Analysis
-
max time kernel
74s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system -
submitted
27-03-2023 06:41
Static task
static1
Behavioral task
behavioral1
Sample
b12292b2b9a0e8eb5caeff405de4b926e6700c2547be524d122728101865e6b1.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
b12292b2b9a0e8eb5caeff405de4b926e6700c2547be524d122728101865e6b1.exe
Resource
win10v2004-20230220-en
General
-
Target
b12292b2b9a0e8eb5caeff405de4b926e6700c2547be524d122728101865e6b1.exe
-
Size
1.3MB
-
MD5
4820c3d99b0e5792ea96bf695f3cb3a4
-
SHA1
c8e14ec57cc742d81a001643dc90b6d8ea423643
-
SHA256
b12292b2b9a0e8eb5caeff405de4b926e6700c2547be524d122728101865e6b1
-
SHA512
16e348d3ec62830f328630677bfd8962981c0f06a14c17fe02c372aef2f7784c70a45efe80d95fa03804d6921888b23a9086515b23ffb157536d6e0383bd453f
-
SSDEEP
24576:VeyPR8Z010ZGcocGFWjplHF6QmhMvytAp20opY+t0BcBVilNlgZhmJxh:nP2k0ZGc3GMjplH3XvytA7+NuDgZhmJ
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\History.txt
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
Processes:
Processes: r.exe
pid   process
532   r.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
Processes: b12292b2b9a0e8eb5caeff405de4b926e6700c2547be524d122728101865e6b1.exe, r.exe
description | process | ioc
Set value (str) | b12292b2b9a0e8eb5caeff405de4b926e6700c2547be524d122728101865e6b1.exe | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Key created | r.exe | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run
Set value (str) | r.exe | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lolol = "C:\\ProgramData\\lolol.exe"
Key created | b12292b2b9a0e8eb5caeff405de4b926e6700c2547be524d122728101865e6b1.exe | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
Processes: r.exe
description | process | ioc
Set value (str) | r.exe | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wp.png"
-
Suspicious use of AdjustPrivilegeToken 45 IoCs
Processes:
Processes: wmic.exe, vssvc.exe
pid   process    tokens adjusted
1624  wmic.exe   SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence of 21 adjustments is recorded twice, 42 events)
2560  vssvc.exe  SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
Processes: b12292b2b9a0e8eb5caeff405de4b926e6700c2547be524d122728101865e6b1.exe, r.exe
pid   process                                                                 target pid  target process
4236  b12292b2b9a0e8eb5caeff405de4b926e6700c2547be524d122728101865e6b1.exe   532         r.exe (3 events)
532   r.exe                                                                   1624        wmic.exe (3 events)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
- C:\Users\Admin\AppData\Local\Temp\b12292b2b9a0e8eb5caeff405de4b926e6700c2547be524d122728101865e6b1.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b12292b2b9a0e8eb5caeff405de4b926e6700c2547be524d122728101865e6b1.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Sets desktop wallpaper using registry
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\wmic.exe (depth 3)
      Command line: wmic.exe shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
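The process tree and the Signatures section together give the behavioural chain a detection engineer wants to alert on: the IExpress-style self-extractor (the IXP000.TMP staging directory and the RunOnce\wextract_cleanup0 value pointing at advpack.dll,DelNodeRunDLL32 are what Windows' wextract writes to clean up after itself, not persistence chosen by the payload) drops r.exe, r.exe writes Run\lolol = C:\ProgramData\lolol.exe, swaps the wallpaper and spawns wmic.exe shadowcopy delete, which in turn wakes vssvc.exe. Two caveats worth noting from the report itself: C:\ProgramData\lolol.exe never appears among the dropped files, so the persistence target was not observed being written in this run, and the wmic.exe that ran is the SysWOW64 copy, consistent with r.exe being a 32-bit process. The following is an added example, not code from the report or from the sandbox vendor. It rebuilds the run as constructed Sysmon-shaped events (EventID 1 process creation, EventID 13 registry value set) with the PIDs, images, command lines and registry paths taken from the report, then runs three small rules over them: shadow-copy deletion with the full parent chain, Run/RunOnce values pointing into user-writable directories (with the wextract cleanup entry downgraded to informational), and a wallpaper change sourced from a user directory. The vssadmin, wbadmin and bcdedit command shapes go beyond what this sample did; they are the usual variants of the same technique and are an assumption of the example, as is the Sysmon field naming.

```python
import re

SAMPLE = "b12292b2b9a0e8eb5caeff405de4b926e6700c2547be524d122728101865e6b1.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SID = "S-1-5-21-2275444769-3691835758-4097679484-1000"

# Constructed events in the shape of Sysmon EventID 1 (process create) and
# EventID 13 (registry value set). Images, PIDs, command lines and registry
# paths are copied from the report; the parents of the two depth-1 processes
# are not in the report and are left as None.
EVENTS = [
    {"id": 1, "pid": 4236, "ppid": None, "image": TMP + "\\" + SAMPLE,
     "cmd": '"' + TMP + "\\" + SAMPLE + '"'},
    {"id": 13, "pid": 4236,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "'
                + TMP + '\\IXP000.TMP\\"'},
    {"id": 1, "pid": 532, "ppid": 4236, "image": TMP + r"\IXP000.TMP\r.exe",
     "cmd": TMP + r"\IXP000.TMP\r.exe"},
    {"id": 13, "pid": 532,
     "target": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lolol",
     "details": r"C:\ProgramData\lolol.exe"},
    {"id": 13, "pid": 532,
     "target": "HKU\\" + SID + r"\Control Panel\Desktop\Wallpaper",
     "details": TMP + r"\wp.png"},
    {"id": 1, "pid": 1624, "ppid": 532, "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "cmd": "wmic.exe shadowcopy delete"},
    {"id": 1, "pid": 2560, "ppid": None, "image": r"C:\Windows\system32\vssvc.exe",
     "cmd": r"C:\Windows\system32\vssvc.exe"},
]

# Command-line shapes used to inhibit recovery (ATT&CK T1490). The first is the
# one seen in this run; the others are common variants (assumed, not observed).
SHADOW_RULES = [
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("bcdedit recoveryenabled no",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
]
RUN_VALUE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
WALLPAPER = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)
# Autostart targets in user-writable locations are the ones worth paging on.
USER_WRITABLE = re.compile(r'^"?C:\\(ProgramData|Users\\[^\\]+\\AppData|Users\\Public)\\', re.I)
# RunOnce\wextract_cleanupN -> advpack.dll,DelNodeRunDLL32 is written by the
# Windows self-extractor (wextract/IExpress) to delete its IXPnnn.TMP staging
# directory: an SFX artefact, not persistence chosen by the payload.
SFX_CLEANUP = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.I)
STAGING_DIR = re.compile(r"\\Temp\\IXP\d{3}\.TMP\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def ancestry(pid, procs):
    """Process-create events from pid up to the root (cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def run_detections(events):
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    findings = []
    for e in events:
        if e["id"] == 1:
            for name, rx in SHADOW_RULES:
                if rx.search(e["cmd"]):
                    chain = ancestry(e["pid"], procs)
                    findings.append({
                        "rule": "shadow_copy_deletion", "severity": "high",
                        "technique": name, "pid": e["pid"],
                        "chain": [basename(p["image"]) for p in chain],
                        "from_sfx_staging": any(STAGING_DIR.search(p["image"]) for p in chain),
                    })
        elif e["id"] == 13:
            m = RUN_VALUE.search(e["target"])
            if m:
                key, value = m.group(1), m.group(2)
                if value.lower().startswith("wextract_cleanup") and SFX_CLEANUP.search(e["details"]):
                    findings.append({"rule": "sfx_cleanup_runonce", "severity": "info",
                                     "pid": e["pid"], "value": value})
                elif USER_WRITABLE.match(e["details"]):
                    findings.append({"rule": "run_key_persistence", "severity": "high",
                                     "pid": e["pid"], "key": key, "value": value,
                                     "target": e["details"]})
            elif WALLPAPER.search(e["target"]) and USER_WRITABLE.match(e["details"]):
                findings.append({"rule": "wallpaper_from_user_dir", "severity": "medium",
                                 "pid": e["pid"], "target": e["details"]})
    return findings


if __name__ == "__main__":
    for f in run_detections(EVENTS):
        print(f["severity"].upper(), f["rule"],
              {k: v for k, v in f.items() if k not in ("rule", "severity")})
```

On the report's events this yields one high finding for the wmic.exe command with the chain wmic.exe, r.exe, sample and the staging-directory flag set, one high finding for the Run\lolol value, one medium finding for the wallpaper and one informational finding for the wextract cleanup entry. The parent chain is the part that matters in production: wmic shadowcopy delete from an administrator's shell is noise, the same command from a binary in a Temp\IXPnnn.TMP directory is not.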
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{14df477c-8711-4d5c-ac3e-349777767d52}\0.1.filtertrie.intermediate.txt.lolol
Filesize
53B
MD5
cdc8df570b07fcbec956bed6a11d04e6
SHA1
4567949b96f6ca78dc527a5d2bd8d6876bbd23f2
SHA256
8f56d5ef0f2bf53214e53ceaa12faea15c08ed600c99f38295ec10e9c8e13b3a
SHA512
439d229fcedb890cae00be6e380e6f5bef6521c213f7bc06de88e6298765177f6e752e3ac17dd55457bd5a2e457957ec79163ae19249f50c3be00ba6c90f7737
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{14df477c-8711-4d5c-ac3e-349777767d52}\0.2.filtertrie.intermediate.txt.lolol
Filesize
53B
MD5
d580065a2284b092a94d5b27f51fadf1
SHA1
bf6cdbed4f3519732c75080fe5c2f1c062a667f0
SHA256
57af3d1d80818dc06e08726784ed2c6dd89d365eb1cea1b62710dcb013b0b9c9
SHA512
66f603ec48d2e535d9107ecb774205ad0155a9e11a6d85c901b4afa19f1c0edcb1cf898a321cd61185b057adfef55e687e0166aa3d7221f95adce4853a1e1c29
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133213997353165704.txt.lolol
Filesize
48KB
MD5
6ae5aab85b815ab68463c65a87befcaa
SHA1
2db479bd0a6e6123275b4801f2fd0c01ecef502a
SHA256
8fc883b6f5afd7c43aae2037a3a017d7588b308258f4dfcb276a5ce32397a3fe
SHA512
97962ac1c1b021b5dcb72a2ef7a5bafa5b22e5454f060f0377a0151488a25eb370e4902e6aa70f68bb6e6806dd802f9a94597b286e4f0b660d9e697b9bf3fd65
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133214005363349620.txt.lolol
Filesize
64KB
MD5
76735af216d9713cc320ac44b1ab2a26
SHA1
6a99e42ef85602d5ffdd892c58ae448e9698f20e
SHA256
fa9e1c6640a130918a7cf8e0a4be41d48e2679bfb0340428fc8ec0f03582e429
SHA512
0794b40cb7cfa82c82f3857e864d5892c3fdc72123534f976b2643ceef7f34a9b33dca394c332aa83aebe17e7d5eb2390bb7604b0e8b096ed113e651871d2a94
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\History.txt
Filesize
54KB
MD5
b1206a5abf93bc64601a3caa2dff47d4
SHA1
8f3ec5931b77f0841522324fb1202599b396e45a
SHA256
24a8a7c00f0bb8ac3096f58f53bd47fa392b8d220c1c43d372100bd692c68e5f
SHA512
6b13003fe209885f377ed93340a2472b936bc5699ed9e645f40a9dacc647d9aa280f78c991805b9646861fa4ca1e85e9799c3868daead643e21a9b351b2663f9
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\History.txt.lolol
Filesize
54KB
MD5
368cc2e9979e8d169ff5b8faeae77c7f
SHA1
d9158fc250ba74dd2d62f9d00585d36dda307376
SHA256
7b10367f9b052a9e3c8c7c740493c35291b0dcdbb5adb348eeee075c523884f7
SHA512
ed26c7660d522dd5f61052e9bfc3b3c6a53e9b4c6a8805ba60a0167c0e62ea4365ea4959007f19702639a58cd5c22c9d4d5ce1a0798ff99a60fe5d4616782c74
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\License.txt
Filesize
3KB
MD5
fcb4f2486eaba2743c10991ca7ba2c85
SHA1
c47e84a7d22713762d5776bed5c0ce8cfc42250e
SHA256
c3dd6ef20f70f046cff5270c09cbb48c818bc0b2dd34a00181fd9bedce35f1bf
SHA512
3c2786983e0d1bae01ffc921bc2596e8a9a81c9f56b2fa13fc8da05182a598a09f743255fc7b364ef390c70ebf04bbde1c72451879023589c7e9037778504ac9
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\License.txt.lolol
Filesize
3KB
MD5
c83ee59a78ce69fa2aafb4cf6d430e55
SHA1
e4d458fc7d192b353bdd73de8d6f42e90c72a8b2
SHA256
2a8eb05a35990926618a636b7fd0fd299e0c6c09cabcb0acf85d8677087da390
SHA512
b22711c6b79461cf3236f018b2416d31675ee51fbd4fb9ad700a66f334a91d7844543ed3fdfc8607c0c12be12a15af1b02b47d706d50ce899837573337254582
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WHATS_GOING_ON.lolol.txt
Filesize
275B
MD5
569c75a631209494fe66031b6b77d4b8
SHA1
564679a5f9de6c4533dc74b0f0a2f180ec2c29cc
SHA256
f475e03f09e7c3c613b256fec3879b2a9b70c338afde2e9a41ea7bdbb424c389
SHA512
3773452c02e863ff15d9d4580b5e349673ad6954725c1bfc5ffc73f18abc1ace3fde302483e8a46de4763ace3c79881767860661cec0881e0841562bd3807b7e
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r.exe
Filesize
28KB
MD5
162bb53da302d0beeb76281b509b0149
SHA1
462503512ce09132993993d9d1514958ef04de97
SHA256
2be5b98ebfaf0123e550e69be3c2e834fab49519824fc5727486a0ee21b8258a
SHA512
39634bbda6cb2ee814edb826ad74b41ade82cb96b78e85c5d6ab3815ce4df1bf2627b907925160ab1516518b2b092f11286daacacfdeafc73321b0dc46dc76e6
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\readme.txt
Filesize
1KB
MD5
b57c8b97c0d018d14786e06eabe0734f
SHA1
0c30b73f29600dd9ee51dd87ecc718f48022294a
SHA256
78452b7a10fdd6b2131d3e98f3ffa533b415ed58a0edd3f644d3ec8c98ceb23f
SHA512
b503ab083a4eda004e3020cbc887a2cd49b80dd74b08f73f86e7b9d04ceaae8b3c43d59a7abe3153ae220c601fb3da2b5ce020446492cb9d85dd2ea102dfcfe7
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\readme.txt.lolol
Filesize
1KB
MD5
7dc4d3661305beca317759c226c7e5f5
SHA1
1d6fb869f5d5c87d0b7cff308682a7988bb3961d
SHA256
ea2272062bfb446f21b98af551a527dfb399fb6c57e36375d8b4b7e99a564d0d
SHA512
dc1765280168d06673f3c47df90c635a54f7e279f75d35ff8c8b6296fa8807fc1891ea4f8e07460f61c56ee1e7169831354fb6e12c2d0c661c9b96e8df533ba5
-
C:\Users\Admin\Pictures\Camera Roll\WHATS_GOING_ON.lolol.txt
Filesize
275B
MD5
569c75a631209494fe66031b6b77d4b8
SHA1
564679a5f9de6c4533dc74b0f0a2f180ec2c29cc
SHA256
f475e03f09e7c3c613b256fec3879b2a9b70c338afde2e9a41ea7bdbb424c389
SHA512
3773452c02e863ff15d9d4580b5e349673ad6954725c1bfc5ffc73f18abc1ace3fde302483e8a46de4763ace3c79881767860661cec0881e0841562bd3807b7e
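The dropped-file list above is the raw material for the encryption-side IOCs, and a few things can be read out of it directly: every encrypted output carries a second extension (.lolol) appended behind the original one; the three files the self-extractor unpacked into IXP000.TMP (History.txt, License.txt, readme.txt) appear both in clear and encrypted, with the same reported size and a different hash, which is consistent with encryption that appends no header or footer (the report rounds sizes to the kilobyte, so only a difference larger than that would show); the four Windows Search cache files appear only in encrypted form because they existed before the run; and the ransom note WHATS_GOING_ON.lolol.txt has the same SHA256 in two directories, so it is a static note with no per-victim content. Note that the list records files written during the run, so the presence of a clear-text original says it was extracted, not that it survived. The following is an added example, not part of the report, that performs this triage automatically over the records copied from the list; the size parser, the double-extension heuristic and the result layout are the example's own assumptions.

```python
import re
from collections import Counter, defaultdict

SEARCH = r"C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState"
IXP = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP"

# (path, reported size, SHA256) copied from the Downloads list of the report.
# Sizes are the report's rounded values, so size comparisons are approximate.
DROPPED = [
    (SEARCH + r"\ConstraintIndex\Apps_{14df477c-8711-4d5c-ac3e-349777767d52}\0.1.filtertrie.intermediate.txt.lolol",
     "53B", "8f56d5ef0f2bf53214e53ceaa12faea15c08ed600c99f38295ec10e9c8e13b3a"),
    (SEARCH + r"\ConstraintIndex\Apps_{14df477c-8711-4d5c-ac3e-349777767d52}\0.2.filtertrie.intermediate.txt.lolol",
     "53B", "57af3d1d80818dc06e08726784ed2c6dd89d365eb1cea1b62710dcb013b0b9c9"),
    (SEARCH + r"\DeviceSearchCache\AppCache133213997353165704.txt.lolol",
     "48KB", "8fc883b6f5afd7c43aae2037a3a017d7588b308258f4dfcb276a5ce32397a3fe"),
    (SEARCH + r"\DeviceSearchCache\AppCache133214005363349620.txt.lolol",
     "64KB", "fa9e1c6640a130918a7cf8e0a4be41d48e2679bfb0340428fc8ec0f03582e429"),
    (IXP + r"\History.txt", "54KB", "24a8a7c00f0bb8ac3096f58f53bd47fa392b8d220c1c43d372100bd692c68e5f"),
    (IXP + r"\History.txt.lolol", "54KB", "7b10367f9b052a9e3c8c7c740493c35291b0dcdbb5adb348eeee075c523884f7"),
    (IXP + r"\License.txt", "3KB", "c3dd6ef20f70f046cff5270c09cbb48c818bc0b2dd34a00181fd9bedce35f1bf"),
    (IXP + r"\License.txt.lolol", "3KB", "2a8eb05a35990926618a636b7fd0fd299e0c6c09cabcb0acf85d8677087da390"),
    (IXP + r"\WHATS_GOING_ON.lolol.txt", "275B", "f475e03f09e7c3c613b256fec3879b2a9b70c338afde2e9a41ea7bdbb424c389"),
    (IXP + r"\r.exe", "28KB", "2be5b98ebfaf0123e550e69be3c2e834fab49519824fc5727486a0ee21b8258a"),
    (IXP + r"\readme.txt", "1KB", "78452b7a10fdd6b2131d3e98f3ffa533b415ed58a0edd3f644d3ec8c98ceb23f"),
    (IXP + r"\readme.txt.lolol", "1KB", "ea2272062bfb446f21b98af551a527dfb399fb6c57e36375d8b4b7e99a564d0d"),
    (r"C:\Users\Admin\Pictures\Camera Roll\WHATS_GOING_ON.lolol.txt",
     "275B", "f475e03f09e7c3c613b256fec3879b2a9b70c338afde2e9a41ea7bdbb424c389"),
]

# "name.txt.lolol": an extension sitting behind another one.
DOUBLE_EXT = re.compile(r"\.[A-Za-z0-9]+(\.[A-Za-z0-9]+)$")


def parse_size(text):
    """'54KB' -> 55296. The report rounds, so treat the result as approximate."""
    m = re.fullmatch(r"(\d+)(B|KB|MB)", text)
    return int(m.group(1)) * {"B": 1, "KB": 1024, "MB": 1024 ** 2}[m.group(2)]


def infer_appended_extension(records):
    """Most common extension appended behind an existing one (heuristic)."""
    counts = Counter()
    for path, _, _ in records:
        m = DOUBLE_EXT.search(path.rsplit("\\", 1)[-1])
        if m:
            counts[m.group(1).lower()] += 1
    return counts.most_common(1)[0][0] if counts else None


def triage(records, ext=None):
    ext = ext or infer_appended_extension(records)
    by_path = {p: (s, h) for p, s, h in records}  # also collapses duplicate rows
    encrypted = [p for p in by_path if p.lower().endswith(ext)]
    pairs, orphans = [], []
    for p in encrypted:
        orig = p[:-len(ext)]
        if orig in by_path:
            # the clear-text original was also written during the run (here:
            # unpacked by the SFX), so output and input can be compared
            pairs.append({"file": orig.rsplit("\\", 1)[-1],
                          "same_size": parse_size(by_path[orig][0]) == parse_size(by_path[p][0]),
                          "same_hash": by_path[orig][1] == by_path[p][1]})
        else:
            # pre-existing victim file: only the encrypted output was captured
            orphans.append(orig.rsplit("\\", 1)[-1])
    by_hash = defaultdict(list)
    for p, (_, h) in by_path.items():
        by_hash[h].append(p)
    # byte-identical content dropped into several directories: the static note
    notes = [sorted(ps) for ps in by_hash.values() if len(ps) > 1]
    return {"extension": ext, "encrypted": len(encrypted), "pairs": pairs,
            "orphans": sorted(orphans), "notes": notes}


if __name__ == "__main__":
    r = triage(DROPPED)
    print("extension:", r["extension"], "| encrypted files:", r["encrypted"])
    for p in r["pairs"]:
        print(" pair:", p)
    print(" pre-existing victims:", r["orphans"])
    print(" note locations:", r["notes"])
```

Run on the report's records it reports .lolol as the appended extension, seven encrypted files, three clear/encrypted pairs that all keep their size and change their hash, four pre-existing victims under the Windows Search cache, and one note body present in two directories. The same routine applied to a larger sandbox listing or to a file-system walk of an infected host gives the extension, note name and note hash to push into file-name and hash blocklists.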