Resubmissions

07/03/2025, 16:03 UTC

250307-thsw5ssygt 5

13/01/2025, 02:42 UTC

250113-c7dp3ssjew 5

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/01/2025, 02:42 UTC

General

  • Target

    b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe

  • Size

    5.2MB

  • MD5

    54e383ca658ebd3caaf586f032f1c401

  • SHA1

    bc013aace5491c65a869e944123a4344cea6c1f0

  • SHA256

    b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb

  • SHA512

    4d10c2f888b5f56b59341e1dee5c53f56f2d81a9034eda36182bfd04246274d1fdee85b3ceccd5677ae8608626c2952ddd30fbe730dac54e405983c2a35fe51c

  • SSDEEP

    49152:UTyQOnGEoOozdSv3U4Yn0+U0vN52S7aoRPWicuRX3EYqDqmjVNiIhnU/hHYBWZh0:KSv31WaZlah4q1W61nH/a

Score
5/10

Malware Config

Signatures

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Drops file in Program Files directory (64 IoCs)
  • Runs net.exe
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
    "C:\Users\Admin\AppData\Local\Temp\b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3132
    • C:\Windows\system32\net.exe
      "net" session
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4680
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        3⤵
          PID:2556

Network

  • DNS  8.8.8.8.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  8.8.8.8.in-addr.arpa IN PTR
    Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
  • DNS  i.imgur.com
    Process: b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
    Remote address: 8.8.8.8:53
    Request:  i.imgur.com IN A
    Response: i.imgur.com IN CNAME ipv4.imgur.map.fastly.net
              ipv4.imgur.map.fastly.net IN A 199.232.196.193
              ipv4.imgur.map.fastly.net IN A 199.232.192.193
  • GET  https://i.imgur.com/mlUvWYT.jpeg
    Process: b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
    Remote address: 199.232.196.193:443
    Request:
      GET /mlUvWYT.jpeg HTTP/1.1
      accept: */*
      host: i.imgur.com
    Response:
      HTTP/1.1 200 OK
      Connection: keep-alive
      Content-Length: 238067
      Content-Type: image/jpeg
      Last-Modified: Wed, 01 Jan 2025 13:41:08 GMT
      ETag: "2fada8c05467d606e2675c5860da662a"
      x-amz-server-side-encryption: AES256
      X-Amz-Cf-Pop: IAD61-P5
      X-Amz-Cf-Id: he0cE4opGpsqjkylt_j3TXr7H3iv5Y8O7vQDtnJAM4F5NhN0jejlLg==
      cache-control: public, max-age=31536000
      Accept-Ranges: bytes
      Age: 997300
      Date: Mon, 13 Jan 2025 02:42:48 GMT
      X-Served-By: cache-iad-kiad7000108-IAD, cache-lcy-eglc8600077-LCY
      X-Cache: Miss from cloudfront, HIT, HIT
      X-Cache-Hits: 42, 0
      X-Timer: S1736736168.452290,VS0,VE1
      Strict-Transport-Security: max-age=300
      Access-Control-Allow-Methods: GET, OPTIONS
      Access-Control-Allow-Origin: *
      Server: cat factory 1.0
      X-Content-Type-Options: nosniff
  • DNS  196.249.167.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  196.249.167.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  193.196.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  193.196.232.199.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  172.210.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  172.210.232.199.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  14.160.190.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  14.160.190.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  95.221.229.192.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  95.221.229.192.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  149.220.183.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  149.220.183.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  197.87.175.4.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  197.87.175.4.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  171.39.242.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  171.39.242.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  11.164.16.2.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  11.164.16.2.in-addr.arpa IN PTR
    Response: 11.164.16.2.in-addr.arpa IN PTR a2-16-164-11.deploy.static.akamaitechnologies.com
  • DNS  133.130.81.91.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  133.130.81.91.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  172.214.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  172.214.232.199.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  89.65.42.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request:  89.65.42.20.in-addr.arpa IN PTR
    Response: (empty)
  • 199.232.196.193:443  https://i.imgur.com/mlUvWYT.jpeg  (tls, http)
    Process: b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
    Sent 4.9kB / received 252.5kB; packets out 99 / in 190
    HTTP request:  GET https://i.imgur.com/mlUvWYT.jpeg
    HTTP response: 200
  • 8.8.8.8:53  8.8.8.8.in-addr.arpa  (dns)
    Sent 66 B / received 90 B; packets out 1 / in 1
    DNS request: 8.8.8.8.in-addr.arpa
  • 8.8.8.8:53  i.imgur.com  (dns)
    Process: b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
    Sent 57 B / received 128 B; packets out 1 / in 1
    DNS request:  i.imgur.com
    DNS response: 199.232.196.193, 199.232.192.193
  • 8.8.8.8:53  196.249.167.52.in-addr.arpa  (dns)
    Sent 73 B / received 147 B; packets out 1 / in 1
    DNS request: 196.249.167.52.in-addr.arpa
  • 8.8.8.8:53  193.196.232.199.in-addr.arpa  (dns)
    Sent 74 B / received 128 B; packets out 1 / in 1
    DNS request: 193.196.232.199.in-addr.arpa
  • 8.8.8.8:53  172.210.232.199.in-addr.arpa  (dns)
    Sent 74 B / received 128 B; packets out 1 / in 1
    DNS request: 172.210.232.199.in-addr.arpa
  • 8.8.8.8:53  14.160.190.20.in-addr.arpa  (dns)
    Sent 72 B / received 158 B; packets out 1 / in 1
    DNS request: 14.160.190.20.in-addr.arpa
  • 8.8.8.8:53  95.221.229.192.in-addr.arpa  (dns)
    Sent 73 B / received 144 B; packets out 1 / in 1
    DNS request: 95.221.229.192.in-addr.arpa
  • 8.8.8.8:53  149.220.183.52.in-addr.arpa  (dns)
    Sent 73 B / received 147 B; packets out 1 / in 1
    DNS request: 149.220.183.52.in-addr.arpa
  • 8.8.8.8:53  197.87.175.4.in-addr.arpa  (dns)
    Sent 71 B / received 157 B; packets out 1 / in 1
    DNS request: 197.87.175.4.in-addr.arpa
  • 8.8.8.8:53  171.39.242.20.in-addr.arpa  (dns)
    Sent 72 B / received 158 B; packets out 1 / in 1
    DNS request: 171.39.242.20.in-addr.arpa
  • 8.8.8.8:53  11.164.16.2.in-addr.arpa  (dns)
    Sent 70 B / received 133 B; packets out 1 / in 1
    DNS request: 11.164.16.2.in-addr.arpa
  • 8.8.8.8:53  133.130.81.91.in-addr.arpa  (dns)
    Sent 72 B / received 147 B; packets out 1 / in 1
    DNS request: 133.130.81.91.in-addr.arpa
  • 8.8.8.8:53  172.214.232.199.in-addr.arpa  (dns)
    Sent 74 B / received 128 B; packets out 1 / in 1
    DNS request: 172.214.232.199.in-addr.arpa
  • 8.8.8.8:53  89.65.42.20.in-addr.arpa  (dns)
    Sent 70 B / received 156 B; packets out 1 / in 1
    DNS request: 89.65.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15
