Analysis

  • max time kernel
    38s
  • max time network
    22s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/03/2025, 12:07

General

  • Target

    daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe

  • Size

    160KB

  • MD5

    ed6fa9757400a0de9596d59bd0262ebd

  • SHA1

    0836c5ab9bed96b1d9618bc802792185c6ee21ca

  • SHA256

    daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397

  • SHA512

    37d93ce4b1796d205d090390645fa149181b99fa7a67c0afcfa548851644659dde27b169049f7f5bfc73e63bc448a59746236e1e6b47335d58a6b0eddd356412

  • SSDEEP

    3072:bDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368a0y5zxm8yNB41ctER6ptQtR2:15d/zugZqll3bQzmB3tQt5L

Score
9/10

Malware Config

Signatures

  • Renames multiple (165) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
    "C:\Users\Admin\AppData\Local\Temp\daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\ProgramData\C745.tmp
      "C:\ProgramData\C745.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      PID:2880
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1676

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\TTTTTTTTTTT

    Filesize

    129B

    MD5

    80e20b9717211aa03ae19b2a48606641

    SHA1

    0df40ed180108166829b6aa533f5877d5aca7444

    SHA256

    02e5999c13643b892acec90a2532c31871e6d0dc2cd44aa809564a751bdc8077

    SHA512

    5926f728c60021a5db086b1c2665e9eee7bef396de4d2faa28be5eaddb9159929f4fc81634efd67d574115336380eb44391886fe3d9fcb7cff55dc9231ee4e9b

  • C:\Users\8ORZ41NKC.README.txt

    Filesize

    6KB

    MD5

    32f4986df14926762cc5c05a8db626b9

    SHA1

    a1a0d445a63aa28efa733dd4238e2a5d0156fa8c

    SHA256

    8b89b5cba05385a51eda21713fc9ce2597cf3a87b41d4bd8e5a5120dace454cc

    SHA512

    bab7218e33f02e441135503afd86ec9ad198fc354c2857f307789d1fa6be9d3df801bce432c5ce1d2be12244f8b716337ae4d4542598687e938a846107c5a84a

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

    Filesize

    160KB

    MD5

    545a18e11deec0607bb8002d9af8c6c5

    SHA1

    dba0eb02fa9e8968935689a8934aa81649d8fcfb

    SHA256

    1f7d52b4904101184e79ad8606f919a28453acdda2bb028d15f081d78474d178

    SHA512

    9379c94d7664ae930e9955a99dad69c87927d92e030894676566bad02a4fc2d41beb674c36b8ef1e890bf6be18efe00aa1f3c6eeb4083c5ad14fbb6baeb74f46

  • F:\$RECYCLE.BIN\S-1-5-21-1488793075-819845221-1497111674-1000\EEEEEEEEEEE

    Filesize

    129B

    MD5

    c4fc6646a111b09c2b079bf2d1276cf8

    SHA1

    8d40520b86ec32112648fc4524f1d0104ac8b871

    SHA256

    c2365b3c7313dcdba208022aaa966f1244e6323d654031cab0482fb413dc342c

    SHA512

    48c7ccb7f5fd0225d904531655ad16522bb2a6657ffeb2071d4aae31951367e6cbf26d3d0edde9765fb0917ddafdf89d29a00e29c1e9802ed385b3c07d41d361

  • \ProgramData\C745.tmp

    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • memory/2128-0-0x0000000000360000-0x00000000003A0000-memory.dmp

    Filesize

    256KB

  • memory/2880-295-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

    Filesize

    4KB

  • memory/2880-299-0x000000007EF20000-0x000000007EF21000-memory.dmp

    Filesize

    4KB

  • memory/2880-298-0x000000007EF80000-0x000000007EF81000-memory.dmp

    Filesize

    4KB

  • memory/2880-297-0x0000000002320000-0x0000000002360000-memory.dmp

    Filesize

    256KB