Analysis

  • max time kernel
    83s
  • max time network
    37s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/03/2023, 17:30

General

  • Target

    11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe

  • Size

    1.3MB

  • MD5

    df134a54ae5dca7963e49d97dd104660

  • SHA1

    9bddcce91756469051f2385ef36ba8171d99686d

  • SHA256

    11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394

  • SHA512

    9046be2d1af55141001c8f35b06af2607a329e3b4d97253972362ef4ffb61106be3bf6701cbcc36f1a39028c9f17d19b414f6ee63bc34e4622a5833752a17914

  • SSDEEP

    24576:fsspRa70Hm5QQF0fTOOqs60utA+islfs/DHEj3TBi0mhwLlz2Ya60xchhH2yP1DF:f7W707QEpq3u+PkDHEj3TBi0mhwLlz2q

Malware Config

Signatures

  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
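
As an added example (not part of this sandbox report, and not the sandbox's own detection code), the following Python script replays a constructed file-system event log against the three ransomware-style signatures listed above: a process renaming many files under the user profile to a different extension ("Modifies extensions of user files"), a process renaming its own executable ("RenamesItself"), and a process deleting its own executable ("Deletes itself"). The event list, the user-profile root, the five-rename threshold and the `.locked` placeholder extension are all assumptions; the report does not state which extension the sample appends.

```python
"""Replay file-system events against the ransomware-style signatures above.

Added example, not part of the sandbox report. EVENTS is a constructed log;
the rename threshold, the user-profile root and the ".locked" suffix are
assumptions, not values the report states.
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

USER_ROOTS = ("c:\\users\\",)   # assumption: where "user files" live
MIN_EXT_CHANGES = 5             # assumption: renames needed to raise the signature


@dataclass(frozen=True)
class FsEvent:
    pid: int
    image: str       # on-disk path of the acting process image at start
    op: str          # "rename" or "delete"
    src: str
    dst: str = ""    # rename target; empty for delete


def _is_user_file(path: str) -> bool:
    return path.lower().startswith(USER_ROOTS)


def _ext_changed(src: str, dst: str) -> bool:
    return PureWindowsPath(src).suffix.lower() != PureWindowsPath(dst).suffix.lower()


def analyse(events):
    """Return (sorted (signature, pid) hits, per-PID extension changes)."""
    image_of = {}                    # pid -> current on-disk path of its image
    ext_changes = defaultdict(list)  # pid -> [(src, dst), ...] on user files
    hits = set()
    for ev in events:
        image = image_of.setdefault(ev.pid, ev.image.lower())
        if ev.op == "rename":
            if _is_user_file(ev.src) and _ext_changed(ev.src, ev.dst):
                ext_changes[ev.pid].append((ev.src, ev.dst))
            if ev.src.lower() == image:
                # The process moved its own executable. Track the new path so
                # a later delete of that path still counts as self-deletion.
                hits.add(("Suspicious behavior: RenamesItself", ev.pid))
                image_of[ev.pid] = ev.dst.lower()
        elif ev.op == "delete":
            if ev.src.lower() == image:
                hits.add(("Deletes itself", ev.pid))
        else:
            raise ValueError(f"unknown op {ev.op!r}")
    for pid, changes in ext_changes.items():
        if len(changes) >= MIN_EXT_CHANGES:
            hits.add(("Modifies extensions of user files", pid))
    return sorted(hits), dict(ext_changes)


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe")
EXPLORER = r"C:\Windows\explorer.exe"
DESK = r"C:\Users\Admin\Desktop"

# Constructed event log (not from the report); PIDs mirror the process list.
EVENTS = [
    FsEvent(1092, SAMPLE, "rename", DESK + r"\budget.xlsx", DESK + r"\budget.xlsx.locked"),
    FsEvent(1092, SAMPLE, "rename", DESK + r"\notes.docx", DESK + r"\notes.docx.locked"),
    FsEvent(1092, SAMPLE, "rename", DESK + r"\photo.jpg", DESK + r"\photo.jpg.locked"),
    FsEvent(1092, SAMPLE, "rename", DESK + r"\keys.txt", DESK + r"\keys.txt.locked"),
    FsEvent(1092, SAMPLE, "rename", DESK + r"\db.sqlite", DESK + r"\db.sqlite.locked"),
    # Outside the user profile: not counted toward "user files".
    FsEvent(1092, SAMPLE, "rename", r"C:\Windows\Temp\a.tmp", r"C:\Windows\Temp\a.locked"),
    # Self-rename followed by deletion of the renamed copy.
    FsEvent(1092, SAMPLE, "rename", SAMPLE, r"C:\Users\Admin\AppData\Local\Temp\renamed.exe"),
    FsEvent(1092, SAMPLE, "delete", r"C:\Users\Admin\AppData\Local\Temp\renamed.exe"),
    # Benign: one rename from Explorer stays below the threshold.
    FsEvent(1316, EXPLORER, "rename", DESK + r"\todo.txt", DESK + r"\todo.md"),
]

if __name__ == "__main__":
    hits, changes = analyse(EVENTS)
    for sig, pid in hits:
        print(f"{sig}  PID:{pid}  ({len(changes.get(pid, []))} extension changes)")
```

The self-rename case matters in practice: if the detector compared only against the image path recorded at process start, the delete of the renamed copy would be missed, which is why the current path is tracked per PID. The threshold keeps a single manual rename from Explorer out of the ransomware signature.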

Processes

  • C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe
    "C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe"
    1⤵
    • Modifies extensions of user files
    • Deletes itself
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
      PID:1388
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1316
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x520
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1760
  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\readme.pdf"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:820
  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\readme.pdf"
    1⤵
    PID:300
  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\readme.pdf"
    1⤵
    PID:428
  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\readme.pdf"
    1⤵
    PID:1792
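
The process list above encodes parent/child relationships with the N⤵ depth markers: `cmd.exe /c cls` at depth 2 is a child of the sample at depth 1, and every entry at depth 1 is top-level. As an added example, not code from the report or from the sandbox, the following Python script parses that layout into a tree with parent links and per-process signatures, so the same triage can be scripted across reports. The embedded text is this report's own entries re-typed as a constant (two of the four AcroRd32.exe entries, PIDs 428 and 1792, are left out for brevity); the parsing rules are inferred from the layout and are an assumption about the format.

```python
"""Parse a process list laid out as above (bullet path, command line, N⤵
depth marker, signature bullets, PID:n) into a tree with parent links.
Added example, not part of the report; the layout rules are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")


@dataclass
class Proc:
    path: str
    cmdline: str
    depth: int
    parent: Optional[int]                 # PID of the last entry one level up
    pid: int = -1
    signatures: List[str] = field(default_factory=list)


def parse_process_tree(text: str) -> Dict[int, Proc]:
    """Map PID -> Proc; each entry's parent is the most recent entry at
    depth-1, which is what the report's indentation encodes."""
    procs: Dict[int, Proc] = {}
    last_at_depth: Dict[int, int] = {}    # depth -> PID of last entry seen there
    pending: List[str] = []               # lines seen since the last PID line
    current: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if current is None:
            m = DEPTH_RE.match(line)
            if not m:
                pending.append(line)
                continue
            if len(pending) < 2:
                raise ValueError(f"depth marker without path/command: {line!r}")
            depth = int(m.group(1))
            current = Proc(path=pending[-2].lstrip("• "), cmdline=pending[-1],
                           depth=depth, parent=last_at_depth.get(depth - 1))
            pending = []
        elif (m := PID_RE.match(line)):
            current.pid = int(m.group(1))
            procs[current.pid] = current
            last_at_depth[current.depth] = current.pid
            for d in [d for d in last_at_depth if d > current.depth]:
                del last_at_depth[d]      # a new entry here closes deeper branches
            current = None
        elif line.startswith("•"):
            current.signatures.append(line.lstrip("• "))
        else:
            raise ValueError(f"unexpected line inside an entry: {line!r}")
    if current is not None:
        raise ValueError("input ends inside a process entry (no PID line)")
    return procs


def children(procs: Dict[int, Proc], pid: Optional[int]) -> List[int]:
    """PIDs whose parent is `pid`; pass None for the top-level entries."""
    return sorted(p.pid for p in procs.values() if p.parent == pid)


# The report's own process list, re-typed (last two AcroRd32.exe entries omitted).
REPORT_PROCESSES = r"""
• C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe
  "C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe"
  1⤵
  • Modifies extensions of user files
  • Deletes itself
  • Suspicious behavior: RenamesItself
  • Suspicious use of WriteProcessMemory
  PID:1092
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    2⤵
    PID:1388
• C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  1⤵
  PID:1316
• C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x520
  1⤵
  • Suspicious use of AdjustPrivilegeToken
  PID:1760
• C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\readme.pdf"
  1⤵
  • Suspicious use of SetWindowsHookEx
  PID:820
• C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\readme.pdf"
  1⤵
  PID:300
"""
```

Calling `parse_process_tree(REPORT_PROCESSES)` yields six entries; `children(tree, 1092)` returns `[1388]`, and `children(tree, None)` lists the five top-level PIDs. The parser rejects input that ends inside an entry, so a report cut off mid-list fails loudly instead of silently dropping the last process.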

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\Desktop\readme.pdf
    Filesize
    529KB
    MD5
    e7a1ded35fa8603ad2d8ea413ed70822
    SHA1
    8e51bc110584663dc297af70b76173b9a05bb39e
    SHA256
    c14c8e924987138d0ec9c1a99dd5ac728ce102aa5c6b13829ec8d21ddb243f28
    SHA512
    e1122f6bf05dc22ed840ace88a6c3823db98fb05362e5cac3202bd49951593e562d57e3fe7cf05a1dfcf6b34c2e594f999287fb8ed973a3b870cce2a4e9955b4
  • C:\Users\Public\Libraries\readme.pdf
    Filesize
    529KB
    MD5
    e7a1ded35fa8603ad2d8ea413ed70822
    SHA1
    8e51bc110584663dc297af70b76173b9a05bb39e
    SHA256
    c14c8e924987138d0ec9c1a99dd5ac728ce102aa5c6b13829ec8d21ddb243f28
    SHA512
    e1122f6bf05dc22ed840ace88a6c3823db98fb05362e5cac3202bd49951593e562d57e3fe7cf05a1dfcf6b34c2e594f999287fb8ed973a3b870cce2a4e9955b4
  • memory/1092-54-0x000000013FA50000-0x000000013FB7F000-memory.dmp
    Filesize
    1.2MB
  • memory/1092-376-0x000000013FA50000-0x000000013FB7F000-memory.dmp
    Filesize
    1.2MB
  • memory/1092-381-0x000000013FA50000-0x000000013FB7F000-memory.dmp
    Filesize
    1.2MB