Analysis

  • max time kernel
    66s
  • max time network
    22s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-01-2025 17:37

General

  • Target

    458455e84390b7cdcc4008e104717ef1255245707e3329978a22e0129374d898.exe

  • Size

    160KB

  • MD5

    f33a0c04a1984e22cf953cc811f6d4cf

  • SHA1

    90eb7457e9952738195f7203bdde11ee8a77c8ba

  • SHA256

    458455e84390b7cdcc4008e104717ef1255245707e3329978a22e0129374d898

  • SHA512

    e241c70576f99f84575a05c5d1e9a112e91d3ebb1578d364dac1a0f5d25a8c7fff82ca8aa5e1a5598e7e0800c149f4c648630b41a6ae790e37713040d802d5fb

  • SSDEEP

    3072:vDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368+QBVBuEsMeUI/EQ9BW:R5d/zugZqll3LHVeVB

Malware Config

Signatures

  • Renames multiple (200) files with added filename extension

    Consistent with ransomware encrypting files on the system and appending its own extension to each encrypted file (new name = original name + extension).

  • Deletes itself 1 IoCs

    The dropped C:\ProgramData\BFE5.tmp spawns cmd.exe with "/C DEL /F /Q C:\PROGRA~3\BFE5.tmp >> NUL" (C:\PROGRA~3 is the 8.3 short name of C:\ProgramData), removing its own image file after it has run; see the process tree below. The child image resolves to C:\Windows\SysWOW64\cmd.exe because the 32-bit parent is subject to WoW64 file-system redirection.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

    NtSetInformationThread with the ThreadHideFromDebugger information class stops debug events for the calling thread from reaching an attached debugger; an anti-analysis technique.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the victim system's language in order to infer the geographical location of the host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service manages backups/snapshots; ransomware commonly invokes it to remove existing shadow copies before encrypting. The report records vssvc.exe starting (PID 2012 below) but not which VSS operation was requested, so check the shadow copy state on the host rather than assuming deletion.

Processes

  • C:\Users\Admin\AppData\Local\Temp\458455e84390b7cdcc4008e104717ef1255245707e3329978a22e0129374d898.exe
    "C:\Users\Admin\AppData\Local\Temp\458455e84390b7cdcc4008e104717ef1255245707e3329978a22e0129374d898.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\ProgramData\BFE5.tmp
      "C:\ProgramData\BFE5.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BFE5.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2412
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2012
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:1224
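
The process tree above and the signatures section describe three behaviours that together characterise this sample: mass renaming with an added extension, a dropped BFE5.tmp that spawns cmd.exe to DEL its own file, and a ransom note (XA2JxFVyZ.README.txt). The following detection script is an added example, not part of the sandbox report or the sample; it runs over constructed Sysmon-style event dictionaries (the report's raw telemetry is not on the page) whose PIDs mirror the tree (2652, 2700, 2412). The rename threshold, the ".locked" extension and the "sample.exe" placeholder for the SHA256-named executable are assumptions.

```python
"""Detection heuristics for the behaviours flagged in this report (added example).

Runs over constructed Sysmon-style events shaped like the process tree above and
flags three patterns:
  1. one process renaming many files by appending a single new extension,
  2. a dropped executable spawning cmd.exe to DEL its own image file,
  3. a *README.txt note created by the process that did the renaming.
"""
import ntpath
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed threshold: well below the 200 renames the sandbox counted, well above
# what a user or an updater renames to one new extension in a short window.
RENAME_THRESHOLD = 50

# First drive-letter path after a DEL verb, e.g. "DEL /F /Q C:\PROGRA~3\BFE5.tmp >> NUL".
DEL_RE = re.compile(r"\bDEL\b.*?\s(?P<target>[A-Za-z]:\\[^\s>]+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _same_file(a: str, b: str) -> bool:
    """Compare on basename only: the report's DEL command uses the 8.3 short
    form C:\\PROGRA~3\\BFE5.tmp for the parent image C:\\ProgramData\\BFE5.tmp."""
    return ntpath.basename(a).lower() == ntpath.basename(b).lower()


def detect_mass_rename(events):
    """Rule 1: >= RENAME_THRESHOLD renames by one PID where new == old + ext."""
    added_ext = defaultdict(Counter)  # pid -> Counter(new extension -> count)
    for e in events:
        if e["type"] != "rename":
            continue
        old, new = e["old"].lower(), e["new"].lower()
        ext = ntpath.splitext(new)[1]
        if ext and new == old + ext:
            added_ext[e["pid"]][ext] += 1
    findings = []
    for pid, counter in added_ext.items():
        ext, n = counter.most_common(1)[0]
        if n >= RENAME_THRESHOLD:
            findings.append(Finding("mass_rename_added_extension", pid, f"{n} files gained {ext}"))
    return findings


def detect_self_delete(events):
    """Rule 2: a cmd.exe whose DEL target is its parent's own image file."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    findings = []
    for e in events:
        if e["type"] != "process_create" or ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmdline"])
        parent = image_by_pid.get(e["ppid"])
        if m and parent and _same_file(parent, m.group("target")):
            findings.append(Finding("self_delete_via_cmd", e["ppid"], f"{parent} deleted by: {e['cmdline']}"))
    return findings


def detect_ransom_note(events):
    """Rule 3: a *README.txt created by a PID that also tripped rule 1."""
    renamers = {f.pid for f in detect_mass_rename(events)}
    return [
        Finding("ransom_note_dropped", e["pid"], e["path"])
        for e in events
        if e["type"] == "file_create" and e["pid"] in renamers
        and ntpath.basename(e["path"]).lower().endswith("readme.txt")
    ]


def run_all(events):
    return detect_mass_rename(events) + detect_self_delete(events) + detect_ransom_note(events)


def build_sample_events():
    """Constructed events (not real telemetry) mirroring the report's process tree."""
    dropper = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"  # placeholder for the SHA256-named sample
    tmp = r"C:\ProgramData\BFE5.tmp"
    events = [
        {"type": "process_create", "pid": 2652, "ppid": 1000, "image": dropper, "cmdline": f'"{dropper}"'},
        {"type": "process_create", "pid": 2700, "ppid": 2652, "image": tmp, "cmdline": f'"{tmp}"'},
        {"type": "process_create", "pid": 2412, "ppid": 2700, "image": r"C:\Windows\SysWOW64\cmd.exe",
         "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BFE5.tmp >> NUL'},
    ]
    # 60 documents renamed to <name>.locked (".locked" is a constructed extension).
    events += [{"type": "rename", "pid": 2652, "old": rf"C:\Users\Admin\Documents\doc{i}.docx",
                "new": rf"C:\Users\Admin\Documents\doc{i}.docx.locked"} for i in range(60)]
    events.append({"type": "file_create", "pid": 2652, "path": r"C:\Users\XA2JxFVyZ.README.txt"})
    # Benign noise: a user renaming three files, and a cmd.exe DEL unrelated to its parent.
    events += [{"type": "rename", "pid": 3100, "old": rf"C:\Users\Admin\Pictures\img{i}.jpg",
                "new": rf"C:\Users\Admin\Pictures\img{i}.jpg.bak"} for i in range(3)]
    events.append({"type": "process_create", "pid": 3200, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
                   "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\Temp\old.log'})
    return events


if __name__ == "__main__":
    for f in run_all(build_sample_events()):
        print(f"{f.rule:<28} pid={f.pid} {f.detail}")
```

Matching the DEL target to the parent by basename rather than full path is deliberate: 8.3 short names such as PROGRA~3 are assigned per volume, so a full-path comparison would miss exactly the form this sample uses. The three benign noise events show that a handful of renames and a DEL of an unrelated file do not fire.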

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini

      Filesize

      129B

      MD5

      a2386ed2c027c1e86785f6aaff9d003c

      SHA1

      fa622cbc2bc32f284e90dc5c237623c87b3e98ac

      SHA256

      184d7d2d10c042ce4751f8be8c812154d82244a44529c25c7fe7d213800713c3

      SHA512

      b2807de98a44c9de63e843e85b4a0210d312e0d94e62412a839aae6aa83458d0bc6643ce711c50282588f2849b546d03aa58a78e2707046c4836c51f143b6403

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      160KB

      MD5

      e6275ac2c4678b3635f8b27ac82fad3c

      SHA1

      7b97f9fa3ead238106392b630769fa2fcbb09ae1

      SHA256

      88fdeae5b0dbdb6a91c4232d47d3974790b0c1263ff04c5f637726db558250b9

      SHA512

      3a44e0f112972491dff4a405942377f48590a10078ee8e5484ddcff6f8e6f2ef37b880b8f8d43e8ef19264acf8d4fa51c9e6c7794dd443ebbb5b9a564d381fc2

    • C:\Users\XA2JxFVyZ.README.txt

      Filesize

      6KB

      MD5

      03c584e712951ed29442a6fa017920a4

      SHA1

      111cb2f4f090e4292c1292da8158ad44841b7565

      SHA256

      b87d002d02e94708f646dd810045dc2b62ef9f6a11c7e83d806bb9d2a8c178c3

      SHA512

      def2311e4c81c278821a2227d291fc53be58a8d1507247a304da889cfec19cd0b76fd30d6b1abddbd13222bdededac5b70f9cc146f8dc5e5356a47cfc04e7adf

    • F:\$RECYCLE.BIN\S-1-5-21-2703099537-420551529-3771253338-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      a2487ed0d3d6b3f361736bb932870f25

      SHA1

      ad3c431f79cc056079d0cf4c5c8d6dd71ed0a9bc

      SHA256

      ea4973e56912cf5ebccd6fdb97581a15572207e8bfcb77114f490fb640427cbf

      SHA512

      59a977947813e0f87ca5d2acc9421739e161ca075d3499c9ed051443b81229328a5c0e17487a89b65f7dbb61cd8ed54a472352bd36bf559c700d842c1bf50553

    • \ProgramData\BFE5.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/2652-0-0x0000000002290000-0x00000000022D0000-memory.dmp

      Filesize

      256KB

    • memory/2700-330-0x0000000000401000-0x0000000000404000-memory.dmp

      Filesize

      12KB

    • memory/2700-332-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/2700-361-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

    • memory/2700-364-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB