Overview

overview

10

Static

static

3

digit_by_h...ns.exe

windows7-x64

10

digit_by_h...ns.exe

windows10-2004-x64

7

digit_by_h...ns.lnk

windows7-x64

3

digit_by_h...ns.lnk

windows10-2004-x64

3

digit_by_h...er.dll

windows7-x64

3

digit_by_h...er.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    94s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-12-2024 17:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    digit_by_helkin86-d377w81/DiGiT/DiGiT/Instructions.exe

  • Size

    880KB

  • MD5

    ba480da41b6ec6f00fc0d7caf9f11cb3

  • SHA1

    f924f6baa35057ea88154faed0213c154eadcfa0

  • SHA256

    47256456d9897ef71eb4a944fbde08aa388aabb85645b5b79ba6dc0c9a106124

  • SHA512

    adfa3b2c264d1bcfa82e2d94187a073905cfe55aa08690a1d9e79d9a6a8bc7fe523e49d8bcbd43beec5ab62e26c558e57e7ff72e46d1aa5973fd77d5a39a0b9f

  • SSDEEP

    24576:9+6LCb7OdjFbdRGe9PiuImyEaNCXhgtNz5WhCdSjD4kbQsbq7480/uSUsQ6F:9pnCe9qIeNCqfb4j1bT

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\digit_by_helkin86-d377w81\DiGiT\DiGiT\Instructions.exe
    "C:\Users\Admin\AppData\Local\Temp\digit_by_helkin86-d377w81\DiGiT\DiGiT\Instructions.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Users\Admin\AppData\Local\Temp\crypted.exe
      "C:\Users\Admin\AppData\Local\Temp\crypted.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1548
      • C:\Users\Admin\AppData\Local\Temp\crypted.exe
        "C:\Users\Admin\AppData\Local\Temp\crypted.exe"
        3⤵
          PID:2960
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Instructions.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:3000

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Instructions.txt
      Filesize

      360B

      MD5

      036d4adeb724a007fb00011734b5a3e2

      SHA1

      1d0f70d7b442bee1741702394dcc917cb13c9064

      SHA256

      e1a0dcf6046381884d91d8e70b48b76548520f2f3fb87391d14b6af0d9609036

      SHA512

      5d02f692e8ff7927498ef750091da86ae2b85b4f73f7ee29721207b1fb4055c0b47f38333dc0e2eaf7b0bca6a50f0291d68826637d4b7d467965c19866979d2f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\crypted.exe
      Filesize

      645KB

      MD5

      d2612794fd2d21874ffb92b2bfef2407

      SHA1

      a74255beeb2a61ef598dd10fd50f8e1ba25a574b

      SHA256

      6eb607fa53c977d8fbd3ad8578f574dad83bebd5daf865a04df0a8afb9daee33

      SHA512

      e0c594217064ac12cc6e780aa4e0b171103d974fbb59113ad9f7763601e24c7f8a91a607dc43179b5e28bab27bf47ee7c16598b1f9569620fc6ef0f83f7accfd

      Download Submit

    • memory/1548-20-0x0000000000400000-0x0000000000408000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3044-0-0x00007FFFD2485000-0x00007FFFD2486000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3044-1-0x000000001B800000-0x000000001B8A6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/3044-2-0x00007FFFD21D0000-0x00007FFFD2B71000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3044-4-0x00007FFFD21D0000-0x00007FFFD2B71000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3044-18-0x00007FFFD21D0000-0x00007FFFD2B71000-memory.dmp

      Filesize

      9.6MB

      Download