y && wmic path win32_BASEBOARD get Product | findstr . >> %tmp%\y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic path win32_physicalmedia get SerialNumber
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2040
      • C:\Windows\SysWOW64\findstr.exe
        findstr .
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2144
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic cpu get ProcessorId
        3⤵
        • System Location Discovery: System Language Discovery
        PID:448
      • C:\Windows\SysWOW64\findstr.exe
        findstr .
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2260
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic path win32_BASEBOARD get Product
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1152
      • C:\Windows\SysWOW64\findstr.exe
        findstr .
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1976
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2332

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\y
    Filesize

    83B

    MD5

    445e94a8ece8238758d3a897fef6822b

    SHA1

    2c5e5cb3ce480d98d74fe5a0ed23d31848ebb407

    SHA256

    543e763d191bc04c5564cf6521eeff6c154b74415575303c72b46f32bd24594b

    SHA512

    c6347eb9214eab5b8e2f61358153244203480c11d4d83f83e1e37cdd3f922a6e50c5568618fb27cb2a70487d7b9bea44614a065631934fca5894a6daec1f82a6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\y
    Filesize

    39B

    MD5

    730a1c06f8273df68828bbebb3e1fab0

    SHA1

    1c269bdd515ca992df2c07c2b4c0eda26f1a6c91

    SHA256

    da51411ba8d69f112382c4ada4c02ad9e5ab3fcececca4bd50bb11122e473679

    SHA512

    1d56e0d3704d75dff9f20347ff3e712c114a1d9e5383e6356a71a9705dd4a3bb311c174c6d026cc60707abc56f7bfda011293a8dbd7f79a299fb712d3ad33f30

    Download Submit