Resubmissions

02-01-2025 17:33

250102-v45y9ssmhk 10

02-01-2025 16:44

250102-t82lza1nfk 10

Analysis

  • max time kernel
    106s
  • max time network
    94s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    02-01-2025 17:33

General

  • Target

    458455e84390b7cdcc4008e104717ef1255245707e3329978a22e0129374d898.exe

  • Size

    160KB

  • MD5

    f33a0c04a1984e22cf953cc811f6d4cf

  • SHA1

    90eb7457e9952738195f7203bdde11ee8a77c8ba

  • SHA256

    458455e84390b7cdcc4008e104717ef1255245707e3329978a22e0129374d898

  • SHA512

    e241c70576f99f84575a05c5d1e9a112e91d3ebb1578d364dac1a0f5d25a8c7fff82ca8aa5e1a5598e7e0800c149f4c648630b41a6ae790e37713040d802d5fb

  • SSDEEP

    3072:vDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368+QBVBuEsMeUI/EQ9BW:R5d/zugZqll3LHVeVB

Malware Config

Signatures

  • Renames multiple (171) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\458455e84390b7cdcc4008e104717ef1255245707e3329978a22e0129374d898.exe
    "C:\Users\Admin\AppData\Local\Temp\458455e84390b7cdcc4008e104717ef1255245707e3329978a22e0129374d898.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\ProgramData\DCF2.tmp
      "C:\ProgramData\DCF2.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3124
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\DCF2.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3236
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1832
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\XA2JxFVyZ.README.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:3532

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2499603254-3415597248-1508446358-1000\AAAAAAAAAAA
    Filesize: 129B
    MD5: 98aab578e5c5282d9b779330a3e4b4d5
    SHA1: c3ab51261cbddf47c2b38dd79313cde2e6e4caec
    SHA256: 8d05963410c01aae4fde98373e1e989b12e5fd79e030010ceff91d69c00cc55e
    SHA512: 20f66b59024f22b7498943032f04fc5f5d30f79dbff398035a732164f5662df1e8b59f602219db41d92d0169ba6297fa4562bc0928454c1ed771140dd6657fad

  • C:\ProgramData\DCF2.tmp
    Filesize: 14KB
    MD5: 294e9f64cb1642dd89229fff0592856b
    SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
    Filesize: 160KB
    MD5: b6da1153a50dee9845e34bbf6743cd39
    SHA1: 0c052ef222942d23234810fcd9e39bf57f1e7dd9
    SHA256: 414aa6a08ce11cdd63649d6fca90397d8c4f006519a5094c73bf342905be0a12
    SHA512: 80d2a2677189fa84acb1ea82643c72a4a0ad13d2b41c69f730001b0f3d35951d0d0e6684a1b68ee14299d23de3eafda8f408f0a745d53736796cd6654f788243

  • C:\Users\Admin\Desktop\StepCheckpoint.mp2.XA2JxFVyZ
    Filesize: 627KB
    MD5: 39b1efbaf3f15f84756191d6aab9179c
    SHA1: 82e10afd553d3396f3feee5c294f1190dd5d4135
    SHA256: dfb7d2661e83d82ac937b39cae399783bf8477394c59fdb74ff319d51b4b1e3c
    SHA512: 0dbec146f53f6c4329e176cc9bf41445e60ec379f32d55198aeb997a87100c837c31f7330e15bb55075b267842972ffd702b6f9c3072cc15225984caf4c2e0d3

  • C:\Users\XA2JxFVyZ.README.txt
    Filesize: 6KB
    MD5: 43fec83d2c6d0e3f791c76170f7736c2
    SHA1: 0721b613c9cb2f65b1e498298c104c72527c730f
    SHA256: 999d75d2ab39ff1aeef0418309e8cf10b59ed4457db2dfa396900690d312a970
    SHA512: 6dd3688dafb0c0ddd72e91e9d444e0977762a4490afc7ee398b72d022e7b073509acd68ea88d34a450acf144a4704a70da7d1f5ba206957589cc5d60dbf775ea

  • F:\$RECYCLE.BIN\S-1-5-21-2499603254-3415597248-1508446358-1000\DDDDDDDDDDD
    Filesize: 129B
    MD5: 4e55faa5c958c92690bc8a5ae58392ea
    SHA1: cd97c3ec43a0ff4cbcd4a343e279b5376ad3948f
    SHA256: efbdbbcc6539fd6060be79ea785276e75cfd5a6df2474ed115f2b098ae6119ae
    SHA512: 54ae6983d3f03e6a7c362f48fb81be636174304c24659cc5df90b489e7ffeeab92fa9aadf360757dfc62d8a1f727b3bf87693fb74a5f7e62b11c9837d0a735cb

  • memory/2820-1-0x0000000002A60000-0x0000000002A70000-memory.dmp (Filesize: 64KB)
  • memory/2820-2-0x0000000002A60000-0x0000000002A70000-memory.dmp (Filesize: 64KB)
  • memory/2820-0-0x0000000002A60000-0x0000000002A70000-memory.dmp (Filesize: 64KB)
  • memory/3124-321-0x00000000027B0000-0x00000000027C0000-memory.dmp (Filesize: 64KB)
  • memory/3124-322-0x00000000027B0000-0x00000000027C0000-memory.dmp (Filesize: 64KB)
  • memory/3124-320-0x000000007FE70000-0x000000007FE71000-memory.dmp (Filesize: 4KB)
  • memory/3124-323-0x000000007FE50000-0x000000007FE51000-memory.dmp (Filesize: 4KB)
  • memory/3124-324-0x000000007FDF0000-0x000000007FDF1000-memory.dmp (Filesize: 4KB)
  • memory/3124-354-0x00000000027B0000-0x00000000027C0000-memory.dmp (Filesize: 64KB)
  • memory/3124-353-0x00000000027B0000-0x00000000027C0000-memory.dmp (Filesize: 64KB)
  • memory/3124-358-0x000000007FE10000-0x000000007FE11000-memory.dmp (Filesize: 4KB)
  • memory/3124-359-0x000000007FE30000-0x000000007FE31000-memory.dmp (Filesize: 4KB)