Analysis
-
max time kernel
169s -
max time network
205s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
31/03/2023, 17:30
Static task
static1
Behavioral task
behavioral1
Sample
11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe
Resource
win10v2004-20230221-en
Behavioral task
behavioral3
Sample
33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
Resource
win10v2004-20230220-en
General
-
Target
11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe
-
Size
1.3MB
-
MD5
df134a54ae5dca7963e49d97dd104660
-
SHA1
9bddcce91756469051f2385ef36ba8171d99686d
-
SHA256
11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394
-
SHA512
9046be2d1af55141001c8f35b06af2607a329e3b4d97253972362ef4ffb61106be3bf6701cbcc36f1a39028c9f17d19b414f6ee63bc34e4622a5833752a17914
-
SSDEEP
24576:fsspRa70Hm5QQF0fTOOqs60utA+islfs/DHEj3TBi0mhwLlz2Ya60xchhH2yP1DF:f7W707QEpq3u+PkDHEj3TBi0mhwLlz2q
Malware Config
Signatures
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\ExportRepair.png => C:\Users\Admin\Pictures\ExportRepair.png.dark_power 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe File renamed C:\Users\Admin\Pictures\DebugClose.tif => C:\Users\Admin\Pictures\DebugClose.tif.dark_power 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1636 wrote to memory of 212 1636 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe 80 PID 1636 wrote to memory of 212 1636 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe"C:\Users\Admin\AppData\Local\Temp\11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe"1⤵
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:212
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
529KB
MD5e7a1ded35fa8603ad2d8ea413ed70822
SHA18e51bc110584663dc297af70b76173b9a05bb39e
SHA256c14c8e924987138d0ec9c1a99dd5ac728ce102aa5c6b13829ec8d21ddb243f28
SHA512e1122f6bf05dc22ed840ace88a6c3823db98fb05362e5cac3202bd49951593e562d57e3fe7cf05a1dfcf6b34c2e594f999287fb8ed973a3b870cce2a4e9955b4