Overview

overview

10

Static

static

10

7d98972d5c...9c.exe

windows10-2004-x64

9

7d98972d5c...9c.exe

windows7-x64

9

7d98972d5c...9c.exe

windows10-2004-x64

9

7d98972d5c...9c.exe

windows10-ltsc_2021-x64

9

7d98972d5c...9c.exe

windows11-21h2-x64

9

87b9b910d5...cb.exe

windows10-ltsc_2021-x64

10

87b9b910d5...cb.exe

windows7-x64

10

87b9b910d5...cb.exe

windows10-2004-x64

10

87b9b910d5...cb.exe

windows10-ltsc_2021-x64

10

87b9b910d5...cb.exe

windows11-21h2-x64

10

8958d7b8c5...e2.exe

windows10-ltsc_2021-x64

10

8958d7b8c5...e2.exe

windows7-x64

10

8958d7b8c5...e2.exe

windows10-2004-x64

10

8958d7b8c5...e2.exe

windows10-ltsc_2021-x64

10

8958d7b8c5...e2.exe

windows11-21h2-x64

10

ab5be9e691...09.exe

windows10-ltsc_2021-x64

10

ab5be9e691...09.exe

windows7-x64

10

ab5be9e691...09.exe

windows10-2004-x64

10

ab5be9e691...09.exe

windows10-ltsc_2021-x64

10

ab5be9e691...09.exe

windows11-21h2-x64

10

b228a698ee...c0.exe

windows11-21h2-x64

b228a698ee...c0.exe

windows7-x64

b228a698ee...c0.exe

windows10-2004-x64

b228a698ee...c0.exe

windows10-ltsc_2021-x64

b228a698ee...c0.exe

windows11-21h2-x64

c864a70f78...1d.exe

windows10-ltsc_2021-x64

c864a70f78...1d.exe

windows7-x64

c864a70f78...1d.exe

windows10-2004-x64

c864a70f78...1d.exe

windows10-ltsc_2021-x64

c864a70f78...1d.exe

windows11-21h2-x64

Resubmissions

25/03/2025, 13:12

250325-qfl42aznw9 10

25/03/2025, 13:09

250325-qdtq4aznv6 10

25/03/2025, 13:05

250325-qbtcjszns3 10

25/03/2025, 13:01

250325-p9k86awxat 10

25/03/2025, 12:55

250325-p58tnawwe1 10

25/03/2025, 12:51

250325-p3txqazmt6 10

05/02/2025, 11:16

250205-ndjvsavrdm 10

16/07/2024, 08:54

240716-kt64gavakp 10

Analysis

  • max time kernel
    114s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    25/03/2025, 13:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7d98972d5c78e1d4969da76856d6818942b606c267efa67fd31d39ae77497e9c.exe

  • Size

    894KB

  • MD5

    ec8fef72a73ff94440235fc1b3f3f690

  • SHA1

    e651cd12a2493b9c2d7ebd8287a2fd29b8f4cd9c

  • SHA256

    7d98972d5c78e1d4969da76856d6818942b606c267efa67fd31d39ae77497e9c

  • SHA512

    b62f2f518f4ed3d74d96551a8c7431d50bd3349221b4b01dded18a270cbdbd1441f13f3eef7a6cc0db4aad200f1cf2babeb8e937edf8827faa7a03e4b59a35f2

  • SSDEEP

    12288:d31hZus7pQqiiyuuFuawu2zhjWBv4+1FMUUfW75CXQKXTZ1VG:1r1S+NjWx4+1SWV6Q4n

Score
9/10
credential_accessdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (9607) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 47 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d98972d5c78e1d4969da76856d6818942b606c267efa67fd31d39ae77497e9c.exe
    "C:\Users\Admin\AppData\Local\Temp\7d98972d5c78e1d4969da76856d6818942b606c267efa67fd31d39ae77497e9c.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:2424
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
      2⤵
      • System Location Discovery: System Language Discovery
      PID:832
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1796
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1560
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1328
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic SHADOWCOPY DELETE
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2496
    • C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" wmic SHADOWCOPY DELETE
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2492
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Encrypter /TR C:\Users\Admin\AppData\Roaming\info.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2440
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC ONLOGON /TN EncrypterSt /TR C:\Users\Admin\AppData\Roaming\info.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2520
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\recovery.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Opens file in notepad (likely ransom note)
      PID:2940
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2660
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {9CEC487A-6FEE-41C6-BDD3-4E1F8F50EA87} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Users\Admin\AppData\Roaming\info.exe
      C:\Users\Admin\AppData\Roaming\info.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2748
    • C:\Users\Admin\AppData\Roaming\info.exe
      C:\Users\Admin\AppData\Roaming\info.exe
      2⤵
      • Executes dropped EXE
      PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Direct Volume Access

