Overview

overview

10

Static

static

10

3c380d5492...97.exe

windows7-x64

10

3c380d5492...97.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-12-2024 19:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c380d5492add3084df3876e715ef641ae0ba910cf84395e2f1f22bee33dad97.exe

  • Size

    4.6MB

  • MD5

    87ed0fc8118723ea66be965e8cea3764

  • SHA1

    bcc642835880fbf922cc2b029d362b3d82fac938

  • SHA256

    3c380d5492add3084df3876e715ef641ae0ba910cf84395e2f1f22bee33dad97

  • SHA512

    70974198ed89c9a325c03b3c78c1576d90b8a83b7adf3735fdfe2f30ea83309ba76bc34a3c78e9eb52defb161e5d5fb0e8813690a3960ce74975a2655b3f359a

  • SSDEEP

    98304:lpzHHcNCDnfENtGVKSqnJe9pANQvlsisx:ldHHcN2nfENGOYvlsjx

Score
10/10
credential_accessdefense_evasiondiscoveryexecutionimpactransomwarespywarestealer

Malware Config

Extracted

Path

C:\Program Files\Crashpad\reports\HOW TO RESTORE YOUR FILES.TXT

Ransom Note
Hello! All your files are encrypted and only we can decrypt them. Contact us: [email protected] or [email protected] Write us if you want to return your files - we can do it very quickly! The header of letter must contain extension of encrypted files. We always reply within 24 hours. If not - check spam folder, resend your letter or try send letter from another email service (like protonmail.com). Attention! Do not rename or edit encrypted files: you may have permanent data loss. To prove that we can recover your files, we am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups). HURRY UP! If you do not email us in the next 48 hours then your data may be lost permanently.

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (8193) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c380d5492add3084df3876e715ef641ae0ba910cf84395e2f1f22bee33dad97.exe
    "C:\Users\Admin\AppData\Local\Temp\3c380d5492add3084df3876e715ef641ae0ba910cf84395e2f1f22bee33dad97.exe"
    1⤵
    • Drops startup file
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vabdwvhfsfjjcvf.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4380
      • C:\Windows\system32\sc.exe
        SC QUERY
        3⤵
        • Launches sc.exe
        PID:1728
      • C:\Windows\system32\findstr.exe
        FINDSTR SERVICE_NAME
        3⤵
          PID:1160
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nnfpejdf.bat
        2⤵
          PID:4780
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gpkgtexygoj.bat
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4744
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:5100
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\menghftiqkgyslvfk.bat
          2⤵
            PID:2008
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3596

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Crashpad\reports\HOW TO RESTORE YOUR FILES.TXT
          Filesize

          758B

          MD5

          362c51682bf01718f78792252759ea48

          SHA1

          d2a7021fad7dc0551a9b19274d114fdebd0d24db

          SHA256

          8104414020397799ae6c4f779a8486a8a5c2975f4a5cee250151ccfa9911f8ab

          SHA512

          b6ed4e553e0d414cd83025d9c1a4170c8940744364f8662f5e86fbbe4d60c60471c5bd6d58fe28b9aec04b7d09ad9a688093c1632f22baa66cb0c1969a644154

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\gpkgtexygoj.bat
          Filesize

          47B

          MD5

          2202e846ba05d7f0bb20adbc5249c359

          SHA1

          4115d2d15614503456aea14db61d71a756cc7b8c

          SHA256

          0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f

          SHA512

          cd6ce6d89a8e5f75724405bc2694b706819c3c554b042075d5eb47fdb75653235160ac8a85e7425a49d98f25b3886faaaec5599bcf66d20bf6115dc3af4ba9c7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\vabdwvhfsfjjcvf.bat
          Filesize

          43B

          MD5

          55310bb774fff38cca265dbc70ad6705

          SHA1

          cb8d76e9fd38a0b253056e5f204dab5441fe932b

          SHA256

          1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d

          SHA512

          40e5a5e8454ca3eaac36d732550e2c5d869a235e3bbc4d31c4afa038fe4e06f782fa0885e876ad8119be766477fdcc12c1d5d04d53cf6b324e366b5351fc7cd4

          Download Submit