Analysis
-
max time kernel
44s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system -
submitted
31/03/2023, 17:30
Static task
static1
Behavioral task
behavioral1
Sample
11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe
Resource
win10v2004-20230221-en
Behavioral task
behavioral3
Sample
33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
Resource
win10v2004-20230220-en
General
-
Target
33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
-
Size
1.1MB
-
MD5
5e55339ce16c718983c435f51967153b
-
SHA1
2e72fe42f572d0ed93ac74063877ff6e4e1fa33d
-
SHA256
33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389
-
SHA512
6b122e6a4e7570c271f47b139ac62280afbb03306a8202dd60fd9775d41d83661e3036ea9aafa1b7ac31df4366ffaeb98910efd2fbd2c334c7ef71ca33e3a081
-
SSDEEP
24576:G1/uUXmxZLauIytkH+Yz/nchhH2yvrchhH2y+/0mhwLlz2Ya6sncEPyiZtm:euU2LtenrnchhH2yvrchhH2y+/0mhwL7
Malware Config
Signatures
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\BlockImport.tiff | 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
File renamed | C:\Users\Admin\Pictures\BlockImport.tiff => C:\Users\Admin\Pictures\BlockImport.tiff.dark_power | 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
File renamed | C:\Users\Admin\Pictures\MoveRepair.png => C:\Users\Admin\Pictures\MoveRepair.png.dark_power | 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
File renamed | C:\Users\Admin\Pictures\SkipDisable.tiff => C:\Users\Admin\Pictures\SkipDisable.tiff.dark_power | 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
File renamed | C:\Users\Admin\Pictures\SearchMount.tif => C:\Users\Admin\Pictures\SearchMount.tif.dark_power | 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
File renamed | C:\Users\Admin\Pictures\BlockSearch.tif => C:\Users\Admin\Pictures\BlockSearch.tif.dark_power | 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
File renamed | C:\Users\Admin\Pictures\ConfirmSend.raw => C:\Users\Admin\Pictures\ConfirmSend.raw.dark_power | 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
File opened for modification | C:\Users\Admin\Pictures\SkipDisable.tiff | 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
File renamed | C:\Users\Admin\Pictures\ConnectSave.crw => C:\Users\Admin\Pictures\ConnectSave.crw.dark_power | 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
-
Deletes itself 1 IoCs
pid | Process
1744 | 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: RenamesItself 1 IoCs
pid | Process
1744 | 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 1744 wrote to memory of 1532 | 1744 | 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | 30
PID 1744 wrote to memory of 1532 | 1744 | 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | 30
PID 1744 wrote to memory of 1532 | 1744 | 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
"C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe"
- Modifies extensions of user files
- Deletes itself
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1744
-
  C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  PID:1532
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
368KB
MD5
ea36e01b49cf28d5983a9a0248832906
SHA1
a9aa07e277a1ad65b0b57f7336f391bc81a7cc84
SHA256
086dbf48629378a584486e69147777562f0a7f2acab56ab998ce2f3846b43e2e
SHA512
33050edf8b47acc269078a99080314baab74e2342c6b33e5ef46db5bbadb0dc86459b0e4be6c07be9fd99991b1bfcf1bec879834acb227cdfbeda041a92441f1