Analysis

  • max time kernel
    22s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/03/2025, 09:16

General

  • Target

    f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe

  • Size

    60KB

  • MD5

    dfac83994c43a8cba786c678f383e8f3

  • SHA1

    e809a61e0288fd77c3bbf43f55064fd2041f1df0

  • SHA256

    f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f

  • SHA512

    750831e315d847ba49985908ec1ebca591e3deb93396731199e03a0091f438d65be46b1876603e23d2a6622ff12e61d65d36d3e16c739258d5c36f8a36cc7031

  • SSDEEP

    768:b8KivX+gIMiYzTBO6d3tG4t29U4mvn+KxXWgQUfhNu5NhmncHhs50Z1Iw6Wx:bhivX0MDzTQmtG4tSd6+f+hgnh0p+Z5

Malware Config

Signatures

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Deletes itself 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe
    "C:\Users\Admin\AppData\Local\Temp\f53f84ac24e0ae43cd5b59a0e031d6423f8dce2400d21e0d59ea5511b57f256f.exe"
    1⤵
    • Deletes itself
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F3901E1E-EF65-4703-B123-FE6E411FD552}'" delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\System32\wbem\WMIC.exe
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F3901E1E-EF65-4703-B123-FE6E411FD552}'" delete
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4948
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1380

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.DATA.735e2e2331fb

    Filesize

    1KB

    MD5

    6309bb7d16937a94be986d5995de0ba1

    SHA1

    28856c06d1ef4ee9c790d95d30adbd0d09567a1a

    SHA256

    4ccb123510113921f3292f84cf027fe4c85cb0ec55a175bb9796dccee84696d2

    SHA512

    03b058272b352217b6c018d091dcf3b5fd83f9072a823335ca8d669293389a334a19293abff8c638f67f34f395ca483a979bbfec19ee88deb0e97cc6050ebafe

  • F:\$RECYCLE.BIN\S-1-5-21-805952410-2104024357-1716932545-1000\Restore-My-Files.txt

    Filesize

    6KB

    MD5

    84ca17a0259396d7c74382234f55f4e0

    SHA1

    b5a764178ce87efe0e12c2859dd3064810f192c0

    SHA256

    114e28c227be2b32f48fc80a8fb17332d28e3bfd3098beb3ba9b92ad709f7762

    SHA512

    d6728ea917a8f6591b20149b258b9ece3bf872038fe3b2272063024d04d6db6361e777eb3e49896b8b5079393be457b369d6bd8b017d04e6f19b94de00c4aec9

  • memory/1184-0-0x0000000000A80000-0x0000000000B4A000-memory.dmp

    Filesize

    808KB

  • memory/1184-2596-0x0000000000A80000-0x0000000000B4A000-memory.dmp

    Filesize

    808KB

  • memory/1184-2595-0x0000000000A80000-0x0000000000B4A000-memory.dmp

    Filesize

    808KB

  • memory/1184-4903-0x0000000000A80000-0x0000000000B4A000-memory.dmp

    Filesize

    808KB

  • memory/1184-7610-0x0000000000A80000-0x0000000000B4A000-memory.dmp

    Filesize

    808KB

  • memory/1184-11228-0x0000000000A80000-0x0000000000B4A000-memory.dmp

    Filesize

    808KB

  • memory/1184-13265-0x0000000000A80000-0x0000000000B4A000-memory.dmp

    Filesize

    808KB

  • memory/1184-14247-0x0000000000A80000-0x0000000000B4A000-memory.dmp

    Filesize

    808KB

  • memory/1184-14248-0x0000000000A80000-0x0000000000B4A000-memory.dmp

    Filesize

    808KB

  • memory/1184-14250-0x0000000000A80000-0x0000000000B4A000-memory.dmp

    Filesize

    808KB