Overview

overview

10

Static

static

10

daf55a9d48...97.exe

windows7-x64

9

daf55a9d48...97.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    94s
  • max time network
    22s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    26/03/2025, 12:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe

  • Size

    160KB

  • MD5

    ed6fa9757400a0de9596d59bd0262ebd

  • SHA1

    0836c5ab9bed96b1d9618bc802792185c6ee21ca

  • SHA256

    daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397

  • SHA512

    37d93ce4b1796d205d090390645fa149181b99fa7a67c0afcfa548851644659dde27b169049f7f5bfc73e63bc448a59746236e1e6b47335d58a6b0eddd356412

  • SSDEEP

    3072:bDDDDDDDDDDDDDDDDDDDE45d/t6sVkgZqltP3368a0y5zxm8yNB41ctER6ptQtR2:15d/zugZqll3bQzmB3tQt5L

Score
9/10
defense_evasiondiscoveryransomware

Malware Config

Signatures

  • Renames multiple (171) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 2 IoCs
    defense_evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe
    "C:\Users\Admin\AppData\Local\Temp\daf55a9d48dd736fa870acd24cf4ced89b079544051d3bd782195ea9b96d6397.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\ProgramData\76D5.tmp
      "C:\ProgramData\76D5.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\76D5.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1492
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1952
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x148
    1⤵
      PID:2024

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini
      Filesize

      129B

      MD5

      0b0c505497773cca6c13c6e5efb4ebe7

      SHA1

      376cbc4a8189c13219a34ee6d259e0e9f6f8e6f7

      SHA256

      c0892e48c41ecf26ccea6e4afbc35c4dc5185182ec3873007c6c72e9aaef6942

      SHA512

      aec3d0d32c17d7cff421365c24996057df76707b34d8d79b7944b6a71fa6329c4e81390fd56c2cbd1dd39b7ddcc4c527a64db67ae6de068c8efc54aabacb8170

      Download Submit

    • C:\Users\8ORZ41NKC.README.txt
      Filesize

      6KB

      MD5

      bdb3632fd11bc551dd7fedccfdccbcac

      SHA1

      70b1631eb99ae7c738b003f61f54b102767bcc37

      SHA256

      e36b07d2605c1e5d4e66c4180c959853152832876fd05d86932b423ae38acebc

      SHA512

      9e06854b0930fb7cb8411c9ca745fbf8fa6ff865dfde5802f6235771004fe6179121de76660ba6933007008d644f1294024eb8321ae25b52543129c9a84c3269

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
      Filesize

      160KB

      MD5

      c4f1ef8cf9397ab13eab7c70cb751b9c

      SHA1

      6b5d60729e56253260dabc46b51b0fc038f2fa0f

      SHA256

      2c873690913bde1b3dd56eaa471580a7ae0afb7f3bd88fbb515f15c8400ae823

      SHA512

      c6196ff25ca1607673318468ae8ed9d8f512c4c15f16eec83fbd9f13c3236a6c085fc1fff635bcc80cfdc084d6f49166574c608b675ea4a4c65ec7b8df761ca4

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-2703099537-420551529-3771253338-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      a4c7efdd37cf45b74ad8fd048a2eb876

      SHA1

      e0a2a959e18fdf32977b5e71fc93f4f300b5dee9

      SHA256

      60c87b2a418551a817685e3a551e5c0ada6194918faf6be9a83b55b5b2011a6e

      SHA512

      7b5004472092ae7fe65186ba1966f53c30302b55da91914121e03776fe9ff27944e9b7fac3617ab230d68085957713e68db68f442501503aa072b18be36dc3fb

      Download Submit

    • \ProgramData\76D5.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • memory/1768-0-0x0000000000120000-0x0000000000160000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2844-301-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2844-305-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2844-304-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2844-303-0x0000000002070000-0x00000000020B0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2844-337-0x000000007EF60000-0x000000007EF61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2844-336-0x000000007EF40000-0x000000007EF41000-memory.dmp

      Filesize

      4KB

      Download