b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb

Resubmissions

07/03/2025, 16:03

250307-thsw5ssygt 5

13/01/2025, 02:42

250113-c7dp3ssjew 5

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2025, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
Size

5.2MB
MD5

54e383ca658ebd3caaf586f032f1c401
SHA1

bc013aace5491c65a869e944123a4344cea6c1f0
SHA256

b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb
SHA512

4d10c2f888b5f56b59341e1dee5c53f56f2d81a9034eda36182bfd04246274d1fdee85b3ceccd5677ae8608626c2952ddd30fbe730dac54e405983c2a35fe51c
SSDEEP

49152:UTyQOnGEoOozdSv3U4Yn0+U0vN52S7aoRPWicuRX3EYqDqmjVNiIhnU/hHYBWZh0:KSv31WaZlah4q1W61nH/a

Score

5^/10

ransomware

Malware Config

Signatures

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "\\\\?\\C:\\Users\\Admin\\AppData\\Local\\Temp\\downloaded_wallpaper.jpg"	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\History.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt.Lock	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe

Runs net.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 4680	3132	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe	84
PID 3132 wrote to memory of 4680	3132	b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe	84
PID 4680 wrote to memory of 2556	4680	net.exe	85
PID 4680 wrote to memory of 2556	4680	net.exe	85

C:\Users\Admin\AppData\Local\Temp\b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe
"C:\Users\Admin\AppData\Local\Temp\b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb.exe"
1⤵
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Windows\system32\net.exe
  "net" session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact