Overview

overview

10

Static

static

3

b7da7b8869...e2.exe

windows7-x64

10

b7da7b8869...e2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/03/2025, 07:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b7da7b88697e543da7c734ff276b5fe2.exe

  • Size

    300KB

  • MD5

    b7da7b88697e543da7c734ff276b5fe2

  • SHA1

    0f9429137d002162c3cf00df80ff352333a715da

  • SHA256

    09faaeeb52d5c0bdba222478e9787a5232bb88003ea42282bd7edc855a320de3

  • SHA512

    d8a3d397dd6ca84c59b6b55f8d2252e793ab9c152bf3f3102f1eb2df0e2f26765530b5ad6f090c753de086283484eedfadef8b973298be71d19f0bbde12a9335

  • SSDEEP

    1536:ALBZQ0g3ARPHQ+lgURkzY2wmYDuOzdBUdRHVbG9dz:eYMPwIgUscrgRHVbG9dz

Score
10/10
credential_accessdiscoveryexecutionransomwarespywarestealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://raw.githubusercontent.com/R4ven1elia/something/refs/heads/main/hacked.png
exe.dropper

https://drive.usercontent.google.com/download?id=15SxZaEWsqN64G-dGDWi5C31f94CpuuZc&export=download&confirm=t&uuid=b75378f6-8f6c-4166-a88d-75319d1472fa

Signatures

  • Renames multiple (3286) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Downloads MZ/PE file 1 IoCs
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7da7b88697e543da7c734ff276b5fe2.exe
    "C:\Users\Admin\AppData\Local\Temp\b7da7b88697e543da7c734ff276b5fe2.exe"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\dosomething.ps1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4996
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\Admin\dosomething.ps1"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • Sets desktop wallpaper using registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2532
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x5lyzamz\x5lyzamz.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5376
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES614A.tmp" "c:\Users\Admin\AppData\Local\Temp\x5lyzamz\CSC9A5C14A046F347E7A1E429D69199B7CE.TMP"
            5⤵
              PID:748

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_0.Montelli
      Filesize

      8KB

      MD5

      8aa78af3b6405018d2c238125f0f9189

      SHA1

      2f5072f2f5cd1c9b7eedb48b716fe91c4125b3d3

      SHA256

      2e117c62e1d082ef62d4e22952ecff8fba9baff050a2db86ca28c4b525a71576

      SHA512

      0558b065479ec0717646cfbe9031f1eb4701ef2e4e86377038cb0330d228345bdf1f3299082c967a53226a4c08daa4d52a02e307ab537954be44102d8103b46f

      Download Submit

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_1.Montelli
      Filesize

      264KB

      MD5

      edfc15e0f94be91dab0e882147012792

      SHA1

      b6529a331b1e6407682c3cf323fa063cc15dfa16

      SHA256

      3f2ee1fde50107cdbdddaca90e1dbca022acc85e340eabf61d8e6d9e546071c3

      SHA512

      badca93a3b54de4d61add8a296050d1115718b8dddda62ec8b8cbe432c068018df387f850b128dd9527ff93b9c41f7d68b5489fa0907b4726376aa8581322e6d

      Download Submit

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_2.Montelli
      Filesize

      8KB

      MD5

      829355ead7c5a87eba571f97ce014e72

      SHA1

      d5d0d3a57622da865b0827e19c08cd2e0afd2d40

      SHA256

      e34996ffee97c3066b6436192ad51362046ceb2b4a17cfb09d3ccba460f07213

      SHA512

      ffb817f8af4f71aeddf30ca6b2d32bc80f9157f45a9db5986074eda986fa97b49260d379215a6222a37ef0b86d1dac9160a71fdbe9515ac6f3de210960410bf5

      Download Submit

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnWebGPUCache\data_3.Montelli
      Filesize

      8KB

      MD5

      93e31093ddcc6709a981e26d1eca61b7

      SHA1

      c457e5d1879fd9ba1bc44da16fb4b6d64238d588

      SHA256

      b342862d6cad9ef7b9c81bfff9b75752d037517b5d3a83821f2816958c9202bd

      SHA512

      928347130c72c8c81f09df908cf7243392875b62fc7ce5dfb8d4b50710d844b998570e8b7b6c52026990f76ff218c85fa1c5482d6579a98159f5b6bd9b55d836

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index.Montelli
      Filesize

      24B

      MD5

      757e75dbbe99b074224adc6aef9db591

      SHA1

      15a247459830cadaf3a6bb23b09f6927c54a7a58

      SHA256

      8aa09fd5d6c3b58992e0f3a32e2bcef5fd59e788f5605a0fa47cbfbeac3e18f9

      SHA512

      cd220129d0c6d96937722dd456f1984f2024b85eb5756536168a5afd4f8fd26f58c9793da97cfa9749a6642eb29ea93c1a1db2146edb3a6e502b6d83d0738a96

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\CURRENT.Montelli
      Filesize

      16B

      MD5

      0f5d1dbacdca468c785dbf5d55b851aa

      SHA1

      076fed87de9c125ff4147ed019c92513249ef8f9

      SHA256

      7d8e342c491082c1821fb3fd86831dd2826e320d8be4129e1476c0fd92b86488

      SHA512

      feb121e9fa7698e8f72d45d11b11085b2cccb85c35094584ab3c3ac0137bf2cbe07d32ad99fd5c5a5b704a96a3da1219f24fd85fef03104e00c9f344fed64cc0

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.Montelli
      Filesize

      8KB

      MD5

      d78c5040ef3d1407de0d05ad97fccec7

      SHA1

      a39b55b8e20da932d8f156b9f724a8330f499c62

      SHA256

      7585d8195b8515a9582fa647a941ddbdfa94218332e7ce74cff1e4c1ecb85bfd

      SHA512

      c306b098159afe41a9cb9e68fa00a704304407ea5278ddc71ae309eb9869f103616b51c5d8543aebee73faf9f3149f6656ba6eb3b6c5a555b875cd64159a4a24

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES614A.tmp
      Filesize

      1KB

      MD5

      c7f580c7d7c04c3cae29c2a1634af472

      SHA1

      a0825b2a2bd8846fe2cb1e22220695a594f60a0a

      SHA256

      547dcdef04bde0e26bb96a634af38812d44b30f47885e4bb5c1ca05d1dd3e2b0

      SHA512

      973646f0f6d613fd614604bfa8427f287da9b0adc5d75a6d75dff66d5ad8c947b7bb6fe37b77f430d83075e7318cff69f3f6287a5fcec92da655797fb57cf5e4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ouzhbnl3.vpi.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\x5lyzamz\x5lyzamz.dll
      Filesize

      3KB

      MD5

      b8c7ad9b7ba4790e0180284426bdf153

      SHA1

      92f4cc32f3b7a3d86792fd58cd8e55e71a9241af

      SHA256

      2588835c5f0870c4db16df811cfc8bf8683ee7e5488b16560c32b4ef1bcf7fd3

      SHA512

      455f730bf49035a3321483a43137e9bdfdceaaa26d88fa168920a1f2d2384bdf910e1d555c5f089b3cc1359212b673b26d1382e4fec17b1af4653ee2e567adec

      Download Submit

    • C:\Users\Admin\dosomething.ps1
      Filesize

      1KB

      MD5

      bd6efef6fa24fc009de3dc4bc4243696

      SHA1

      a37163cbf5d0a251a08e67c53476d7138112d4e1

      SHA256

      b62d1243c9bb0cabf768102235b383d61db9104b5808f2694add46f8c5fd49b6

      SHA512

      3149f22cecda8849255a94d3829d215a036c59127b575a4d416e868ab4d2aa974dc016281b8c6149d28b8ea9146f9d422d081b1f788c0fca296281a9817ec3e4

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\x5lyzamz\CSC9A5C14A046F347E7A1E429D69199B7CE.TMP
      Filesize

      652B

      MD5

      93f2fccf9b323fbdc11df411788a7968

      SHA1

      0d55bb52ec9c40c8d412eb33bf102fca3b7bcea9

      SHA256

      02c8c9a50dda4c395062eae21538a49a0abde274187defb193a03f63d3f39a8c

      SHA512

      5a924ac30740c4c88acbdc47167ac5c86777cbf8c70db4907248fd64c1170c40c480785d7843d1bd235a4785e3b6abd826855f136e1be2c37c8cd9920521f58e

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\x5lyzamz\x5lyzamz.0.cs
      Filesize

      395B

      MD5

      d52fa54dc6788928cf46390b6a9d4f36

      SHA1

      d7789090abeb88375c65c0a79f2e1352a72d25bf

      SHA256

      3d52b7995a732f2b562f791abdcb0dfcd237fb9af72cea603bd027c7238b3380

      SHA512

      d78318e0f12e79fa628692d501ad704506db035f7935f93c11bbd8dc0779292b1ff86162ef7e152b6e93389203b27f38726feb98475f5c7a618b0e8e241f565f

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\x5lyzamz\x5lyzamz.cmdline
      Filesize

      369B

      MD5

      bbd8d2a2e88f71453fa696705cde44d8

      SHA1

      511e17f967af7db5a0d9f44adecec039aceff407

      SHA256

      bab80d89c403fe8c4157b88ff1410267a0c9cf2db5c3f8a854b1f47ba13acfd0

      SHA512

      516bcf228b526aac1d07141957f3f18a883be29024673bed14de4e3fd266644afa69e898ec73f7bf1b5eb22ee2ebf00732375890384de49062a52450d1e38f22

      Download Submit

    • memory/2532-40-0x00000284BE9D0000-0x00000284BF176000-memory.dmp

      Filesize

      7.6MB

      Download

    • memory/2532-267-0x00007FFB19383000-0x00007FFB19385000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2532-269-0x00007FFB19380000-0x00007FFB19E41000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2532-331-0x00007FFB19380000-0x00007FFB19E41000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2532-358-0x00007FFB19380000-0x00007FFB19E41000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2532-428-0x00007FFB19380000-0x00007FFB19E41000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2532-65-0x00000284BE3B0000-0x00000284BE3B8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2532-47-0x00007FFB19380000-0x00007FFB19E41000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2532-46-0x00007FFB19380000-0x00007FFB19E41000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2532-1-0x00007FFB19383000-0x00007FFB19385000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2532-14-0x00007FFB19380000-0x00007FFB19E41000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2532-13-0x00007FFB19380000-0x00007FFB19E41000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2532-12-0x00000284A4E70000-0x00000284A4E92000-memory.dmp

      Filesize

      136KB

      Download