Resubmissions

02-01-2025 17:33

250102-v45y9ssmhk 10

02-01-2025 16:44

250102-t82lza1nfk 10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    02-01-2025 16:44

General

  • Target

    458455e84390b7cdcc4008e104717ef1255245707e3329978a22e0129374d898.exe

  • Size

    160KB

  • MD5

    f33a0c04a1984e22cf953cc811f6d4cf

  • SHA1

    90eb7457e9952738195f7203bdde11ee8a77c8ba

  • SHA256

    458455e84390b7cdcc4008e104717ef1255245707e3329978a22e0129374d898

  • SHA512

    e241c70576f99f84575a05c5d1e9a112e91d3ebb1578d364dac1a0f5d25a8c7fff82ca8aa5e1a5598e7e0800c149f4c648630b41a6ae790e37713040d802d5fb

  • SSDEEP

    3072:vDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368+QBVBuEsMeUI/EQ9BW:R5d/zugZqll3LHVeVB

Malware Config

Signatures

  • Renames multiple (165) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\458455e84390b7cdcc4008e104717ef1255245707e3329978a22e0129374d898.exe
    "C:\Users\Admin\AppData\Local\Temp\458455e84390b7cdcc4008e104717ef1255245707e3329978a22e0129374d898.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\ProgramData\BBB1.tmp
      "C:\ProgramData\BBB1.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1244
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BBB1.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2300
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2924
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x148
    1⤵
      PID:2968

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini

      Filesize

      129B

      MD5

      5b0071920ac9d44af751b66cfa5e06f9

      SHA1

      95ac295a81b4fe0e3487a87ca6f83183c2dca13f

      SHA256

      b2f0c811bea519a1bf88221fc7e89ac367ff03e73caf02f249f2a3b57260c37a

      SHA512

      f7e87b417af76b253c5b8fd8a91e2e1c6cedef0f958fbe7510f29816e47dbe673ee980d89058fc6b2faa4a4a1b5bdd334eabee5e99aaae77302aefb4c02eae8d

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      160KB

      MD5

      be9ced9ae5ccc077207195ddb4c8b681

      SHA1

      8b23c7520fa7ee919999fb41463788bcde75fbf0

      SHA256

      4604dffa6ade545412802ee4534c77026693dfd2cc9179475e8bc8bb8191d021

      SHA512

      1de2d35a518fce90f342dc17f05e410c5c2c4a440763398187590ec41024eb728f451fcc37cb38ca9d9504aabab48ef090ddb794eceae54dc94657d802ccaf88

    • C:\Users\XA2JxFVyZ.README.txt

      Filesize

      6KB

      MD5

      33c9444cf7e7eca4866c050fa0303c45

      SHA1

      96875a5838049c77cdfcaddd6a08f389b8c82194

      SHA256

      8a02f7e128b720e5a74e65de340282ff637b0d7163839cee7f6ee1392dca01cd

      SHA512

      0118ff08a15c15e149cc4acf3a772552742e310aa3a72950f27a53627d8f0b36814d3a6ce0ea5621e9264bbeb66ba9552a4da6e7a281a810aeba9aa2434602f6

    • F:\$RECYCLE.BIN\S-1-5-21-2039016743-699959520-214465309-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      9b189536a6d4169faa18cb76b3592226

      SHA1

      de596a91917e63000badd050629a77bd9e67d9b6

      SHA256

      7a686ce1f148def471232b93615a2bae9646d381c6a86f417cc3a28728f0f171

      SHA512

      25f8834eafd1aa6aabd57e5c1aa24675de6034f88b55f155df4da3d2ba32fde8dc064de13d3a13bec91c8593326b3fe6dbb50db3bde2572fe3fc76ec5635df65

    • \ProgramData\BBB1.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/1244-295-0x0000000000401000-0x0000000000404000-memory.dmp

      Filesize

      12KB

    • memory/1244-297-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/1244-326-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/1244-329-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/3044-0-0x0000000000A10000-0x0000000000A50000-memory.dmp

      Filesize

      256KB