Analysis
-
max time kernel
28s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
28-03-2023 00:27
General
-
Target
q.exe
-
Size
26KB
-
MD5
2c8df3499a2666c107a3a900335b8bd6
-
SHA1
dcbdd6e56552aa20bd867c43c7e3d4fec9957e49
-
SHA256
f6a4b33ecf988c80b0c5aa280a5a3850f44bb3931ae0d845df7c064803c5f7c7
-
SHA512
76b358c23bf11d21b748aef55e2fdaa633dea698eec2933fb2073ed0989574a1935e106a2ab92c0b0ecb1e112be26a708a1aecb2599b9944d8f4906547f2e435
-
SSDEEP
384:F+Qkwe/MEf4KCd+p5afqJnNiuRCpGP6aax9N7JmTnyvHRfeKiI4ZimJU:F+2eJWMTbiqeGPabsnyvHdTiBAX
Malware Config
Signatures
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 27 IoCs
-
Suspicious use of SendNotifyMessage 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\q.exe"C:\Users\Admin\AppData\Local\Temp\q.exe"1⤵
- Modifies extensions of user files
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DECRYPT.TXT1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Desktop\DECRYPT.TXTFilesize
607B
MD5e357eb9271c77460d19016b793125c53
SHA1d0c6ac79c3b2c8eb911592eb3f84d354cc5bebbb
SHA256f87cc0f1caded84e06027100472052da0b32ea9bc75f2f87da18e6b28a4f2789
SHA5126d46988485a4b9204fb87a08db0a7cfc3dfaf5ad661ba5c3b62e9722c72a4b95b1bdc190383220030ba32cef662cbec1ab9f6a9bad2b2da6adf8dc5d3755cef4
-
C:\Users\Admin\Desktop\DECRYPT_ReadMe1.TXT.ReadMeFilesize
4KB
MD50e7f3fcea239c2d0c77f1e6bb486846e
SHA1ac08c9f4ddd880cc50ee822efeea255cbf9e4bf0
SHA2567080c28f01d0faadd652ad863fc9fdaeda478d18c8ad29754cc54006e5889dd6
SHA512d3a694689bae1a7e6efb1b5b59be7d6b87819008dda5d8c97fc3df38c09e08266314d3dbbec065a68fe2033084c3c1618cee975f726449e38fe3927b188ac82a
-
C:\vcredist2010_x86.log.htmlFilesize
81KB
MD58e429bed7b6b10a2af9971bd25744f35
SHA1e10658497f31e73e83c5c19e66f2a364154fb380
SHA2560124bc0dbea6b2faae49f01f35985648f566257e45123bce44b9bca0cd4f3b09
SHA512d98a320c2ecc96f535e83120ac2abeb4aca6e0792b1e3a34ac6e03d5d93d5163c07382f3f510770b5407a0944e54685e290790d5578b6e9634d7cbac1a29df9c
-
memory/240-838-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/240-839-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/1940-54-0x0000000001360000-0x000000000136C000-memory.dmpFilesize
48KB
-
memory/1940-55-0x000000001B110000-0x000000001B190000-memory.dmpFilesize
512KB
-
memory/1940-84-0x000000001B110000-0x000000001B190000-memory.dmpFilesize
512KB
-
memory/1940-840-0x000000001B110000-0x000000001B190000-memory.dmpFilesize
512KB