Analysis
-
max time kernel
91s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
31-03-2023 17:35
General
-
Target
Test.exe
-
Size
563KB
-
MD5
fb8898216510c6af50a7aa81e23c35cb
-
SHA1
41d42f120ba66bc69efb3a2e1af47e197242f3a2
-
SHA256
c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e
-
SHA512
bd91d17213daa08918998e1352893cf94e36e1c2d7e6008b59c71bbdcbd7b7b58c1c8accc7b561c0e9421c0fe133fa3af131bc2f9ccbc411c38a7c4680851402
-
SSDEEP
12288:jXLRoysOFO0XmyVNpCwSnDTWm2kqvqSfyqMFIoiBrRR0GPJT1QxC:jXLRhFC8m2v5GIoiVRRnuxC
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\Low\!_INFO.txt
360recover@gmail.com
360support@cock.li
Signatures
-
Modifies extensions of user files 16 IoCs
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Test.exe"C:\Users\Admin\AppData\Local\Temp\Test.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!_INFO.txt1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1171276415\__lock_XXX__Filesize
176B
MD50fe574c7aaf126977323a73183012fa8
SHA1138fcba62dc8902129d0c3b7396d2473fff29a28
SHA2568e24af35368534edf3b55de27c9720493f0d308a5b0bdb65cafdaaee046e1631
SHA512e732c977fc43fcaa63e4b2b841670af0d6559161a9f4b029d5b93a45c3a06f08370e232c9097c147d42af8e01a0cc829a7d51c6f5500d63f4a470039e2b58377
-
C:\Users\Admin\AppData\Local\Temp\Low\!_INFO.txtFilesize
810B
MD5022853382d3ae1aa270f0b1d180576e1
SHA1ce52abfa258f53bef2947c1706f1e7777e11b4f2
SHA256ba2ed3168905ea029f913b63d30f38afc2813ec08c744c6f164ee01ad4e9e38d
SHA51287801a6db330981d1172ed66cda9a16bc05729614ecc826f334bb67e82dd399bc8c7f361ce52a973d8290588cffb6a9b88948132aa9a942761bfbb8944753228
-
C:\Users\Admin\Desktop\!_INFO.txtFilesize
810B
MD5022853382d3ae1aa270f0b1d180576e1
SHA1ce52abfa258f53bef2947c1706f1e7777e11b4f2
SHA256ba2ed3168905ea029f913b63d30f38afc2813ec08c744c6f164ee01ad4e9e38d
SHA51287801a6db330981d1172ed66cda9a16bc05729614ecc826f334bb67e82dd399bc8c7f361ce52a973d8290588cffb6a9b88948132aa9a942761bfbb8944753228
-
memory/836-334-0x00000000011F0000-0x0000000001387000-memory.dmpFilesize
1.6MB
-
memory/836-1631-0x00000000011F0000-0x0000000001387000-memory.dmpFilesize
1.6MB
-
memory/836-1651-0x00000000011F0000-0x0000000001387000-memory.dmpFilesize
1.6MB
-
memory/836-1657-0x00000000011F0000-0x0000000001387000-memory.dmpFilesize
1.6MB
-
memory/836-2988-0x00000000011F0000-0x0000000001387000-memory.dmpFilesize
1.6MB
-
memory/836-5127-0x00000000011F0000-0x0000000001387000-memory.dmpFilesize
1.6MB
-
memory/836-8270-0x00000000011F0000-0x0000000001387000-memory.dmpFilesize
1.6MB
-
memory/836-10443-0x00000000011F0000-0x0000000001387000-memory.dmpFilesize
1.6MB
-
memory/836-12054-0x00000000011F0000-0x0000000001387000-memory.dmpFilesize
1.6MB