Analysis
-
max time kernel
83s -
max time network
37s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
31/03/2023, 17:30
Static task
static1
Behavioral task
behavioral1
Sample
11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe
Resource
win10v2004-20230221-en
Behavioral task
behavioral3
Sample
33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
Resource
win10v2004-20230220-en
General
-
Target
11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe
-
Size
1.3MB
-
MD5
df134a54ae5dca7963e49d97dd104660
-
SHA1
9bddcce91756469051f2385ef36ba8171d99686d
-
SHA256
11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394
-
SHA512
9046be2d1af55141001c8f35b06af2607a329e3b4d97253972362ef4ffb61106be3bf6701cbcc36f1a39028c9f17d19b414f6ee63bc34e4622a5833752a17914
-
SSDEEP
24576:fsspRa70Hm5QQF0fTOOqs60utA+islfs/DHEj3TBi0mhwLlz2Ya60xchhH2yP1DF:f7W707QEpq3u+PkDHEj3TBi0mhwLlz2q
Malware Config
Signatures
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File opened for modification C:\Users\Admin\Pictures\WriteSubmit.tiff 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe File renamed C:\Users\Admin\Pictures\WriteSubmit.tiff => C:\Users\Admin\Pictures\WriteSubmit.tiff.dark_power 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe File renamed C:\Users\Admin\Pictures\InstallUnprotect.png => C:\Users\Admin\Pictures\InstallUnprotect.png.dark_power 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe File renamed C:\Users\Admin\Pictures\DenyProtect.png => C:\Users\Admin\Pictures\DenyProtect.png.dark_power 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe File renamed C:\Users\Admin\Pictures\OpenConnect.raw => C:\Users\Admin\Pictures\OpenConnect.raw.dark_power 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe File renamed C:\Users\Admin\Pictures\StepEdit.tif => C:\Users\Admin\Pictures\StepEdit.tif.dark_power 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe File renamed C:\Users\Admin\Pictures\UnblockOut.raw => C:\Users\Admin\Pictures\UnblockOut.raw.dark_power 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe File renamed C:\Users\Admin\Pictures\StartSet.raw => C:\Users\Admin\Pictures\StartSet.raw.dark_power 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe -
Deletes itself 1 IoCs
pid Process 1092 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1092 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: 33 1760 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1760 AUDIODG.EXE Token: 33 1760 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1760 AUDIODG.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 820 AcroRd32.exe 820 AcroRd32.exe 820 AcroRd32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1092 wrote to memory of 1388 1092 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe 32 PID 1092 wrote to memory of 1388 1092 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe 32 PID 1092 wrote to memory of 1388 1092 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe"C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe"1⤵
- Modifies extensions of user files
- Deletes itself
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1388
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:1316
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5201⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\readme.pdf"1⤵
- Suspicious use of SetWindowsHookEx
PID:820
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\readme.pdf"1⤵PID:300
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\readme.pdf"1⤵PID:428
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\readme.pdf"1⤵PID:1792
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
529KB
MD5e7a1ded35fa8603ad2d8ea413ed70822
SHA18e51bc110584663dc297af70b76173b9a05bb39e
SHA256c14c8e924987138d0ec9c1a99dd5ac728ce102aa5c6b13829ec8d21ddb243f28
SHA512e1122f6bf05dc22ed840ace88a6c3823db98fb05362e5cac3202bd49951593e562d57e3fe7cf05a1dfcf6b34c2e594f999287fb8ed973a3b870cce2a4e9955b4
-
Filesize
529KB
MD5e7a1ded35fa8603ad2d8ea413ed70822
SHA18e51bc110584663dc297af70b76173b9a05bb39e
SHA256c14c8e924987138d0ec9c1a99dd5ac728ce102aa5c6b13829ec8d21ddb243f28
SHA512e1122f6bf05dc22ed840ace88a6c3823db98fb05362e5cac3202bd49951593e562d57e3fe7cf05a1dfcf6b34c2e594f999287fb8ed973a3b870cce2a4e9955b4