Analysis
- max time kernel: 42s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 28/03/2023, 02:18
Static task
- static1
Behavioral task
- behavioral1
  Sample: 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe
  Resource: win7-20230220-en
Behavioral task
- behavioral2
  Sample: 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe
  Resource: win10v2004-20230220-en
General
- Target: 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe
- Size: 1.4MB
- MD5: c25637fbfe2385e67f42378ccbd68474
- SHA1: b6821b4141131e428f8c54c1f5e2d840724569ff
- SHA256: 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b
- SHA512: 78f69ef78ec40fb712a93e62722868dd78b5bf2c3a42add5a336e77bff4678a0e7b20c6d80e06a6b3d80f45a8de4d8ab363be3975d5d19be6cff8312b3424fe5
- SSDEEP: 24576:GZ0deUIxg6AZLNsVHdGujJKX1uH9cBaGn6iMNo/FDHEj3TBechhH2y5DHEj3TB4o:65UIdwLNsV9G+KXhT9FDHEj3TBechhH0
Malware Config
Signatures
- Modifies extensions of user files (15 IoCs)
  Ransomware generally changes the extension on encrypted files.
  description | ioc | Process
  File renamed | C:\Users\Admin\Pictures\CopyReceive.png => C:\Users\Admin\Pictures\CopyReceive.png.dark_power | 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe
  File renamed | C:\Users\Admin\Pictures\RenameUnprotect.tiff => C:\Users\Admin\Pictures\RenameUnprotect.tiff.dark_power | 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe
  File opened for modification | C:\Users\Admin\Pictures\SuspendOpen.tiff | 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe
  File renamed | C:\Users\Admin\Pictures\GroupUndo.raw => C:\Users\Admin\Pictures\GroupUndo.raw.dark_power | 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe
  File renamed | C:\Users\Admin\Pictures\RegisterApprove.crw => C:\Users\Admin\Pictures\RegisterApprove.crw.dark_power | 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe
  File renamed | C:\Users\Admin\Pictures\SyncSplit.tiff => C:\Users\Admin\Pictures\SyncSplit.tiff.dark_power | 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe
  File renamed | C:\Users\Admin\Pictures\SuspendOpen.tiff => C:\Users\Admin\Pictures\SuspendOpen.tiff.dark_power | 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe
  File renamed | C:\Users\Admin\Pictures\ClearInitialize.raw => C:\Users\Admin\Pictures\ClearInitialize.raw.dark_power | 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe
  File renamed | C:\Users\Admin\Pictures\UninstallCopy.png => C:\Users\Admin\Pictures\UninstallCopy.png.dark_power | 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe
  File renamed | C:\Users\Admin\Pictures\UnregisterEnable.tiff => C:\Users\Admin\Pictures\UnregisterEnable.tiff.dark_power | 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe
  File opened for modification | C:\Users\Admin\Pictures\RenameUnprotect.tiff | 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe
  File opened for modification | C:\Users\Admin\Pictures\UnregisterEnable.tiff | 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe
  File renamed | C:\Users\Admin\Pictures\StepRestore.raw => C:\Users\Admin\Pictures\StepRestore.raw.dark_power | 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe
  File renamed | C:\Users\Admin\Pictures\ShowUninstall.tif => C:\Users\Admin\Pictures\ShowUninstall.tif.dark_power | 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe
  File opened for modification | C:\Users\Admin\Pictures\SyncSplit.tiff | 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe
- Deletes itself (1 IoC)
  pid | Process
  1380 | 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  1380 | 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1380 wrote to memory of 1644 | 1380 | 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe | 30
  PID 1380 wrote to memory of 1644 | 1380 | 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe | 30
  PID 1380 wrote to memory of 1644 | 1380 | 425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe (PID 1380, tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\425c0e99221b064d1577ac907a4803d14f4e67a305742aa2c1e80382b967831b.exe"
  - Modifies extensions of user files
  - Deletes itself
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\system32\cmd.exe (PID 1644, tree depth 2)
    Command line: C:\Windows\system32\cmd.exe /c cls
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 605KB
  MD5: 36e8331744711a54ca02a0e89f01fcb6
  SHA1: cdca324c47a540df16f9fb620e0474feae524a85
  SHA256: d253b10f3de3c9f6bb2b4f7f88a0591c0f85633323d72a6e5e5f4179b2446429
  SHA512: e67e90ca398d18775c43a2a42a1c201930e93800f3afca159510a8f6b3fd18cf3c48c1570704f19a82bb9c4f3bf6b75d8e30057bbcac923ae30b33d6e4e83358