Analysis
-
max time kernel
12s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
25-11-2024 01:10
General
-
Target
ransom/Build.bat
-
Size
741B
-
MD5
4e46e28b2e61643f6af70a8b19e5cb1f
-
SHA1
804a1d0c4a280b18e778e4b97f85562fa6d5a4e6
-
SHA256
8e83a1727696ced618289f79674b97305d88beeeabf46bd25fc77ac53c1ae339
-
SHA512
009b17b515ff0ea612e54d8751eef07f1e2b54db07e6cd69a95e7adf775f3c79a0ea91bff2fe593f2314807fdc00c75d80f1807b7dbe90f0fcf94607e675047b
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\ransom\Build.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ransom\keygen.exekeygen -path C:\Users\Admin\AppData\Local\Temp\ransom\Build -pubkey pub.key -privkey priv.key2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Users\Admin\AppData\Local\Temp\ransom\builder.exebuilder -type dec -privkey C:\Users\Admin\AppData\Local\Temp\ransom\Build\priv.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3Decryptor.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Users\Admin\AppData\Local\Temp\ransom\builder.exebuilder -type enc -exe -pubkey C:\Users\Admin\AppData\Local\Temp\ransom\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Users\Admin\AppData\Local\Temp\ransom\builder.exebuilder -type enc -exe -pass -pubkey C:\Users\Admin\AppData\Local\Temp\ransom\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_pass.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Users\Admin\AppData\Local\Temp\ransom\builder.exebuilder -type enc -dll -pubkey C:\Users\Admin\AppData\Local\Temp\ransom\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_Rundll32.dll2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Users\Admin\AppData\Local\Temp\ransom\builder.exebuilder -type enc -dll -pass -pubkey C:\Users\Admin\AppData\Local\Temp\ransom\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_Rundll32_pass.dll2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
C:\Users\Admin\AppData\Local\Temp\ransom\builder.exebuilder -type enc -ref -pubkey C:\Users\Admin\AppData\Local\Temp\ransom\Build\pub.key -config config.json -ofile C:\Users\Admin\AppData\Local\Temp\ransom\Build\LB3_ReflectiveDll_DllMain.dll2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344B
MD57394c82605c05303014951ffd2a09c56
SHA1c97c1a435a6498d9c22a6e55551b2e6843645c5f
SHA256657399280a211394f0e7789680b88e428a999458fb8d29494648fe1805ad198d
SHA5120364817ded401c16e193c6c72b1d73e2e1e07aac300b009b895109f4fb988958818d6949a18e9a697385624b8b7f21e953b73559e85ca1b8258eac5784f3bc61
-
Filesize
344B
MD50a890fa1564a45b37d9580836d476469
SHA111ad6073ea0804e628603cb65d5b60d7ab3820ec
SHA256c5f3810ec58ea47aca34c246ced34ff0b70dbd87dc86c0dde081981b9e8ba47c
SHA512fb831654bcd3bf3d066c075184d73e652973098aae741da561e10b57ad8de704ba97059f50e4c599fd9366bf527aa820ccb3044d1a0fda09e963be86911fa3ad