Resubmissions

15/01/2025, 23:09

250115-25d1hayqev 9

15/01/2025, 22:19

250115-18nhnsxlat 9

15/01/2025, 22:15

250115-158dnsxkas 9

Analysis

  • max time kernel
    900s
  • max time network
    431s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/01/2025, 22:19

General

  • Target

    2d9d3a0eb209d0bef59c55f89eb710d7bafd85f075a57b3c06867ae17d7a4f33.exe

  • Size

    108KB

  • MD5

    662593328e911803af64d886b6ae60eb

  • SHA1

    43712ea209da9f0ae47a3a5a87fef061a1e74a45

  • SHA256

    2d9d3a0eb209d0bef59c55f89eb710d7bafd85f075a57b3c06867ae17d7a4f33

  • SHA512

    208c98ed4373ae9523b8081a4c637860c79c6c89ea5595a6bc59ab2a551066d7524bbbe36fb605191526b2cd651a3ad0d85ad2a8326aaa01e1a4d2126ffe652a

  • SSDEEP

    1536:V7Zf/FAxTWoJJZENTBmRPsdj2hkAeCgI3i0CJS1Il+lM5QOVhFVh6Jb1Jb3rh:fny1tEyyj2yAeCgjJRDFDqrh

Malware Config

Signatures

  • Renames multiple (19866) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Drivers directory 22 IoCs
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 64 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d9d3a0eb209d0bef59c55f89eb710d7bafd85f075a57b3c06867ae17d7a4f33.exe
    "C:\Users\Admin\AppData\Local\Temp\2d9d3a0eb209d0bef59c55f89eb710d7bafd85f075a57b3c06867ae17d7a4f33.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops startup file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:3948

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

          Filesize

          109KB

          MD5

          dcd592b3a6cdaff0d6f2b61e26bdd041

          SHA1

          5b6d8abe031bbd87095daf4b40f1098c6fcc48d6

          SHA256

          cdf630c2ae09f7ab7149f9e146b6ad9ce311eb0e51a7523de2b8a1617cb9085d

          SHA512

          88a440a2c13553f7484604e5b362b4a8e8d8837d035f1ab58e9f96b53f76974303461b97b171fdf941b4d24023e3576f5397f790e063d23f0402f73429b104e3

        • C:\Program Files\7-Zip\7-zip.dll.tmp

          Filesize

          207KB

          MD5

          a634e42afbbfdb77be885e764b3bf116

          SHA1

          782babd8659b23c94b3e6a4bef640e28e3a1be2c

          SHA256

          076f5e18738f93f194420454a665bda884ea906f6a4563d66452080e6517bac2

          SHA512

          5c0e2f47eba5b0e360810224e2936efe7a53d66667aa66bc8dbbd93297346969fff6044b70d5c39b223bc4166b8e261d3eafb5732a772b4d5191985b8ca0f67b

        • memory/3948-0-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/3948-778-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB