09faaeeb52d5c0bdba222478e9787a5232bb88003ea42282bd7edc855a320de3

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7da7b88697e543da7c734ff276b5fe2.exe
Size

300KB
MD5

b7da7b88697e543da7c734ff276b5fe2
SHA1

0f9429137d002162c3cf00df80ff352333a715da
SHA256

09faaeeb52d5c0bdba222478e9787a5232bb88003ea42282bd7edc855a320de3
SHA512

d8a3d397dd6ca84c59b6b55f8d2252e793ab9c152bf3f3102f1eb2df0e2f26765530b5ad6f090c753de086283484eedfadef8b973298be71d19f0bbde12a9335
SSDEEP

1536:ALBZQ0g3ARPHQ+lgURkzY2wmYDuOzdBUdRHVbG9dz:eYMPwIgUscrgRHVbG9dz

Score

10^/10

credential_access discovery execution ransomware spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://raw.githubusercontent.com/R4ven1elia/something/refs/heads/main/hacked.png

exe.dropper

https://drive.usercontent.google.com/download?id=15SxZaEWsqN64G-dGDWi5C31f94CpuuZc&export=download&confirm=t&uuid=b75378f6-8f6c-4166-a88d-75319d1472fa

Signatures

Renames multiple (785) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2896	powershell.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.Montelli	b7da7b88697e543da7c734ff276b5fe2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\hacked.png"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2896	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2224	2908	b7da7b88697e543da7c734ff276b5fe2.exe	31
PID 2908 wrote to memory of 2224	2908	b7da7b88697e543da7c734ff276b5fe2.exe	31
PID 2908 wrote to memory of 2224	2908	b7da7b88697e543da7c734ff276b5fe2.exe	31
PID 2224 wrote to memory of 2896	2224	cmd.exe	32
PID 2224 wrote to memory of 2896	2224	cmd.exe	32
PID 2224 wrote to memory of 2896	2224	cmd.exe	32
PID 2896 wrote to memory of 2860	2896	powershell.exe	34
PID 2896 wrote to memory of 2860	2896	powershell.exe	34
PID 2896 wrote to memory of 2860	2896	powershell.exe	34
PID 2860 wrote to memory of 2404	2860	csc.exe	35
PID 2860 wrote to memory of 2404	2860	csc.exe	35
PID 2860 wrote to memory of 2404	2860	csc.exe	35
PID 2908 wrote to memory of 3048	2908	b7da7b88697e543da7c734ff276b5fe2.exe	36
PID 2908 wrote to memory of 3048	2908	b7da7b88697e543da7c734ff276b5fe2.exe	36
PID 2908 wrote to memory of 3048	2908	b7da7b88697e543da7c734ff276b5fe2.exe	36

C:\Users\Admin\AppData\Local\Temp\b7da7b88697e543da7c734ff276b5fe2.exe
"C:\Users\Admin\AppData\Local\Temp\b7da7b88697e543da7c734ff276b5fe2.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\dosomething.ps1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\dosomething.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Sets desktop wallpaper using registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\75b7yjo_.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES71D7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC71D6.tmp"
        5⤵
        
        PID:2404
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2908 -s 240
  2⤵
  PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini.Montelli

Filesize
67B

MD5
d41744f73cd9f9413a540470ae5ce1a5

SHA1
3d3e780ee8ca67d6959b63df4326016c71581918

SHA256
44cf1631d2324ae4635f68fef669e50a25f581fc89ccc0069b761c9be15dcb8f

SHA512
d9896ea4e8ab7fc5bb3ada23932d4a8bf5fab244e7deb7baaf47a668b0ca79626a1c804d76e90b4b2162b45b095f2062bbdcdfb8d062c6b151a86a3b60b2abf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\75b7yjo_.dll

Filesize
3KB

MD5
b0350821fdc738b8048498b2bd0a685e

SHA1
c45f5adb35cced57f02c44a45a6ca8e0e0f278a3

SHA256
45e6f555bc0a98758fd4275d5744bcadcb210b6eb05dc8db3e9fc3848185515f

SHA512
293ea6e6a5c52ae62ec69dd3028ca78026a4f3edb1bdee54b63e032d32d65781d9afbed4a0014a15be97a255e55aab075890edc44dd7ecefcf7d8eb1e8451bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\75b7yjo_.pdb

Filesize
7KB

MD5
0689f6ca1ff2b12b25a85e69b2f9cb42

SHA1
1c1a5190d195bd9290804c86eec2bd70a858040b

SHA256
1d12c8cf1036eeee724bf08e8e23683e626f30fb91c3f33ebffe9d77ce2caf6e

SHA512
51a61a710ec8125b92583fa900afdcc068cfae7f2567226e9252bd307eedb26e15857d2f6eb27b72e93b84b093bcf87c8b2ead581dbcdcfa685c6bec718a4cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES71D7.tmp

Filesize
1KB

MD5
962c46db8ba51b0e7df0b2c58d906698

SHA1
f0d12fb4bb33be01bfc6eb6589bac142474b74cc

SHA256
ab30176f33a2881a2fd333fd20a9875176d725b1e8af168c3bc45bd2da4d9603

SHA512
91e276b07a78d6caf16874e87b994ca94c4148e824a1614bce8808aa82ad2a3e081c40e6a44f44c5d038eb5d3f3fe4fc07ade2c95e265c49f3d661c457d03797

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1f08f73feeee759c90cd386ea70f15c1

SHA1
79019bc66b2ed767c46ec3359cb2211183628b02

SHA256
823cc35c59b5e660a5d0192d44f04b8e0cae3556bf3ca02cdaae3ee161b7cbe5

SHA512
0e688670db72d2a0cd6e38cf958d96ebebb67212066594014b20177e2ab2c99d386bcaac207e4d06c26740de46fabcef0b5f2a401bf3de68c78a96bd5672b125

Download Submit
C:\Users\Admin\dosomething.ps1

Filesize
1KB

MD5
bd6efef6fa24fc009de3dc4bc4243696

SHA1
a37163cbf5d0a251a08e67c53476d7138112d4e1

SHA256
b62d1243c9bb0cabf768102235b383d61db9104b5808f2694add46f8c5fd49b6

SHA512
3149f22cecda8849255a94d3829d215a036c59127b575a4d416e868ab4d2aa974dc016281b8c6149d28b8ea9146f9d422d081b1f788c0fca296281a9817ec3e4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\75b7yjo_.0.cs

Filesize
395B

MD5
d52fa54dc6788928cf46390b6a9d4f36

SHA1
d7789090abeb88375c65c0a79f2e1352a72d25bf

SHA256
3d52b7995a732f2b562f791abdcb0dfcd237fb9af72cea603bd027c7238b3380

SHA512
d78318e0f12e79fa628692d501ad704506db035f7935f93c11bbd8dc0779292b1ff86162ef7e152b6e93389203b27f38726feb98475f5c7a618b0e8e241f565f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\75b7yjo_.cmdline

Filesize
309B

MD5
e2ef2b3547fbb77e3edf0b34a3a49e7b

SHA1
22ac094ad0d3bdaedb5b64b9fbdb65b696e79e13

SHA256
b34e20fd304da53a08c2ad9103501cfda952e7bc9678ef90c1dc184d988706b4

SHA512
56908c6e0f10f67311181b16a25d143912d7ec82b1df4b53bbc3c647647133980902588ec62708df1c2e2f2ab6352b6ec385595e87e12906bcaccf9b503c8f0a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC71D6.tmp

Filesize
652B

MD5
b45d7ebcf2739439927c507909e0c6f8

SHA1
075352018e8ccb3f2047e659f294baf2b83824d6

SHA256
5a198474ee7a6b8bfac0c4c75e20b2e22be2ea108816a2991e2cb4adde6587c1

SHA512
abe93cee884bda39eee14f6a73b4ee9a74ebdcbff9d197f42efa47aa1753ea908eb80fa1b550cf9d0470b416db24865ed36a120534ed8481b762a358095fed6b

Download Submit
memory/2860-147-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/2860-126-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/2896-50-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/2896-56-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/2896-11-0x000007FEF59DE000-0x000007FEF59DF000-memory.dmp

Filesize
4KB

Download
memory/2896-39-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/2896-34-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/2896-149-0x0000000002A10000-0x0000000002A18000-memory.dmp

Filesize
32KB

Download
memory/2896-305-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/2896-306-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/2896-307-0x000007FEF59DE000-0x000007FEF59DF000-memory.dmp

Filesize
4KB

Download
memory/2896-310-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/2896-316-0x000007FEF5720000-0x000007FEF60BD000-memory.dmp

Filesize
9.6MB

Download
memory/2896-15-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2896-13-0x000000001B1B0000-0x000000001B492000-memory.dmp

Filesize
2.9MB

Download