11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394

Analysis

max time kernel
42s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28/03/2023, 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe
Size

1.3MB
MD5

df134a54ae5dca7963e49d97dd104660
SHA1

9bddcce91756469051f2385ef36ba8171d99686d
SHA256

11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394
SHA512

9046be2d1af55141001c8f35b06af2607a329e3b4d97253972362ef4ffb61106be3bf6701cbcc36f1a39028c9f17d19b414f6ee63bc34e4622a5833752a17914
SSDEEP

24576:fsspRa70Hm5QQF0fTOOqs60utA+islfs/DHEj3TBi0mhwLlz2Ya60xchhH2yP1DF:f7W707QEpq3u+PkDHEj3TBi0mhwLlz2q

Score

8^/10

ransomware spyware stealer

Malware Config

Signatures

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\NewInitialize.crw => C:\Users\Admin\Pictures\NewInitialize.crw.dark_power	11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe
File renamed	C:\Users\Admin\Pictures\SplitTest.png => C:\Users\Admin\Pictures\SplitTest.png.dark_power	11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe
File opened for modification	C:\Users\Admin\Pictures\CopyWrite.tiff	11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe
File renamed	C:\Users\Admin\Pictures\CopyWrite.tiff => C:\Users\Admin\Pictures\CopyWrite.tiff.dark_power	11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe
File renamed	C:\Users\Admin\Pictures\UninstallPing.tif => C:\Users\Admin\Pictures\UninstallPing.tif.dark_power	11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe
File renamed	C:\Users\Admin\Pictures\StartProtect.crw => C:\Users\Admin\Pictures\StartProtect.crw.dark_power	11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe

Deletes itself 1 IoCs

pid	Process
1680	11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1680	11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 976	1680	11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe	30
PID 1680 wrote to memory of 976	1680	11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe	30
PID 1680 wrote to memory of 976	1680	11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe	30

C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe
"C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe"
1⤵
- Modifies extensions of user files
- Deletes itself
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Libraries\readme.pdf

Filesize
529KB

MD5
e7a1ded35fa8603ad2d8ea413ed70822

SHA1
8e51bc110584663dc297af70b76173b9a05bb39e

SHA256
c14c8e924987138d0ec9c1a99dd5ac728ce102aa5c6b13829ec8d21ddb243f28

SHA512
e1122f6bf05dc22ed840ace88a6c3823db98fb05362e5cac3202bd49951593e562d57e3fe7cf05a1dfcf6b34c2e594f999287fb8ed973a3b870cce2a4e9955b4

Download Submit
memory/1680-54-0x000000013F9E0000-0x000000013FB0F000-memory.dmp

Filesize
1.2MB

Download
memory/1680-392-0x000000013F9E0000-0x000000013FB0F000-memory.dmp

Filesize
1.2MB

Download
memory/1680-393-0x000000013F9E0000-0x000000013FB0F000-memory.dmp

Filesize
1.2MB

Download