Resubmissions

02-01-2025 17:33

250102-v45y9ssmhk 10

02-01-2025 16:44

250102-t82lza1nfk 10

Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-01-2025 16:44

General

  • Target
    458455e84390b7cdcc4008e104717ef1255245707e3329978a22e0129374d898.exe
  • Size
    160KB
  • MD5
    f33a0c04a1984e22cf953cc811f6d4cf
  • SHA1
    90eb7457e9952738195f7203bdde11ee8a77c8ba
  • SHA256
    458455e84390b7cdcc4008e104717ef1255245707e3329978a22e0129374d898
  • SHA512
    e241c70576f99f84575a05c5d1e9a112e91d3ebb1578d364dac1a0f5d25a8c7fff82ca8aa5e1a5598e7e0800c149f4c648630b41a6ae790e37713040d802d5fb
  • SSDEEP
    3072:vDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368+QBVBuEsMeUI/EQ9BW:R5d/zugZqll3LHVeVB

Malware Config

Signatures

  • Renames multiple (148) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\458455e84390b7cdcc4008e104717ef1255245707e3329978a22e0129374d898.exe
    "C:\Users\Admin\AppData\Local\Temp\458455e84390b7cdcc4008e104717ef1255245707e3329978a22e0129374d898.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3260
    • C:\ProgramData\9078.tmp
      "C:\ProgramData\9078.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9078.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1644
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini
    Filesize: 129B
    MD5: 6f7860d62985df9f2448083724911c29
    SHA1: ae5d66585bfea9d59364869feb16c606cd22dd25
    SHA256: a5e7e16d999975fc9def44b5619eb38485ac594e734d1a754d629045a5334dd1
    SHA512: 0eb828d8e22da2fc26c3a762c4e9381c96475ea64ece0e3f3b20d4c49cfc495a7ac16ddb39570671c1184f1a501dda36c050ea355c3d3579913d2ea4bcb3c0ea

  • C:\ProgramData\9078.tmp
    Filesize: 14KB
    MD5: 294e9f64cb1642dd89229fff0592856b
    SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
    Filesize: 160KB
    MD5: 04bcfc8500e4fcd14e7650ab43b6f9b2
    SHA1: b6f3541112e93332f2e1e78d9451e691ff899b84
    SHA256: 660dfe871ae2e698c4f9804d08913310153e3a83761055f58166a0f7d11fefd2
    SHA512: 6ed42a4a0337305f148f20d7debe4db05b0adca8e360334d95f733018a6e41c36c05e2a7bd87eafcabf6ded185cb4a1ce8b13a64f58845b6717ded292d85976a

  • C:\Users\XA2JxFVyZ.README.txt
    Filesize: 6KB
    MD5: 22cef9141180558a1d7e327b1b61723f
    SHA1: 93aaa4eea02e58b618a97c48db52001e0c928a0e
    SHA256: 501a3219376dd6b3aef37b3321b6e87c6500faa80fbb0dafb9a8d164e62412fd
    SHA512: c948a1abfaf94616d3e10421416f6f4279bd3692e73f6fa95a9664ee04067d106a267a2e4b5c411f6f5c210d1ae4372174d2d0e9541b36dec8eb4d707f241bec

  • F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\DDDDDDDDDDD
    Filesize: 129B
    MD5: a309389892b43b81d3d2ef5fd4ff1075
    SHA1: 558ec7b18737b24b113b0165597187bbb0e1e44d
    SHA256: 5dfbd8c9521c344af4fb368c103ebb7bc8d98d92e55e638dbd820a4f4bdf632c
    SHA512: 918a4e63c411b9a4f808d33fa8d9aa2dfcb259a19fc03730f48b2cf7b755035f6f70e0f7a94c676a63f36776f8041b79c866b03647c4a376a7e8b633af4518a0

  • memory/2784-302-0x000000007FE40000-0x000000007FE41000-memory.dmp
    Filesize: 4KB
  • memory/2784-306-0x000000007FDC0000-0x000000007FDC1000-memory.dmp
    Filesize: 4KB
  • memory/2784-305-0x000000007FE20000-0x000000007FE21000-memory.dmp
    Filesize: 4KB
  • memory/2784-304-0x0000000002940000-0x0000000002950000-memory.dmp
    Filesize: 64KB
  • memory/2784-303-0x0000000002940000-0x0000000002950000-memory.dmp
    Filesize: 64KB
  • memory/2784-336-0x0000000002940000-0x0000000002950000-memory.dmp
    Filesize: 64KB
  • memory/2784-335-0x0000000002940000-0x0000000002950000-memory.dmp
    Filesize: 64KB
  • memory/2784-339-0x000000007FDE0000-0x000000007FDE1000-memory.dmp
    Filesize: 4KB
  • memory/2784-340-0x000000007FE00000-0x000000007FE01000-memory.dmp
    Filesize: 4KB
  • memory/3260-1-0x00000000029C0000-0x00000000029D0000-memory.dmp
    Filesize: 64KB
  • memory/3260-0-0x00000000029C0000-0x00000000029D0000-memory.dmp
    Filesize: 64KB
  • memory/3260-2-0x00000000029C0000-0x00000000029D0000-memory.dmp
    Filesize: 64KB