Analysis
max time kernel: 61s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/03/2023, 17:30
Static task: static1
Behavioral task: behavioral1
  Sample: 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394.exe
  Resource: win10v2004-20230221-en
Behavioral task: behavioral3
  Sample: 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
  Resource: win7-20230220-en
Behavioral task: behavioral4
  Sample: 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
  Resource: win10v2004-20230220-en
General
Target: 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
Size: 1.1MB
MD5: 5e55339ce16c718983c435f51967153b
SHA1: 2e72fe42f572d0ed93ac74063877ff6e4e1fa33d
SHA256: 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389
SHA512: 6b122e6a4e7570c271f47b139ac62280afbb03306a8202dd60fd9775d41d83661e3036ea9aafa1b7ac31df4366ffaeb98910efd2fbd2c334c7ef71ca33e3a081
SSDEEP: 24576:G1/uUXmxZLauIytkH+Yz/nchhH2yvrchhH2y+/0mhwLlz2Ya6sncEPyiZtm:euU2LtenrnchhH2yvrchhH2y+/0mhwL7
Malware Config
Signatures

Modifies extensions of user files (13 IoCs)
Ransomware generally changes the extension on encrypted files.
Process for every entry below: 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
description | ioc
File renamed | C:\Users\Admin\Pictures\UnlockNew.tif => C:\Users\Admin\Pictures\UnlockNew.tif.dark_power
File renamed | C:\Users\Admin\Pictures\DisconnectBackup.tif => C:\Users\Admin\Pictures\DisconnectBackup.tif.dark_power
File renamed | C:\Users\Admin\Pictures\PingTest.tiff => C:\Users\Admin\Pictures\PingTest.tiff.dark_power
File renamed | C:\Users\Admin\Pictures\StopConvert.crw => C:\Users\Admin\Pictures\StopConvert.crw.dark_power
File renamed | C:\Users\Admin\Pictures\SaveOptimize.tiff => C:\Users\Admin\Pictures\SaveOptimize.tiff.dark_power
File opened for modification | C:\Users\Admin\Pictures\UnpublishConfirm.tiff
File opened for modification | C:\Users\Admin\Pictures\OptimizePop.tiff
File renamed | C:\Users\Admin\Pictures\OptimizePop.tiff => C:\Users\Admin\Pictures\OptimizePop.tiff.dark_power
File opened for modification | C:\Users\Admin\Pictures\PingTest.tiff
File opened for modification | C:\Users\Admin\Pictures\SaveOptimize.tiff
File renamed | C:\Users\Admin\Pictures\UnpublishConfirm.tiff => C:\Users\Admin\Pictures\UnpublishConfirm.tiff.dark_power
File opened for modification | C:\Users\Admin\Pictures\CopyUpdate.tiff
File renamed | C:\Users\Admin\Pictures\CopyUpdate.tiff => C:\Users\Admin\Pictures\CopyUpdate.tiff.dark_power

Deletes itself (1 IoC)
pid | Process
4228 | 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious behavior: RenamesItself (1 IoC)
pid | Process
4228 | 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 4228 wrote to memory of 4036 | 4228 | 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | 91
PID 4228 wrote to memory of 4036 | 4228 | 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe | 91
Processes
1. C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389.exe"
   PID: 4228
   - Modifies extensions of user files
   - Deletes itself
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cls
      PID: 4036
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 368KB
MD5: ea36e01b49cf28d5983a9a0248832906
SHA1: a9aa07e277a1ad65b0b57f7336f391bc81a7cc84
SHA256: 086dbf48629378a584486e69147777562f0a7f2acab56ab998ce2f3846b43e2e
SHA512: 33050edf8b47acc269078a99080314baab74e2342c6b33e5ef46db5bbadb0dc86459b0e4be6c07be9fd99991b1bfcf1bec879834acb227cdfbeda041a92441f1