Overview

overview

10

Static

static

10

0a9f79abd4...51.exe

windows7-x64

3

0a9f79abd4...51.exe

windows10-2004-x64

3

0di3x.exe

windows7-x64

10

0di3x.exe

windows10-2004-x64

10

2019-09-02...10.exe

windows7-x64

10

2019-09-02...10.exe

windows10-2004-x64

10

2c01b00772...eb.exe

windows7-x64

10

2c01b00772...eb.exe

windows10-2004-x64

7

31.exe

windows7-x64

10

31.exe

windows10-2004-x64

10

3DMark 11 ...on.exe

windows7-x64

3

3DMark 11 ...on.exe

windows10-2004-x64

3

42f9729255...61.exe

windows7-x64

10

42f9729255...61.exe

windows10-2004-x64

10

5da0116af4...18.exe

windows7-x64

7

5da0116af4...18.exe

windows10-2004-x64

10

69c56d12ed...6b.exe

windows7-x64

10

69c56d12ed...6b.exe

windows10-2004-x64

10

905d572f23...50.exe

windows7-x64

10

905d572f23...50.exe

windows10-2004-x64

10

948340be97...54.exe

windows7-x64

10

948340be97...54.exe

windows10-2004-x64

10

Archive.zi...3e.exe

windows7-x64

8

Archive.zi...3e.exe

windows10-2004-x64

8

DiskIntern...en.exe

windows7-x64

3

DiskIntern...en.exe

windows10-2004-x64

3

ForceOp 2....ce.exe

windows7-x64

7

ForceOp 2....ce.exe

windows10-2004-x64

7

HYDRA.exe

windows7-x64

10

HYDRA.exe

windows10-2004-x64

10

KLwC6vii.exe

windows7-x64

1

KLwC6vii.exe

windows10-2004-x64

1

Resubmissions

01-02-2025 10:25

250201-mf4saszmgl 10

01-02-2025 10:23

250201-metkyaxqdt 10

25-01-2025 13:32

250125-qtfjeawpap 10

25-01-2025 13:32

250125-qtdptawpak 10

24-01-2025 13:12

250124-qfz1wszmcs 10

18-01-2025 16:31

250118-t1f1asxqft 10

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-01-2025 13:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

  • Size

    669KB

  • MD5

    ead18f3a909685922d7213714ea9a183

  • SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

  • SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

  • SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

  • SSDEEP

    6144:bLUHLyHlwFjxDi2nEZkQ4NXxp0XMgkBWPqdN/jGdfYY7SRA7j4YlvfYAAjJ:4uFi02nEZh4jp0XLuxGdgTm73vL

Score
10/10
discoverypersistenceransomwareupx

Malware Config

Extracted

Path

C:\Users\Public\Documents\_readme.txt

Ransom Note
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-T9WE5uiVT6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 046Sdsd3273yifhsisySD60h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
URLs

https://we.tl/t-T9WE5uiVT6

Signatures

  • Renames multiple (135) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 20 IoCs
  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4064
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\faca5ffa-5e2f-4994-abb0-1dd1641312b9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      2⤵
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:1308
    • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask
      2⤵
      • Drops desktop.ini file(s)
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4748
      • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1244
        • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
          "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1244 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2692
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 1656
            5⤵
            • Program crash
            PID:1356
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1680
          4⤵
          • Program crash
          PID:5112
      • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 4748 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1096
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1844
      2⤵
      • Program crash
      PID:1944
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4064 -ip 4064
    1⤵
      PID:2160
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2692 -ip 2692
      1⤵
        PID:920
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1244 -ip 1244
        1⤵
          PID:3496

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log
          Filesize

          1.3MB

          MD5

          f782b09fd215d3d9bb898d61ea2e7a37

          SHA1

          a382348e9592bdf93dd10c49773b815a992fa7c7

          SHA256

          7bd4646090dff9875e08ea00e5727b11be19fcb850344856e66360c152835694

          SHA512

          9342bd7a0cbabd7e699ea545897a6403371a0034e4bea067a9662dad9e492c5fa9b27efa4c850e1c001c79d6a76ffe0dacb6831010e41c8d5e2a92bd5b898606

          Download Submit

        • C:\ProgramData\Package Cache\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}v48.108.8828\dotnet-host-6.0.27-win-x64.msi
          Filesize

          736KB

          MD5

          c3c0fe1bf5f38a6c89cead208307b99c

          SHA1

          df5d4f184c3124d4749c778084f35a2c00066b0b

          SHA256

          f4f6d008e54b5a6bac3998fc3fe8e632c347d6b598813e3524d5489b84bd2eaf

          SHA512

          0f3e96d16c512e37025b04ff7989d60126c3d65fe868dbcfbeae4dac910ce04fc52d1089f0e41ce85c2def0182a927fdcc349094e74cdd21b45a42fde7f01806

