Analysis
-
max time kernel
94s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
05-03-2022 17:57
Static task
static1
Behavioral task
behavioral1
Sample
3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe
Resource
win7-20220223-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe
Resource
win10v2004-en-20220112
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe
-
Size
425KB
-
MD5
8e2ccd9284e09ccc4e9eef325a83b435
-
SHA1
7710f609e7623a08f0dd7cb8fae1ff38d0c729ef
-
SHA256
3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824
-
SHA512
9827bdb32c04127ee0ccc41be9c84df40e7d2aa30c68dc9f9e5bfabcd920478884bbec0f3f8ddcbe5fba2eafafa3437b37af161d59fc39daa92202e2f884247f
Score
8/10
Malware Config
Signatures
-
Modifies extensions of user files 14 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\GroupResize.png => C:\Users\Admin\Pictures\GroupResize.png.99964C95A8F26BDC4804BE9370461E6A2C1A1C94179F496F9207C6804A3F4910 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File renamed C:\Users\Admin\Pictures\RestoreImport.tiff => C:\Users\Admin\Pictures\RestoreImport.tiff.737B239BCF1F0AFC6355A250B4ACF8EE4C482F60A8B65799C99057B38E37B730 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File renamed C:\Users\Admin\Pictures\CloseFormat.crw => C:\Users\Admin\Pictures\CloseFormat.crw.8823167E6E1AA497FEC4C4D5DE860E4DB270828914610414182FE4A13C6E221C 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File renamed C:\Users\Admin\Pictures\GetReceive.tif => C:\Users\Admin\Pictures\GetReceive.tif.2B11BB1AFE46DB56575591E781EE0724DF8E21B1E5545235C81F76039EC26D35 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Admin\Pictures\RestoreImport.tiff 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File renamed C:\Users\Admin\Pictures\ResolvePing.tiff => C:\Users\Admin\Pictures\ResolvePing.tiff.6758131DD44EFD46048BDE3445E40881ED7715FD188903C40EDF3A29FEFF8230 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File renamed C:\Users\Admin\Pictures\SubmitSend.tif => C:\Users\Admin\Pictures\SubmitSend.tif.12CA68CB17B016655ACFD20A58420A0EE3C449B9AEE29700EB2AFD36ABA07439 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Admin\Pictures\ConnectResume.tiff 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Admin\Pictures\RestoreSend.tiff 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File renamed C:\Users\Admin\Pictures\RestoreSend.tiff => C:\Users\Admin\Pictures\RestoreSend.tiff.522DC73B75F52BD31C5E3342878DC297BA6E9FD7435732E8886C37A7081B6B1F 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File renamed C:\Users\Admin\Pictures\BlockInvoke.tif => C:\Users\Admin\Pictures\BlockInvoke.tif.98444864888AFF99FD17C7812F08F5A98AEB4C9E6FA7B8EA1C57101C5C2EAC1E 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File renamed C:\Users\Admin\Pictures\ConnectResume.tiff => C:\Users\Admin\Pictures\ConnectResume.tiff.EEAEFC3C3F33D6AFC7E5BF7275CF3F89A84181ED772A2FD7882083BCFCA87353 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File renamed C:\Users\Admin\Pictures\ProtectExit.png => C:\Users\Admin\Pictures\ProtectExit.png.6FDECB7D477FFD4611040771EE12D29AD7D747EA913419B1FD62229FDD38A20B 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Admin\Pictures\ResolvePing.tiff 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\YOUR_FILES_ARE_ENCRYPTED.HTML 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 28 IoCs
description ioc Process File opened for modification C:\Users\Admin\Documents\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Admin\Music\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Public\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Public\Videos\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Public\Documents\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Admin\Links\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened for modification C:\Users\Public\Music\desktop.ini 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\Z: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\U: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\I: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\F: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\G: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\L: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\Y: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\P: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\S: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\K: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\B: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\M: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\Q: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\W: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\E: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\O: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\V: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\N: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\R: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\T: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\J: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe File opened (read-only) \??\X: 3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 1636 vssvc.exe Token: SeRestorePrivilege 1636 vssvc.exe Token: SeAuditPrivilege 1636 vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe"C:\Users\Admin\AppData\Local\Temp\3f6e996ee4a40d2d19b648669d9146562627359626239324937a5c75f8030824.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
PID:3896
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636