Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-11-2024 09:21

General

  • Target: 845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe
  • Size: 246KB
  • MD5: 7f61ab7160ccea4f69fed025fbbfdb30
  • SHA1: 88d06d4124bca680bf28dde09cc1c3995002eef3
  • SHA256: 845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8
  • SHA512: 8ff46db7d1bfddef6bab676c1439207a7b755280720bf83406d95a700eac364ef667978a7e538cc3d6e2836487b38ddc34df288100b510e32d16f013ffd07d98
  • SSDEEP: 6144:clmE5hV/XRG4FmeAs32AcNhunE+AWTWk6+wv:2/XRG4FdAs32AeOWk

Malware Config

Signatures

  • Renames multiple (153) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe
    "C:\Users\Admin\AppData\Local\Temp\845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Users\Admin\AppData\Roaming\trust.exe
      "C:\Users\Admin\AppData\Roaming\trust.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\SysWOW64\mshta.exe
        mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');setInterval(function(){try{o.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\SG','C:\\Users\\Admin\\AppData\\Roaming\\trust.exe');}catch(e){}},10);"
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        PID:2144
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 404
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:1984
    • C:\Windows\SysWOW64\mshta.exe
      mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('C:\\Users\\Admin\\AppData\\Local\\Temp\\845263~1.EXE');close()}catch(e){}},10);"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      PID:2848

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Documents\UnblockPush.xlsx.zendrz
    Filesize: 13KB
    MD5: 37658b23f4ef634b09a9ade55852ef8b
    SHA1: 9d02db256e91db65627b918a41af4577ff56fca9
    SHA256: 555ab3c0718a2dc1299da44eca7d17370683ccf93c67f68e612a7cad9366e930
    SHA512: ed66ec19a8ade118bdaf68a07a880418931019bb42cf68d73a48d272e36230d32575d49902113f2b8a38d25b8eac8e66cca5da2a589c85914ed49a2bc4301409

  • C:\Users\Admin\Favorites\Links for United States\Read Me Please.hta
    Filesize: 3KB
    MD5: 617093764a650bbe933f99d4e88fa6f3
    SHA1: e4bcedd90246512f6f1e4e2593d38f305e6cf4e9
    SHA256: d6004620c25bb1ab3537d796678f1a3e795bac8aedbea7bf43d499920e872980
    SHA512: a40fa2041d8f5025e89b5bc36652e0c88e80f2d8bf921ff619e23e537556525fdce230741054e216ccb07801553fa081ffea16a135e664e2910373fa7ea17411

  • C:\vcredist2010_x86.log.html.zendrz
    Filesize: 82KB
    MD5: c61d2fc01020c25670f1c86fe2e4598c
    SHA1: 79f78056b836666d0dcad15cfe7da56736da1c37
    SHA256: 23ae27f873257850a88713279ee037d1355c3d86d7619ca58da4d31d31f712fe
    SHA512: 93ec5549f8c18b952377c8a9b1809d633a9bfbdbe9c727a4f06d4cccd61ffd25bb46cf0badcb1234cbb44265c4fe19be3ce92739c30c8b464b22d1a279e748dc

  • \Users\Admin\AppData\Roaming\trust.exe
    Filesize: 246KB
    MD5: 7f61ab7160ccea4f69fed025fbbfdb30
    SHA1: 88d06d4124bca680bf28dde09cc1c3995002eef3
    SHA256: 845263c86931440e934cf40f4461dc14903a474f6f5eab4773482842855ba1c8
    SHA512: 8ff46db7d1bfddef6bab676c1439207a7b755280720bf83406d95a700eac364ef667978a7e538cc3d6e2836487b38ddc34df288100b510e32d16f013ffd07d98

  • memory/2724-9-0x0000000000400000-0x0000000000445000-memory.dmp
    Filesize: 276KB

  • memory/2776-492-0x0000000000400000-0x0000000000445000-memory.dmp
    Filesize: 276KB

  • memory/2776-493-0x0000000000400000-0x0000000000445000-memory.dmp
    Filesize: 276KB