Overview

overview

10

Static

static

10

241105-dtx...ed.zip

windows7-x64

1

241105-dtx...ed.zip

windows10-2004-x64

1

d91912b4b9...37.rar

windows7-x64

1

d91912b4b9...37.rar

windows10-2004-x64

1

0di3x.exe

windows7-x64

10

0di3x.exe

windows10-2004-x64

10

201106-9sx...ed.zip

windows7-x64

1

201106-9sx...ed.zip

windows10-2004-x64

1

2019-09-02...10.exe

windows7-x64

10

2019-09-02...10.exe

windows10-2004-x64

10

2c01b00772...eb.exe

windows7-x64

10

2c01b00772...eb.exe

windows10-2004-x64

7

31.exe

windows7-x64

10

31.exe

windows10-2004-x64

10

3DMark 11 ...on.exe

windows7-x64

3

3DMark 11 ...on.exe

windows10-2004-x64

3

42f9729255...61.exe

windows7-x64

10

42f9729255...61.exe

windows10-2004-x64

10

5da0116af4...18.exe

windows7-x64

7

5da0116af4...18.exe

windows10-2004-x64

10

6306868794.bin.zip

windows7-x64

1

6306868794.bin.zip

windows10-2004-x64

1

CVE-2018-1...oC.swf

windows7-x64

3

CVE-2018-1...oC.swf

windows10-2004-x64

3

DiskIntern...en.exe

windows7-x64

3

DiskIntern...en.exe

windows10-2004-x64

3

E2-2020111...59.zip

windows7-x64

1

E2-2020111...59.zip

windows10-2004-x64

1

ForceOp 2....ce.exe

windows7-x64

7

ForceOp 2....ce.exe

windows10-2004-x64

7

HYDRA.exe

windows7-x64

10

HYDRA.exe

windows10-2004-x64

10

Resubmissions

01/04/2025, 21:24

250401-z8184awycs 10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/02/2025, 23:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

  • Size

    669KB

  • MD5

    ead18f3a909685922d7213714ea9a183

  • SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

  • SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

  • SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

  • SSDEEP

    6144:bLUHLyHlwFjxDi2nEZkQ4NXxp0XMgkBWPqdN/jGdfYY7SRA7j4YlvfYAAjJ:4uFi02nEZh4jp0XLuxGdgTm73vL

Score
10/10
discoverypersistenceransomwareupx

Malware Config

Extracted

Path

C:\Users\Public\Documents\_readme.txt

Ransom Note
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-T9WE5uiVT6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 046Sdsd3273yifhsisySD60h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
URLs

https://we.tl/t-T9WE5uiVT6

Signatures

  • Renames multiple (154) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 25 IoCs
  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4856
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\7ca2b828-c01a-4920-91ef-5f782c46f6cb" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      2⤵
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:3596
    • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask
      2⤵
      • Drops desktop.ini file(s)
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:400
      • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3632
        • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
          "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3632 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:952
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 1104
            5⤵
            • Program crash
            PID:1672
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 1780
          4⤵
          • Program crash
          PID:4644
      • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 400 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2740
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 1868
          4⤵
          • Program crash
          PID:2068
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1644
        3⤵
        • Program crash
        PID:1148
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 1828
      2⤵
      • Program crash
      PID:3136
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4856 -ip 4856
    1⤵
      PID:2684
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 952 -ip 952
      1⤵
        PID:4196
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3632 -ip 3632
        1⤵
          PID:3200
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2740 -ip 2740
          1⤵
            PID:3208
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 400 -ip 400
            1⤵
              PID:220

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log
              Filesize

              1.3MB

              MD5

              f782b09fd215d3d9bb898d61ea2e7a37

              SHA1

              a382348e9592bdf93dd10c49773b815a992fa7c7

              SHA256

              7bd4646090dff9875e08ea00e5727b11be19fcb850344856e66360c152835694

              SHA512

              9342bd7a0cbabd7e699ea545897a6403371a0034e4bea067a9662dad9e492c5fa9b27efa4c850e1c001c79d6a76ffe0dacb6831010e41c8d5e2a92bd5b898606

              Download Submit

            • C:\ProgramData\Package Cache\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}v48.108.8828\dotnet-host-6.0.27-win-x64.msi
              Filesize

              736KB

              MD5

              c3c0fe1bf5f38a6c89cead208307b99c

              SHA1

              df5d4f184c3124d4749c778084f35a2c00066b0b

              SHA256

              f4f6d008e54b5a6bac3998fc3fe8e632c347d6b598813e3524d5489b84bd2eaf

              SHA512

              0f3e96d16c512e37025b04ff7989d60126c3d65fe868dbcfbeae4dac910ce04fc52d1089f0e41ce85c2def0182a927fdcc349094e74cdd21b45a42fde7f01806

              Download Submit

            • C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi
              Filesize

              180KB

              MD5

              b2e47100abd58190e40c8b6f9f672a36

              SHA1

              a754a78021b16e63d9e606cacc6de4fcf6872628

              SHA256

              889217bcb971387bc3cb6d76554646d2b0822eceb102320d40adf2422c829128

              SHA512

              d30da8c901e063df5901d011b22a01f884234ddddd44b9e81b3c43d93a51e10342074523339d155d69ff03a03a1df66c7d19e0137a16f47735b5b600616ca2a9

              Download Submit

            • C:\ProgramData\Package Cache\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}v56.64.8781\dotnet-runtime-7.0.16-win-x64.msi
              Filesize

              4.4MB

              MD5

              b7af2ea479a58bd4b890e81d914686a3

              SHA1

              d7c0c7953d71f10b57565987c91760bc02c35efe

              SHA256

              e892c71fea11ec1da76c90e6bb3f52536ca911dd1040ed960873de3dc6dad2d4

              SHA512

              4437188b98c6734d48977084fb8ca0b2b35facab7c26f17bf6516a5835d2669b89f95fab6c5e8daae675eb6fd8dac5c527665f345de47f3d6fea1016dd59dbc6

              Download Submit

            • C:\ProgramData\Package Cache\{E634F316-BEB6-4FB3-A612-F7102F576165}v48.108.8836\windowsdesktop-runtime-6.0.27-win-x64.msi
              Filesize

              4.0MB

              MD5

              710e86063b3b0da02a13b49d08cd75dc

              SHA1

              2fa1f970816a5cd62fb006dfbd66acef63653087

              SHA256

              d5d40494d1407b2113fa9a7123ad3d32501a247bc7436505b2e015b8d713c579

              SHA512

              65ba635a834d3891d85b1f76846434be414660781fd9b198c4bf05e29653c50bff2eed3c6bd486119046d2c53d1e30053fd5e8f6abe0359648a77613b686d724

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
              Filesize

              1KB

              MD5

              c9be626e9715952e9b70f92f912b9787

              SHA1

              aa2e946d9ad9027172d0d321917942b7562d6abe

              SHA256

              c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4

              SHA512

              7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
              Filesize

              436B

              MD5

              971c514f84bba0785f80aa1c23edfd79

              SHA1

              732acea710a87530c6b08ecdf32a110d254a54c8

              SHA256

              f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

              SHA512

              43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
              Filesize

              174B

              MD5

              f4d4ac584bc2223192fce41a9e665c64

              SHA1

              085bc30eca575ed7f89dbdb3390045ad1da3d7ca

              SHA256

              7d043a480703ada642d18b78526737b0e97f06eaf8643b79b5d28c346d40fbbb

              SHA512

              4ecc244ebdf782ca9a7df531ddd253d81f561b6831c86f822e03a339a9e7687b09a5e92cfc712fcc0af23181fe2d6fad62508e2698d7598441c59b9b126941f9

