9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6

General

Target

9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
Size

4.4MB
MD5

f155ec35d67f746593ce8cc4e64d33e5
SHA1

822e0997e6c6d577a7803018dedba01a5ec70dc3
SHA256

9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6
SHA512

ed5d2470defa3ecb8cdcdfb6b315ed921ac0719b1a08099f646208770f365866b13e2687dea21f25598d858885d54dd62b60ccefc5c45080bc4ccd6bbc923021

Score

8^/10

ransomware spyware stealer

Malware Config

Signatures

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ApproveOptimize.tif => C:\Users\Admin\Pictures\ApproveOptimize.tif.karen	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File renamed	C:\Users\Admin\Pictures\CloseResume.tif => C:\Users\Admin\Pictures\CloseResume.tif.karen	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File renamed	C:\Users\Admin\Pictures\PingInvoke.png => C:\Users\Admin\Pictures\PingInvoke.png.karen	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File renamed	C:\Users\Admin\Pictures\RestartUse.raw => C:\Users\Admin\Pictures\RestartUse.raw.karen	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeConvertFrom.tiff	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File renamed	C:\Users\Admin\Pictures\ResumeConvertFrom.tiff => C:\Users\Admin\Pictures\ResumeConvertFrom.tiff.karen	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File renamed	C:\Users\Admin\Pictures\CompareRename.tif => C:\Users\Admin\Pictures\CompareRename.tif.karen	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File renamed	C:\Users\Admin\Pictures\ReadResize.crw => C:\Users\Admin\Pictures\ReadResize.crw.karen	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File opened for modification	C:\Users\Admin\Pictures\ReceiveUnpublish.tiff	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File renamed	C:\Users\Admin\Pictures\ReceiveUnpublish.tiff => C:\Users\Admin\Pictures\ReceiveUnpublish.tiff.karen	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File renamed	C:\Users\Admin\Pictures\ResetExport.raw => C:\Users\Admin\Pictures\ResetExport.raw.karen	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File renamed	C:\Users\Admin\Pictures\ResetRepair.png => C:\Users\Admin\Pictures\ResetRepair.png.karen	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe

Drops startup file 1 IoCs

Processes:

9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 35 IoCs

Processes:

9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\Links\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\Searches\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\Desktop\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\Contacts\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\Documents\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\OneDrive\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\Videos\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\Downloads\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\Favorites\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\Music\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\Pictures\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c137e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe

C:\Users\Admin\AppData\Local\Temp\9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe
"C:\Users\Admin\AppData\Local\Temp\9f35d284afd3dafb2ab44e4a09ec7ef7cb62574282edf847d8deb7e450665bd6.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Modifies system certificate store
PID:752