          Download Submit

        • C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi
          Filesize

          180KB

          MD5

          b2e47100abd58190e40c8b6f9f672a36

          SHA1

          a754a78021b16e63d9e606cacc6de4fcf6872628

          SHA256

          889217bcb971387bc3cb6d76554646d2b0822eceb102320d40adf2422c829128

          SHA512

          d30da8c901e063df5901d011b22a01f884234ddddd44b9e81b3c43d93a51e10342074523339d155d69ff03a03a1df66c7d19e0137a16f47735b5b600616ca2a9

          Download Submit

        • C:\ProgramData\Package Cache\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}v56.64.8781\dotnet-runtime-7.0.16-win-x64.msi
          Filesize

          5.2MB

          MD5

          9d8368fe54b1494d691d639d0ae7c76b

          SHA1

          7be3ddd9791c1b04976bbedb21b1b19524d6b174

          SHA256

          01543395bd376b0ed843afe4f3c76eb9eab252b37f354dfe35c26ff597e32053

          SHA512

          efbd32d456643e0ddc8ebde0a4ddea93346e91aa323e19736f0a0b2c6dce81f9461a4051dca2db1b8e1acd03662d15fcdde10078f6393a5b908701aeb71732f5

          Download Submit

        • C:\ProgramData\Package Cache\{E634F316-BEB6-4FB3-A612-F7102F576165}v48.108.8836\windowsdesktop-runtime-6.0.27-win-x64.msi
          Filesize

          4.7MB

          MD5

          3613a6a6966e62f6b126c6eeae5a6ff3

          SHA1

          ef19adb42b05435267c93fa6f2406040a1a6fe57

          SHA256

          d1611f1443460fb21b122172d6a13ae9f830856e7ea8ba52e9722c3178496b39

          SHA512

          2cc2777ac975b557f7f1a3e4423abb3b1bced8d16253b4382f376de2782d93d967ca7a88464c718b90e75db3ccc28920b980795a15cc0899a4cc9d2a55d7a2c4

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
          Filesize

          1KB

          MD5

          c9be626e9715952e9b70f92f912b9787

          SHA1

          aa2e946d9ad9027172d0d321917942b7562d6abe

          SHA256

          c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4

          SHA512

          7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
          Filesize

          436B

          MD5

          971c514f84bba0785f80aa1c23edfd79

          SHA1

          732acea710a87530c6b08ecdf32a110d254a54c8

          SHA256

          f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

          SHA512

          43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
          Filesize

          174B

          MD5

          1d32dba865f615f1591a37192edd017a

          SHA1

          c73304412dfa4ffc2b5ba31d40420d46a9be223b

          SHA256

          7b915c3c7547528084d6fffe20188e6db09c5bf1b565e99c76cfe8eba865c854

          SHA512

          f40cbbd7045834fab11f9ff7faff3bf08463fe8ae12954470591fce29fe92e2f35592b1964e778a97fac9f35228f63ded97a0eeae631092e2be98a6f6c2cb904

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
          Filesize

          170B

          MD5

          f27d9f2d5ef62c184d95495a326060ba

          SHA1

          98bb052ab21e0ec9483240d7e63a6e9c375013e1

          SHA256

          2f78a029493f00aef35a12a6410a0efb773f590045f5005c4432336c1c825072

          SHA512

          ee7ee3001af2a6bd079c1c26a81052a28f07caa01e8690dbe6c140fb3ad972887a7f49f3ffeb018f7df5a9f5f758d4057dde894362af32157f252f9f6921f343

          Download Submit

        • C:\Users\Admin\AppData\Local\faca5ffa-5e2f-4994-abb0-1dd1641312b9\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
          Filesize

          669KB

          MD5

          ead18f3a909685922d7213714ea9a183

          SHA1

          1270bd7fd62acc00447b30f066bb23f4745869bf

          SHA256

          5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

          SHA512

          6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

          Download Submit

        • C:\Users\Public\Documents\_readme.txt
          Filesize

          1KB

          MD5

          d75064cfaac9c92f52aadf373dc7e463

          SHA1

          36ea05181d9b037694929ec81f276f13c7d2655c

          SHA256

          163ec5b903b6baadd32d560c44c1ea4dce241579a7493eb32c632eae9085d508

          SHA512

          43387299749f31c623c5dd4a53ff4d2eff5edfeb80fd4e2edd45860b5c9367d2767ae2ee9b60824b57301999dd2bd995b7d3bd5e7187e447aed76106272559d1

          Download Submit

        • memory/1096-32-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1244-30-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1244-27-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1244-28-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1244-39-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1244-34-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2692-36-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2692-38-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4064-0-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4064-14-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4064-15-0x0000000000400000-0x0000000000476000-memory.dmp

          Filesize

          472KB

          Download

        • memory/4064-3-0x0000000000400000-0x0000000000476000-memory.dmp

          Filesize

          472KB

          Download

        • memory/4064-2-0x0000000000630000-0x0000000000730000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/4748-18-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4748-31-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4748-25-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4748-24-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4748-23-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4748-17-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4748-12-0x0000000000400000-0x00000000004A9000-memory.dmp

          Filesize

          676KB

          Download