Analysis Overview
SHA256
f6a4b33ecf988c80b0c5aa280a5a3850f44bb3931ae0d845df7c064803c5f7c7
Threat Level: Likely malicious
The file q.exe was found to be: Likely malicious.
Malicious Activity Summary
Modifies extensions of user files
Reads user/profile data of web browsers
Suspicious behavior: EnumeratesProcesses (attributed to taskmgr.exe in the behavioral analysis, not to q.exe)
Suspicious use of AdjustPrivilegeToken (SeDebugPrivilege, attributed to taskmgr.exe in the behavioral analysis, not to q.exe)
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-28 00:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-28 00:27
Reported
2023-03-28 00:28
Platform
win7-20230220-en
Max time kernel
28s
Command Line
Signatures
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\ConvertToSet.raw => \??\c:\users\admin\pictures\ConvertToSet.raw.encrypted | C:\Users\Admin\AppData\Local\Temp\q.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\GrantWait.png => \??\c:\users\admin\pictures\GrantWait.png.encrypted | C:\Users\Admin\AppData\Local\Temp\q.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ImportComplete.raw => \??\c:\users\admin\pictures\ImportComplete.raw.encrypted | C:\Users\Admin\AppData\Local\Temp\q.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnregisterGrant.raw => \??\c:\users\admin\pictures\UnregisterGrant.raw.encrypted | C:\Users\Admin\AppData\Local\Temp\q.exe | N/A |
Reads user/profile data of web browsers
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe (14 identical events) | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
| Image | Command Line |
| C:\Users\Admin\AppData\Local\Temp\q.exe | "C:\Users\Admin\AppData\Local\Temp\q.exe" |
| C:\Windows\system32\taskmgr.exe | "C:\Windows\system32\taskmgr.exe" /4 |
| C:\Windows\system32\NOTEPAD.EXE | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DECRYPT.TXT |
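The two signatures most specific to this sample, "Modifies extensions of user files" (the four .raw/.png => .encrypted renames by q.exe above) and "Opens file in notepad (likely ransom note)" (NOTEPAD.EXE launched with C:\Users\Admin\Desktop\DECRYPT.TXT), can be reproduced as host-side detection logic. The following is an added example, not the sandbox's own rule code: the event lists are constructed from this report's rename and process tables, and the rename threshold, the set of user directories, and the ransom-note keyword pattern are assumptions chosen for illustration.

```python
"""Offline re-implementation of two behavioural heuristics from the report:
mass suffix-append renames of user files, and notepad opening a ransom note.
Event data is constructed from the report's own tables; thresholds and
patterns are assumptions, not the sandbox's actual rule logic."""
import ntpath
import re
from collections import defaultdict

# Constructed from the "File renamed" rows: (old path, new path, process).
RENAME_EVENTS = [
    (r"C:\Users\Admin\Pictures\ConvertToSet.raw",
     r"\??\c:\users\admin\pictures\ConvertToSet.raw.encrypted",
     r"C:\Users\Admin\AppData\Local\Temp\q.exe"),
    (r"C:\Users\Admin\Pictures\GrantWait.png",
     r"\??\c:\users\admin\pictures\GrantWait.png.encrypted",
     r"C:\Users\Admin\AppData\Local\Temp\q.exe"),
    (r"C:\Users\Admin\Pictures\ImportComplete.raw",
     r"\??\c:\users\admin\pictures\ImportComplete.raw.encrypted",
     r"C:\Users\Admin\AppData\Local\Temp\q.exe"),
    (r"C:\Users\Admin\Pictures\UnregisterGrant.raw",
     r"\??\c:\users\admin\pictures\UnregisterGrant.raw.encrypted",
     r"C:\Users\Admin\AppData\Local\Temp\q.exe"),
]

# Constructed from the "Processes" list: (image path, command line).
PROCESS_EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\q.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\q.exe"'),
    (r"C:\Windows\system32\taskmgr.exe",
     r'"C:\Windows\system32\taskmgr.exe" /4'),
    (r"C:\Windows\system32\NOTEPAD.EXE",
     r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\DECRYPT.TXT'),
]

# Assumed: profile subdirectories that count as "user files".
USER_DIRS = ("pictures", "documents", "desktop", "downloads", "music", "videos")
# Assumed: how many same-suffix renames by one process trigger an alert.
RENAME_THRESHOLD = 3


def normalize(path):
    """Strip the NT object-manager prefix (\\??\\) that the sandbox records on
    the target path and lower-case, so old and new paths compare cleanly."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def appended_suffix(old, new):
    """Return the suffix a rename appended (e.g. '.encrypted'), or None when
    the new name is not simply the old name with something added."""
    old_n, new_n = normalize(old), normalize(new)
    if new_n.startswith(old_n) and len(new_n) > len(old_n):
        return new_n[len(old_n):]
    return None


def is_user_file(path):
    # C:\Users\<name>\<profile dir>\... -> parts[1] == "users", parts[3] == dir
    parts = normalize(path).split("\\")
    return len(parts) > 3 and parts[1] == "users" and parts[3] in USER_DIRS


def detect_mass_rename(events, threshold=RENAME_THRESHOLD):
    """'Modifies extensions of user files': count, per (process, suffix),
    renames that append a suffix to a file under a user profile directory;
    report the pairs reaching the threshold as (process, suffix, count)."""
    counts = defaultdict(int)
    for old, new, proc in events:
        suffix = appended_suffix(old, new)
        if suffix and is_user_file(old):
            counts[(proc.lower(), suffix)] += 1
    return [(p, s, n) for (p, s), n in counts.items() if n >= threshold]


# Assumed keyword pattern for ransom-note file names.
NOTE_NAME = re.compile(r"(decrypt|readme|restore|how.?to|recover)", re.I)


def detect_ransom_note(events):
    """'Opens file in notepad (likely ransom note)': notepad launched with a
    .txt argument whose file name matches the ransom-note keyword pattern."""
    hits = []
    for image, cmdline in events:
        if ntpath.basename(image).lower() != "notepad.exe":
            continue
        # Split the quoted image path from its arguments.
        args = cmdline.split('" ', 1)[1] if cmdline.startswith('"') else cmdline
        target = args.strip().strip('"')
        if target.lower().endswith(".txt") and NOTE_NAME.search(ntpath.basename(target)):
            hits.append(target)
    return hits


if __name__ == "__main__":
    for proc, suffix, n in detect_mass_rename(RENAME_EVENTS):
        print(f"mass rename: {proc} appended {suffix!r} to {n} user files")
    for note in detect_ransom_note(PROCESS_EVENTS):
        print(f"ransom note candidate opened in notepad: {note}")
```

Against the report's own events this flags q.exe for appending ".encrypted" to four Pictures files and NOTEPAD.EXE for opening DECRYPT.TXT; the same functions can be fed Sysmon Event ID 11/1 records or EDR telemetry once mapped to the same (old, new, process) and (image, command line) tuples. Note that taskmgr.exe, which the report credits with EnumeratesProcesses and SeDebugPrivilege, produces no hit here; neither heuristic depends on those signatures.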
Network
Files
memory/1940-54-0x0000000001360000-0x000000000136C000-memory.dmp
memory/1940-55-0x000000001B110000-0x000000001B190000-memory.dmp
memory/1940-84-0x000000001B110000-0x000000001B190000-memory.dmp
C:\Users\Admin\Desktop\DECRYPT_ReadMe1.TXT.ReadMe
| MD5 | 0e7f3fcea239c2d0c77f1e6bb486846e |
| SHA1 | ac08c9f4ddd880cc50ee822efeea255cbf9e4bf0 |
| SHA256 | 7080c28f01d0faadd652ad863fc9fdaeda478d18c8ad29754cc54006e5889dd6 |
| SHA512 | d3a694689bae1a7e6efb1b5b59be7d6b87819008dda5d8c97fc3df38c09e08266314d3dbbec065a68fe2033084c3c1618cee975f726449e38fe3927b188ac82a |
C:\vcredist2010_x86.log.html
| MD5 | 8e429bed7b6b10a2af9971bd25744f35 |
| SHA1 | e10658497f31e73e83c5c19e66f2a364154fb380 |
| SHA256 | 0124bc0dbea6b2faae49f01f35985648f566257e45123bce44b9bca0cd4f3b09 |
| SHA512 | d98a320c2ecc96f535e83120ac2abeb4aca6e0792b1e3a34ac6e03d5d93d5163c07382f3f510770b5407a0944e54685e290790d5578b6e9634d7cbac1a29df9c |
memory/240-838-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/240-839-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1940-840-0x000000001B110000-0x000000001B190000-memory.dmp
C:\Users\Admin\Desktop\DECRYPT.TXT
| MD5 | e357eb9271c77460d19016b793125c53 |
| SHA1 | d0c6ac79c3b2c8eb911592eb3f84d354cc5bebbb |
| SHA256 | f87cc0f1caded84e06027100472052da0b32ea9bc75f2f87da18e6b28a4f2789 |
| SHA512 | 6d46988485a4b9204fb87a08db0a7cfc3dfaf5ad661ba5c3b62e9722c72a4b95b1bdc190383220030ba32cef662cbec1ab9f6a9bad2b2da6adf8dc5d3755cef4 |