Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-11-2024 12:04

General

  • Target

    421f922658b985855a580ad3d6736c55817d252a9d6104c944786f7aae393b6bN.exe

  • Size

    156KB

  • MD5

    12ee1481a91f84a0bc71b45aa00844b0

  • SHA1

    309d2273d6875c14acb8976c429e022d9ed5a6ee

  • SHA256

    421f922658b985855a580ad3d6736c55817d252a9d6104c944786f7aae393b6b

  • SHA512

    e3293bc77e8177f7abc3a8b51ce05c20941735f9f3c9902201c8f7907529a25d3e1654704b7163324a6ed3b8604e6002ddcc7aa79ef2a8ec609ea548d160075a

  • SSDEEP

    3072:+DDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368JmSLTFh1zgH3/W:I5d/zugZqll30SD1gH3

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\421f922658b985855a580ad3d6736c55817d252a9d6104c944786f7aae393b6bN.exe
    "C:\Users\Admin\AppData\Local\Temp\421f922658b985855a580ad3d6736c55817d252a9d6104c944786f7aae393b6bN.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\ProgramData\AD30.tmp
      "C:\ProgramData\AD30.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\AD30.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2152
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2728
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
    PID:1548

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini

      Filesize

      129B

      MD5

      5dd4652c4132a7533b758ae4c93d90c8

      SHA1

      69e64122b1279f99bdee9dd40267db483dd418ca

      SHA256

      03db76a96495ab5e54cd8db74a42103ff22ac52ac646a00bd68407deadba814e

      SHA512

      729d5364709903643afbb3e79bd2b4a8a33fd3c715b9d4740ef43beaaa56cfb914080e5f6d096762d518b523f2541d7b49939149eccb481a85fd631282ae19d9

    • C:\ProgramData\AD30.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      156KB

      MD5

      fd8aa8ad632919b8873343f610d24339

      SHA1

      23380ef3d6147306ae96b3f910b5de7d64deaf4a

      SHA256

      e0f55cb1e8f5630d1bbcec6380f83245aa18b13232d3f63cde5c2241a821536b

      SHA512

      6cbf2e68fbc114842b86ada7b00425991894c4a12310a863e30143e480cc3b8bda9bdd796456cd7d7b1c7c25e7bd127178869ec5eb39055c942f1105d940567f

    • F:\$RECYCLE.BIN\S-1-5-21-2039016743-699959520-214465309-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      196c4afcd528d2ff38a7df4ecfaf759c

      SHA1

      c3c7835d560b8b8d66ffa61e139c1d06be338237

      SHA256

      414e1246f60e8aaf64b131dc87e520d360a3060e5deee5a288046c71a7ca60f6

      SHA512

      2223c36adc67498d1cf878c2ea6ffbb64311db07d0f38728dd7a70e0ac83af7c0d98337a5fedb43085b575c50c035e0f21134fe2212c6611fac0886129d3692a

    • memory/1564-88-0x0000000000401000-0x0000000000404000-memory.dmp

      Filesize

      12KB

    • memory/1564-90-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/1564-119-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/1564-122-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/2920-0-0x0000000002070000-0x00000000020B0000-memory.dmp

      Filesize

      256KB