Analysis
-
max time kernel
28s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system -
submitted
28-03-2023 00:27
Static task
static1
Behavioral task
behavioral1
Sample
q.exe
Resource
win7-20230220-en
General
-
Target
q.exe
-
Size
26KB
-
MD5
2c8df3499a2666c107a3a900335b8bd6
-
SHA1
dcbdd6e56552aa20bd867c43c7e3d4fec9957e49
-
SHA256
f6a4b33ecf988c80b0c5aa280a5a3850f44bb3931ae0d845df7c064803c5f7c7
-
SHA512
76b358c23bf11d21b748aef55e2fdaa633dea698eec2933fb2073ed0989574a1935e106a2ab92c0b0ecb1e112be26a708a1aecb2599b9944d8f4906547f2e435
-
SSDEEP
384:F+Qkwe/MEf4KCd+p5afqJnNiuRCpGP6aax9N7JmTnyvHRfeKiI4ZimJU:F+2eJWMTbiqeGPabsnyvHdTiBAX
Malware Config
Signatures
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Process: q.exe
description    ioc    process
File renamed   C:\Users\Admin\Pictures\ConvertToSet.raw => \??\c:\users\admin\pictures\ConvertToSet.raw.encrypted   q.exe
File renamed   C:\Users\Admin\Pictures\GrantWait.png => \??\c:\users\admin\pictures\GrantWait.png.encrypted   q.exe
File renamed   C:\Users\Admin\Pictures\ImportComplete.raw => \??\c:\users\admin\pictures\ImportComplete.raw.encrypted   q.exe
File renamed   C:\Users\Admin\Pictures\UnregisterGrant.raw => \??\c:\users\admin\pictures\UnregisterGrant.raw.encrypted   q.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
Process: NOTEPAD.EXE
pid    process
916    NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
Process: taskmgr.exe
pid    process
240    taskmgr.exe (14 entries, one per IoC)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Process: taskmgr.exe
description    pid    process
Token: SeDebugPrivilege    240    taskmgr.exe
-
Suspicious use of FindShellTrayWindow 27 IoCs
Processes:
Process: taskmgr.exe
pid    process
240    taskmgr.exe (27 entries, one per IoC)
-
Suspicious use of SendNotifyMessage 26 IoCs
Processes:
Process: taskmgr.exe
pid    process
240    taskmgr.exe (26 entries, one per IoC)
Processes
-
C:\Users\Admin\AppData\Local\Temp\q.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\q.exe"
- Modifies extensions of user files
-
C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DECRYPT.TXT
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\Desktop\DECRYPT.TXT
Filesize
607B
MD5
e357eb9271c77460d19016b793125c53
SHA1
d0c6ac79c3b2c8eb911592eb3f84d354cc5bebbb
SHA256
f87cc0f1caded84e06027100472052da0b32ea9bc75f2f87da18e6b28a4f2789
SHA512
6d46988485a4b9204fb87a08db0a7cfc3dfaf5ad661ba5c3b62e9722c72a4b95b1bdc190383220030ba32cef662cbec1ab9f6a9bad2b2da6adf8dc5d3755cef4
-
C:\Users\Admin\Desktop\DECRYPT_ReadMe1.TXT.ReadMe
Filesize
4KB
MD5
0e7f3fcea239c2d0c77f1e6bb486846e
SHA1
ac08c9f4ddd880cc50ee822efeea255cbf9e4bf0
SHA256
7080c28f01d0faadd652ad863fc9fdaeda478d18c8ad29754cc54006e5889dd6
SHA512
d3a694689bae1a7e6efb1b5b59be7d6b87819008dda5d8c97fc3df38c09e08266314d3dbbec065a68fe2033084c3c1618cee975f726449e38fe3927b188ac82a
-
C:\vcredist2010_x86.log.html
Filesize
81KB
MD5
8e429bed7b6b10a2af9971bd25744f35
SHA1
e10658497f31e73e83c5c19e66f2a364154fb380
SHA256
0124bc0dbea6b2faae49f01f35985648f566257e45123bce44b9bca0cd4f3b09
SHA512
d98a320c2ecc96f535e83120ac2abeb4aca6e0792b1e3a34ac6e03d5d93d5163c07382f3f510770b5407a0944e54685e290790d5578b6e9634d7cbac1a29df9c
-
memory/240-838-0x0000000140000000-0x00000001405E8000-memory.dmp
Filesize
5.9MB
-
memory/240-839-0x0000000140000000-0x00000001405E8000-memory.dmp
Filesize
5.9MB
-
memory/1940-54-0x0000000001360000-0x000000000136C000-memory.dmp
Filesize
48KB
-
memory/1940-55-0x000000001B110000-0x000000001B190000-memory.dmp
Filesize
512KB
-
memory/1940-84-0x000000001B110000-0x000000001B190000-memory.dmp
Filesize
512KB
-
memory/1940-840-0x000000001B110000-0x000000001B190000-memory.dmp
Filesize
512KB