3e2ba9a25e9891c6dcb75ad73c1262d523e09f0eb3d095ede9ea9d11f42ebc28

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware-master.zip
Size

12.9MB
MD5

255ffabf0788a28c52889e9f9675c9dc
SHA1

4c61f9e16df1705db48ee91ec1a2ab3d84e2f107
SHA256

3e2ba9a25e9891c6dcb75ad73c1262d523e09f0eb3d095ede9ea9d11f42ebc28
SHA512

ccfbf169a47f7bcb653fa04b0b0b10762a594a703eae14f56bb6e0bb2e3ab0b7ee4b3a2c14ade7ee6509fcabfed1a5a4da2e7bf035295e797eba8140079eef3d
SSDEEP

393216:CMa/Yi2nfFSrjISVemu/GyBSFb+JYSWTmZ:CMaUnnlmk+bDSWs

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

7zFM.exe

pid	Process
2192	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exerundll32.exe

pid	Process
2192	7zFM.exe
2660	rundll32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7zFM.exe

description	pid	Process
Token: SeRestorePrivilege	2192	7zFM.exe
Token: 35	2192	7zFM.exe
Token: SeSecurityPrivilege	2192	7zFM.exe
Token: SeSecurityPrivilege	2192	7zFM.exe
Token: SeSecurityPrivilege	2192	7zFM.exe
Token: SeSecurityPrivilege	2192	7zFM.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

7zFM.exe

pid	Process
2192	7zFM.exe
2192	7zFM.exe
2192	7zFM.exe
2192	7zFM.exe
2192	7zFM.exe
2192	7zFM.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7zFM.exe

description	pid	Process	procid_target
PID 2192 wrote to memory of 2660	2192	7zFM.exe	30
PID 2192 wrote to memory of 2660	2192	7zFM.exe	30
PID 2192 wrote to memory of 2660	2192	7zFM.exe	30
PID 2192 wrote to memory of 1952	2192	7zFM.exe	31
PID 2192 wrote to memory of 1952	2192	7zFM.exe	31
PID 2192 wrote to memory of 1952	2192	7zFM.exe	31

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Ransomware-master.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zO098781D6\Ransomware
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2660
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zO09802B38\warna.py
  2⤵
  - Modifies registry class
  PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO09802B38\warna.py

Filesize
650B

MD5
19522678240a7e6d1e5531ed275b6a64

SHA1
01653b2ca19505c7e9a7972df2e7d6784cc627b6

SHA256
6986bfb870797a56611749719d8aabfdfcf272392765692a15c065c42f88c3cf

SHA512
8f2d1efd81a4bafa8d3a50fce740514469a7ccdb2d68f908b9e86d1714ca605525e75a5f0f5ac9dd798299db75810bdf0d06f88e0103609b4d0843ff12d24292

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware-master\Ransomware

Filesize
25KB

MD5
d54b447020c50a74fefeeacd7be46733

SHA1
96f347b8545bde22d52e36d95779dceff0401697

SHA256
d1ebf588dbbcca6b21d20ef37d368d48bf6d7a9cdb6636245010fe87e4533f70

SHA512
415825c912210b5115dab8f2388631120eab7ee98bd7cba04705b700d10e325e1b42b6f8dbe5ff37a3b411a203ae436915d4dd6b655750f354817382d31f0954

Download Submit