1
T1006

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.stdformat.dll.rapid
    Filesize

    14KB

    MD5

    e8e055a1b5dc282e32a0994255475fa5

    SHA1

    5726d5ab6a5d078d496b3e5989b7941b6cd0e17f

    SHA256

    5b3a2d71857a0a2d44c8de6246f4f448548d5bd4e2b343596a9867f0a170e0bd

    SHA512

    1378ef7a63fb12fa0f7b09223897a18b2a2a444f96146fbbe54065ba529d4a319e34bde64c3e21dfca5e2652d8a883349b1433ff337097917b6588c9125db09f

    Download Submit

  • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\adodb.dll.rapid
    Filesize

    109KB

    MD5

    f9c854a81c45521f50aab386d43f89f1

    SHA1

    472c1d24e7ba8c28f9161beceb8f50080955f96e

    SHA256

    0fdc07cff2f136380111ffef95a4e0832f4c2cf0eb0ff2b4b6e3aba705a027e3

    SHA512

    730f12f82b9fd7d3888ff4a21dbe2bb2d2e567febf2360cb79fdcf0a276cf541bacc12f93192b533f00127ddc8ffb74a0f823dfcce640784d70d54b1c051cc72

    Download Submit

  • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\msdatasrc.dll.rapid
    Filesize

    5KB

    MD5

    df577f8987a13b06035fc762984dbfcd

    SHA1

    5657ac79ee178236eb22a3ccfe43703e67de1894

    SHA256

    098cc8ab7580544f4c93840578039a1080027d0d8ee47c3ab1f705470c42e45e

    SHA512

    f5c5e8795e570e8c5031f9d24b9723c88160a7ddde621ea468f8a63f4a951420cdb76fa9bbaeebd8f8b116ce638e6dfb6431a5947632315776127f6549205fb6

    Download Submit

  • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\stdole.dll.rapid
    Filesize

    17KB

    MD5

    71d4915d63ced89b4584022ab389996a

    SHA1

    9948f94dc8d98a3aac0c95c5975fb10cd0719914

    SHA256

    649fef539deef3b23c6a2c55e95f6327e9e938899ab15dd2622100a5ee2afb3c

    SHA512

    495362446d4b3b9c560a5ad2e9718f057441babf26032daa61d471d3f5cd09a3feb8f35387e3a66ac4c46289e292fc9b1928edbdc4acefee3bd6804ee17ece7e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\info.exe
    Filesize

    894KB

    MD5

    ec8fef72a73ff94440235fc1b3f3f690

    SHA1

    e651cd12a2493b9c2d7ebd8287a2fd29b8f4cd9c

    SHA256

    7d98972d5c78e1d4969da76856d6818942b606c267efa67fd31d39ae77497e9c

    SHA512

    b62f2f518f4ed3d74d96551a8c7431d50bd3349221b4b01dded18a270cbdbd1441f13f3eef7a6cc0db4aad200f1cf2babeb8e937edf8827faa7a03e4b59a35f2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\recovery.txt
    Filesize

    178B

    MD5

    f5325f1e6e23ffeebe6d50ff0acd89af

    SHA1

    f05b087c20512d9a971ff349582f9c12763adb56

    SHA256

    cccf0b099ef44454756a01902a8fe54562d12caf3464775e31bf5ba0e25663d9

    SHA512

    f034a5e0354a2fb421091f6e289e4437a7db3e801fe4a7e5192669bd264637ce24902243c47810b9d9f527d32ac0af5b002e80dfe695f6cee970a9d96929e88f

    Download Submit