Resubmissions

05-12-2024 12:41

241205-pwwsqsvma1 5

05-12-2024 11:48

241205-nyfc4ayqhj 10

Analysis

  • max time kernel
    20s
  • max time network
    21s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-12-2024 12:41

General

  • Target

    Delta V3.61 b_39625297.exe

  • Size

    5.7MB

  • MD5

    15d1c495ff66bf7cea8a6d14bfdf0a20

  • SHA1

    942814521fa406a225522f208ac67f90dbde0ae7

  • SHA256

    61c2c4a5d7c14f77ee88871ded4cc7f1e49dae3e4ef209504c66fedf4d22de42

  • SHA512

    063169f22108ac97a3ccb6f8e97380b1e48eef7a07b8fb20870b9bd5f03d7279d3fb10a69c09868beb4a1672ebe826198ae2d0ea81df4d29f9a288ea4f2b98d8

  • SSDEEP

    98304:+j8ab67Ht6RL8xpH4Tv7wPV6osBsBpPj7cZ+KCojTeEL78rqNkIi+bn:+j8aatLPV6oPrk38rqNj

Score
5/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Delta V3.61 b_39625297.exe
    "C:\Users\Admin\AppData\Local\Temp\Delta V3.61 b_39625297.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4696
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Opens file in notepad (likely ransom note)
      PID:3580

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\link.txt

    Filesize

    57B

    MD5

    9b666c546debb465703eec8f5f033844

    SHA1

    841e51060ed5183f3fcff2fabb457f59219de2dc

    SHA256

    6987739b9adac2a8e5382dff6b8f2dedd59b8c0ac4c8c99e2858de886e8ce582

    SHA512

    a9449e545534e26663dd99333cbbbb2a682dd0cdaad1b4c27d38e51bb02aa0b9d1160875f7f4068dbaa112e6ddcbe76f86c776ea1e6b5aed26876053f7ef615a