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
              Filesize

              170B

              MD5

              fc0b204cb74b7c0c3882d77f6f1784a0

              SHA1

              4d81230ce6d15691b67d3f5d26cdbf1502d257c0

              SHA256

              a716437d1ff03f0265dea4744ea326ca6d6a0830dbd273188bf1593fd60696fb

              SHA512

              5d81c55a92f19d49aae1a8d8126928c86120b3ce8c220c17aed36da8d00ed022d32d84e17d5a3c6316f66c337c7db4ad13980846c98f5e44162b4b6ee28e3d9d

              Download Submit

            • C:\Users\Admin\AppData\Local\7ca2b828-c01a-4920-91ef-5f782c46f6cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
              Filesize

              669KB

              MD5

              ead18f3a909685922d7213714ea9a183

              SHA1

              1270bd7fd62acc00447b30f066bb23f4745869bf

              SHA256

              5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

              SHA512

              6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

              Download Submit

            • C:\Users\Public\Documents\_readme.txt
              Filesize

              1KB

              MD5

              d75064cfaac9c92f52aadf373dc7e463

              SHA1

              36ea05181d9b037694929ec81f276f13c7d2655c

              SHA256

              163ec5b903b6baadd32d560c44c1ea4dce241579a7493eb32c632eae9085d508

              SHA512

              43387299749f31c623c5dd4a53ff4d2eff5edfeb80fd4e2edd45860b5c9367d2767ae2ee9b60824b57301999dd2bd995b7d3bd5e7187e447aed76106272559d1

              Download Submit

            • memory/400-22-0x0000000000400000-0x00000000004A9000-memory.dmp

              Filesize

              676KB

              Download

            • memory/400-23-0x0000000000400000-0x00000000004A9000-memory.dmp

              Filesize

              676KB

              Download

            • memory/400-24-0x0000000000400000-0x00000000004A9000-memory.dmp

              Filesize

              676KB

              Download

            • memory/400-1080-0x0000000000400000-0x00000000004A9000-memory.dmp

              Filesize

              676KB

              Download

            • memory/400-17-0x0000000000400000-0x00000000004A9000-memory.dmp

              Filesize

              676KB

              Download

            • memory/400-16-0x0000000000400000-0x00000000004A9000-memory.dmp

              Filesize

              676KB

              Download

            • memory/400-30-0x0000000000400000-0x00000000004A9000-memory.dmp

              Filesize

              676KB

              Download

            • memory/952-35-0x0000000000400000-0x00000000004A9000-memory.dmp

              Filesize

              676KB

              Download

            • memory/952-37-0x0000000000400000-0x00000000004A9000-memory.dmp

              Filesize

              676KB

              Download

            • memory/2740-27-0x0000000000400000-0x00000000004A9000-memory.dmp

              Filesize

              676KB

              Download

            • memory/2740-31-0x0000000000400000-0x00000000004A9000-memory.dmp

              Filesize

              676KB

              Download

            • memory/2740-1079-0x0000000000400000-0x00000000004A9000-memory.dmp

              Filesize

              676KB

              Download

            • memory/2740-26-0x0000000000400000-0x00000000004A9000-memory.dmp

              Filesize

              676KB

              Download

            • memory/3632-33-0x0000000000400000-0x00000000004A9000-memory.dmp

              Filesize

              676KB

              Download

            • memory/3632-38-0x0000000000400000-0x00000000004A9000-memory.dmp

              Filesize

              676KB

              Download

            • memory/3632-29-0x0000000000400000-0x00000000004A9000-memory.dmp

              Filesize

              676KB

              Download

            • memory/4856-0-0x0000000000400000-0x00000000004A9000-memory.dmp

              Filesize

              676KB

              Download

            • memory/4856-14-0x0000000000400000-0x0000000000476000-memory.dmp

              Filesize

              472KB

              Download

            • memory/4856-13-0x0000000000400000-0x00000000004A9000-memory.dmp

              Filesize

              676KB

              Download

            • memory/4856-3-0x0000000000400000-0x0000000000476000-memory.dmp

              Filesize

              472KB

              Download

            • memory/4856-2-0x0000000000710000-0x0000000000810000-memory.dmp

              Filesize

              1024KB

              Download