Analysis

  • max time kernel
    65s
  • max time network
    67s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/03/2025, 12:07

General

  • Target

    daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe

  • Size

    160KB

  • MD5

    ed6fa9757400a0de9596d59bd0262ebd

  • SHA1

    0836c5ab9bed96b1d9618bc802792185c6ee21ca

  • SHA256

    daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397

  • SHA512

    37d93ce4b1796d205d090390645fa149181b99fa7a67c0afcfa548851644659dde27b169049f7f5bfc73e63bc448a59746236e1e6b47335d58a6b0eddd356412

  • SSDEEP

    3072:bDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368a0y5zxm8yNB41ctER6ptQtR2:15d/zugZqll3bQzmB3tQt5L

Malware Config

Signatures

  • Renames multiple (137) files with added filename extension

    Mass renaming of files with an extension appended is the hallmark of ransomware encrypting files across the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely a geofence check so that the payload skips hosts in certain locales.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service manages backups/snapshots. Ransomware commonly calls it to enumerate and delete existing shadow copies so that encrypted files cannot be restored from them. This report records the COM API being used and vssvc.exe starting, not which operation was requested, so check whether shadow copies survive (vssadmin list shadows) before relying on them for recovery.

Processes

  • C:\Users\Admin\AppData\Local\Temp\daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
    "C:\Users\Admin\AppData\Local\Temp\daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\ProgramData\8184.tmp
      "C:\ProgramData\8184.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4980
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8184.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:512
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5088
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\8ORZ41NKC.README.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:3844
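
The tree above is the detection opportunity: a GetTempFileName-style executable under C:\ProgramData, a cmd.exe child that deletes its parent's own image (cmd /C DEL /F /Q ... >> NUL, where C:\PROGRA~3 is the 8.3 short name for C:\ProgramData), Notepad opening the note, and vssvc.exe starting alongside. As an added example that is not part of the sandbox report and not the sample's code, the Python below encodes those behaviours as rules and runs them over constructed process-creation events in a hypothetical, Sysmon-like shape (pid, ppid, image, command line). The PIDs, image paths and command lines are copied from the report; the explorer.exe parent and the benign cmd.exe are invented noise, and the ransom-note token length range is an assumption.

```python
"""Behavioural detection for the process tree above.

Added example: not part of the sandbox report and not the sample's code.
Runs a few rules over process-creation events in a hypothetical,
Sysmon-like shape and flags the pattern the tree shows: a
GetTempFileName-style executable dropped under ProgramData, a cmd.exe
child that deletes its parent's own image, a ransom note opened in
Notepad, and vssvc.exe starting alongside.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    """Last path component, lower-cased, with any trailing quote removed."""
    return path.rstrip('"').rsplit("\\", 1)[-1].lower()


# Constructed events. PIDs, image paths and command lines are the ones in the
# report; explorer.exe (pid 1000) and the benign cmd.exe (pid 6000) are
# invented noise so the rules have something to ignore.
SAMPLE_EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2948, 1000,
              r"C:\Users\Admin\AppData\Local\Temp\daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe"'),
    ProcEvent(4980, 2948, r"C:\ProgramData\8184.tmp", r'"C:\ProgramData\8184.tmp"'),
    ProcEvent(512, 4980, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\8184.tmp >> NUL'),
    ProcEvent(5088, 4, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    ProcEvent(3844, 2948, r"C:\Windows\system32\NOTEPAD.EXE",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\8ORZ41NKC.README.txt'),
    ProcEvent(6000, 1000, r"C:\Windows\System32\cmd.exe", r"cmd.exe /C DEL /F /Q C:\Temp\old.log"),
]

# GetTempFileName() with an empty prefix yields <hex>.tmp, as 8184.tmp here.
TMP_EXE_RE = re.compile(r"^[A-Z]:\\ProgramData\\[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)
# "cmd /C DEL [/F /Q ...] <target>"; the target may be an 8.3 short path.
DEL_RE = re.compile(r"/C\s+DEL\s+(?:/[A-Z]\s+)*(?P<target>\S+)", re.IGNORECASE)
# Generalised from 8ORZ41NKC.README.txt: a random token then .README.txt.
# Assumption: the 6-12 character token length is a guess, not in the report.
NOTE_RE = re.compile(r"\\[A-Z0-9]{6,12}\.README\.txt$", re.IGNORECASE)


def find_dropped_tmp_executables(events):
    return [e.pid for e in events if TMP_EXE_RE.match(e.image)]


def find_self_deletion(events):
    """cmd.exe children whose DEL target is the parent's own image file.

    The 8.3 short name (PROGRA~3) cannot be expanded offline, so the
    comparison is on the file name only; that is enough to tie pid 512 to
    its parent 8184.tmp and to ignore a cmd.exe deleting an unrelated log.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != "cmd.exe":
            continue
        m = DEL_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and parent and basename(m.group("target")) == basename(parent.image):
            hits.append((e.pid, parent.image))
    return hits


def find_ransom_note_opened(events):
    return [e.pid for e in events
            if basename(e.image) == "notepad.exe" and NOTE_RE.search(e.cmdline)]


def find_vss_started(events):
    """vssvc.exe alone is noise (backups start it too); use it as corroboration."""
    return [e.pid for e in events if basename(e.image) == "vssvc.exe"]


def score(events):
    findings = {
        "dropped_tmp_exe": find_dropped_tmp_executables(events),
        "self_deletion": find_self_deletion(events),
        "ransom_note_opened": find_ransom_note_opened(events),
        "vss_service_started": find_vss_started(events),
    }
    return {k: v for k, v in findings.items() if v}


if __name__ == "__main__":
    for rule, pids in score(SAMPLE_EVENTS).items():
        print(f"{rule}: {pids}")
```

The self-deletion rule is the one worth keeping on its own: a child cmd.exe deleting its parent's image is rare in legitimate software, while vssvc.exe starting and a .tmp under ProgramData being executed each occur in benign installers and backup jobs and only add weight when they appear together in one tree.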

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\$Recycle.Bin\S-1-5-21-3920955164-3782810283-1225622749-1000\BBBBBBBBBBB

    Filesize

    129B

    MD5

    25c6be3039e44179d837bf405c7d7e03

    SHA1

    bf7a0d26737b2d12a66300b3a912edfdddb50759

    SHA256

    b307ebe763084eb889a5997a96968c0c44cb577a7f723138f61eb2f7b29eabce

    SHA512

    99e31239934d65c7d21a438a950e30950ab98fc8d3111a4d1500510a8dd4d07c846cf8b0cc47a97025079b88a0f6b89c12c7967192f3901dd65b82e120c9ffce

  • C:\ProgramData\8184.tmp

    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • C:\Users\8ORZ41NKC.README.txt

    Filesize

    6KB

    MD5

    a0e1909a33a894d300280a9b9f16ffb2

    SHA1

    fa1548dd90043c9bcd3c7d4c55d3f23263b955b1

    SHA256

    acf1d0070218a720231c32424d530be3247393b35f1e64c04944a7533d4b0a05

    SHA512

    baff597e311fbe0015877436a590e0d6d6dc5dbcadb63ed936eb8549f54da36fe384aefcf3eebebef985d5c1feea625dc3c6ea04d99f56f3e2c5ea6a291d05b8

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

    Filesize

    160KB

    MD5

    d8ede747bcb6f2570031af941533c53c

    SHA1

    f14ca29a097aa3fe6b88a7ff9214ece4c3baaf5d

    SHA256

    2e4539f2e98fe5d9acb0d7e6628fd2eda75fa4fb9ad6d2ca4e065f102161098c

    SHA512

    95e79c2ea9dd0be3bce8f5a8865fdcd717263276aa9fdd6d73847157f21789192308bd36d9f306d946711cc753501c6b6194dbccb060fcb24f13f1cd50e16e7f

  • F:\$RECYCLE.BIN\S-1-5-21-3920955164-3782810283-1225622749-1000\DDDDDDDDDDD

    Filesize

    129B

    MD5

    1f28097cc359bf24d3b362bea5347991

    SHA1

    4d6bb1cd9cf9bca3ca32b913cb5fb0c0bf1be91f

    SHA256

    9e8a50ce8584f05754be1513f2520b50eada270c6974210ffeb27f77182613a8

    SHA512

    3416d23e0a3a19ca5966f46a61b39bc1139087db7b678eede23052084e9cb06c93578a1d909c6525510a300efcc70221a456063359b508d775ee125dff27e476

  • memory/2948-302-0x0000000000790000-0x00000000007A0000-memory.dmp

    Filesize

    64KB

  • memory/2948-1-0x0000000000790000-0x00000000007A0000-memory.dmp

    Filesize

    64KB

  • memory/2948-0-0x0000000000790000-0x00000000007A0000-memory.dmp

    Filesize

    64KB

  • memory/2948-2-0x0000000000790000-0x00000000007A0000-memory.dmp

    Filesize

    64KB

  • memory/4980-299-0x0000000002560000-0x0000000002570000-memory.dmp

    Filesize

    64KB

  • memory/4980-301-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

    Filesize

    4KB

  • memory/4980-300-0x000000007FE20000-0x000000007FE21000-memory.dmp

    Filesize

    4KB

  • memory/4980-298-0x0000000002560000-0x0000000002570000-memory.dmp

    Filesize

    64KB

  • memory/4980-297-0x000000007FE40000-0x000000007FE41000-memory.dmp

    Filesize

    4KB

  • memory/4980-332-0x0000000002560000-0x0000000002570000-memory.dmp

    Filesize

    64KB

  • memory/4980-331-0x0000000002560000-0x0000000002570000-memory.dmp

    Filesize

    64KB

  • memory/4980-335-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

    Filesize

    4KB

  • memory/4980-336-0x000000007FE00000-0x000000007FE01000-memory.dmp

    Filesize

    4KB
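
The artifacts listed under Downloads (the note 8ORZ41NKC.README.txt dropped in more than one directory, the 137 files renamed with an added extension) are what a responder has to find on a live host. As an added example that is not part of the sandbox report and not the sample's own code, the script below walks a directory tree and flags them. The note-name pattern is generalised from 8ORZ41NKC.README.txt; the appended-extension heuristic, the document-extension list and the entropy threshold are assumptions, since the report does not name the extension the sample appends; the victim tree is constructed inline and nothing is read from the sample.

```python
"""Filesystem triage for the file artifacts listed above.

Added example: not part of the sandbox report and not the sample's code.
Walks a directory tree and flags ransom notes (random token followed by
.README.txt, as in 8ORZ41NKC.README.txt), files that gained a second
extension on top of an ordinary document extension, and files whose
content looks encrypted (Shannon entropy close to 8 bits per byte).
"""
import math
import random
import re
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: the note token is 6-12 alphanumerics; the report shows one 9-char token.
NOTE_RE = re.compile(r"^[A-Z0-9]{6,12}\.README\.txt$", re.IGNORECASE)
# <stem><inner ext><added ext>; inner must be a known document type so that
# archive.tar.gz or a vendor's foo.bak.old is not mistaken for a renamed file.
APPENDED_RE = re.compile(r"^.+?(?P<inner>\.[a-z0-9]{2,5})(?P<added>\.[a-z0-9]{3,12})$", re.IGNORECASE)
DOC_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png", ".csv"}  # assumption
ENTROPY_THRESHOLD = 7.5  # assumption; ciphertext sits near 8.0, English text near 4-5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_size: int = 65536) -> bool:
    """High entropy on the first chunk. Compressed formats also score high,
    so this corroborates a rename rather than standing on its own."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    return len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD


def appended_extension(name: str):
    """Return the extra extension if name looks like document.ext.<added>, else None."""
    m = APPENDED_RE.match(name)
    if m and m.group("inner").lower() in DOC_EXTS:
        return m.group("added").lower()
    return None


def triage(root: Path) -> dict:
    notes, renamed, high_entropy = [], [], []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if NOTE_RE.match(p.name):
            notes.append(rel)
            continue
        added = appended_extension(p.name)
        if added:
            renamed.append((rel, added))
        if looks_encrypted(p):
            high_entropy.append(rel)
    ext_counts = Counter(ext for _, ext in renamed)
    return {
        "ransom_notes": sorted(notes),
        "renamed": sorted(renamed),
        "high_entropy": sorted(high_entropy),
        # one extension shared by most renamed files is the mass-rename signal
        "dominant_added_extension": ext_counts.most_common(1)[0][0] if ext_counts else None,
    }


def build_sample_tree() -> Path:
    """Constructed victim profile, not taken from the report. Deterministic
    PRNG bytes stand in for ciphertext so the result is reproducible."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    rng = random.Random(1)

    def cipher(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    (root / "Desktop").mkdir()
    (root / "Documents").mkdir()
    for d in ("Desktop", "Documents"):
        (root / d / "8ORZ41NKC.README.txt").write_text("constructed ransom note placeholder\n")
    (root / "Documents" / "invoice.pdf.8orz41nkc").write_bytes(cipher(4096))
    (root / "Documents" / "notes.txt.8orz41nkc").write_bytes(cipher(4096))
    (root / "Documents" / "archive.tar.gz").write_bytes(cipher(4096))  # compressed, not renamed
    (root / "Desktop" / "todo.txt").write_text("plain text line\n" * 100)
    return root


def run_sample() -> dict:
    root = build_sample_tree()
    try:
        return triage(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Run it against a mounted image of the affected volume rather than on the live host where the sample may still be running. Entropy alone is not evidence: the constructed archive.tar.gz scores as high as the renamed files. It is the combination of one dominant added extension, the same note in several directories and high entropy on the renamed files that makes the call.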