Analysis
-
max time kernel
22s -
max time network
13s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
19/11/2020, 08:31
Static task
static1
Behavioral task
behavioral1
Sample
f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe
-
Size
130KB
-
MD5
c6d312f61bfa434c22e7c1eccb334b90
-
SHA1
6741b06dfbcf8fcbf2d409af021ca8f94eeb7124
-
SHA256
f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1
-
SHA512
23ccd656c1d36cb3d3c15068d63c8608f2508b2212562dd60624fe7bf292c0dea3a8f54bad70efd2df8f4d6eb3d33ff222fab4826bebb59231ec7b6a055fa07c
Score
8/10
Malware Config
Signatures
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\StartEnter.raw => C:\Users\Admin\Pictures\StartEnter.raw.3AF64EA418914714F19D5604B2D8356F90E98898BF586C2C75AE2E21C59FDE4D f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File renamed C:\Users\Admin\Pictures\MoveDisable.raw => C:\Users\Admin\Pictures\MoveDisable.raw.120EE8741E4CC3497A228D9FF4DB6AFE950BCA51C449AFA19CA5FFBF9495BD20 f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 35 IoCs
description ioc Process File opened for modification C:\Users\Admin\Documents\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Public\Downloads\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\5JH7AFHU\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XHJ74TZW\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Admin\Music\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Public\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Public\Videos\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6O9TWDTA\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Public\Desktop\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Public\Music\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Admin\Videos\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Public\Libraries\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\X6969WXQ\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Admin\Links\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Public\Documents\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Admin\Searches\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened for modification C:\Users\Public\Pictures\desktop.ini f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\P: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\G: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\L: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\N: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\W: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\E: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\T: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\Y: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\M: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\Q: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\J: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\K: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\V: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\F: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\H: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\Z: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\B: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\U: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\I: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\A: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\S: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\R: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\O: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe File opened (read-only) \??\X: f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe"C:\Users\Admin\AppData\Local\Temp\f94fbc387e32abb67244f5130becb5f50d8094726eaf592fd71ba94c4efd17b1.exe"1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
PID:1684