f4d054949f5c075827e9e9d1ad82231adc9f0af9e64637927e967ffddf1116cc

Analysis

max time kernel
91s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
31/03/2023, 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Test.exe
Size

563KB
MD5

fb8898216510c6af50a7aa81e23c35cb
SHA1

41d42f120ba66bc69efb3a2e1af47e197242f3a2
SHA256

c3f3659442a27afa1a9e8cbc18479f9c88e209b0429b30b695085746f1edb39e
SHA512

bd91d17213daa08918998e1352893cf94e36e1c2d7e6008b59c71bbdcbd7b7b58c1c8accc7b561c0e9421c0fe133fa3af131bc2f9ccbc411c38a7c4680851402
SSDEEP

12288:jXLRoysOFO0XmyVNpCwSnDTWm2kqvqSfyqMFIoiBrRR0GPJT1QxC:jXLRhFC8m2v5GIoiVRRnuxC

Score

10^/10

persistence ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Low\!_INFO.txt

Ransom Note

WARNING! YOUR FILES ARE ENCRYPTED! Don’t worry, your files are safe, provided that you are willing to pay the ransom. Any forced shutdown or attempts to restore your files with the thrid-party software will be damage your files permanently! Do not rename your files. It will damage it. The only way to decrypt your files safely is to buy the special decryption software from us. Before paying you can send us up to 2 files for free decryption as guarantee. No database files for test. Send pictures, text, doc files. (files no more than 1mb) You can contact us with the following email [email protected] [email protected] Send us this ID or this file in first email ID: AofaYFgwqL47fiBUHhw1VRNqJ3afpMuBUVzfVr+0/Ww=:b169ebacc1fdf8cb1c9ed4d8f083b48dc29218ea8c94090465563c3d36c3600f

Emails

[email protected]

Signatures

Modifies extensions of user files 16 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\UnregisterComplete.tiff => C:\Users\Admin\Pictures\UnregisterComplete.tiff.360	Test.exe
File renamed	C:\Users\Admin\Pictures\AddUninstall.raw => C:\Users\Admin\Pictures\AddUninstall.raw.360	Test.exe
File renamed	C:\Users\Admin\Pictures\MeasureGrant.raw => C:\Users\Admin\Pictures\MeasureGrant.raw.360	Test.exe
File opened for modification	C:\Users\Admin\Pictures\RestoreExit.tiff.360	Test.exe
File renamed	C:\Users\Admin\Pictures\UnprotectClose.raw => C:\Users\Admin\Pictures\UnprotectClose.raw.360	Test.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectClose.raw.360	Test.exe
File opened for modification	C:\Users\Admin\Pictures\UnregisterComplete.tiff.360	Test.exe
File opened for modification	C:\Users\Admin\Pictures\AddUninstall.raw.360	Test.exe
File opened for modification	C:\Users\Admin\Pictures\ApproveNew.png.360	Test.exe
File renamed	C:\Users\Admin\Pictures\GetAssert.tif => C:\Users\Admin\Pictures\GetAssert.tif.360	Test.exe
File renamed	C:\Users\Admin\Pictures\ApproveNew.png => C:\Users\Admin\Pictures\ApproveNew.png.360	Test.exe
File renamed	C:\Users\Admin\Pictures\ConfirmRead.tiff => C:\Users\Admin\Pictures\ConfirmRead.tiff.360	Test.exe
File opened for modification	C:\Users\Admin\Pictures\ConfirmRead.tiff.360	Test.exe
File opened for modification	C:\Users\Admin\Pictures\GetAssert.tif.360	Test.exe
File opened for modification	C:\Users\Admin\Pictures\MeasureGrant.raw.360	Test.exe
File renamed	C:\Users\Admin\Pictures\RestoreExit.tiff => C:\Users\Admin\Pictures\RestoreExit.tiff.360	Test.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/836-334-0x00000000011F0000-0x0000000001387000-memory.dmp	upx
behavioral1/memory/836-1631-0x00000000011F0000-0x0000000001387000-memory.dmp	upx
behavioral1/memory/836-1651-0x00000000011F0000-0x0000000001387000-memory.dmp	upx
behavioral1/memory/836-1657-0x00000000011F0000-0x0000000001387000-memory.dmp	upx
behavioral1/memory/836-2988-0x00000000011F0000-0x0000000001387000-memory.dmp	upx
behavioral1/memory/836-5127-0x00000000011F0000-0x0000000001387000-memory.dmp	upx
behavioral1/memory/836-8270-0x00000000011F0000-0x0000000001387000-memory.dmp	upx
behavioral1/memory/836-10443-0x00000000011F0000-0x0000000001387000-memory.dmp	upx
behavioral1/memory/836-12054-0x00000000011F0000-0x0000000001387000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Test.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e075e974dbe5337acff06c176e5fd387015fe485a357a6b4f89f9910931c63bc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Test.exe\" b169ebacc1fdf8cb1c9ed4d8f083b48dc29218ea8c94090465563c3d36c3600f"	Test.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run	Test.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\e075e974dbe5337acff06c176e5fd387015fe485a357a6b4f89f9910931c63bc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Test.exe\" b169ebacc1fdf8cb1c9ed4d8f083b48dc29218ea8c94090465563c3d36c3600f"	Test.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\HEADER.GIF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\TAB_OFF.GIF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00218_.WMF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT.360	Test.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\!_INFO.txt	Test.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IT.XML.360	Test.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02298_.WMF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Flow.eftx.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21322_.GIF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01630_.WMF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02617_.WMF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02097_.GIF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_F_COL.HXK.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\__lock_XXX__	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\button.gif.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL012.XML.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15276_.GIF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR5F.GIF.360	Test.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\!_INFO.txt	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Concourse.thmx.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_COL.HXC.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_center.gif.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD98SP.POC.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00985_.WMF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00068_.WMF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00798_.WMF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02417_.WMF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\RELAY.CER.360	Test.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\__lock_XXX__	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281640.WMF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_08.MID.360	Test.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\!_INFO.txt	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR12F.GIF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239057.WMF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImages.jpg.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.JP.XML.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGAD.XML.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195248.WMF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Pushpin.eftx.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18203_.WMF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL078.XML.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGNAVBAR.DPV.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD11.POC.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01805_.WMF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18250_.WMF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\VIEW.ICO.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.360	Test.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\!_INFO.txt	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\__lock_XXX__	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_decreaseindent.gif.360	Test.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\__lock_XXX__	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00382_.WMF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00231_.WMF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14583_.GIF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_COL.HXC.360	Test.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\__lock_XXX__	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00965_.WMF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099175.WMF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318448.WMF.360	Test.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EADOCUMENTAPPROVAL_INIT.XSN.360	Test.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
836	Test.exe
836	Test.exe
836	Test.exe
836	Test.exe
836	Test.exe
836	Test.exe
836	Test.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1588	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Test.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:836

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!_INFO.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1171276415\__lock_XXX__

Filesize
176B

MD5
0fe574c7aaf126977323a73183012fa8

SHA1
138fcba62dc8902129d0c3b7396d2473fff29a28

SHA256
8e24af35368534edf3b55de27c9720493f0d308a5b0bdb65cafdaaee046e1631

SHA512
e732c977fc43fcaa63e4b2b841670af0d6559161a9f4b029d5b93a45c3a06f08370e232c9097c147d42af8e01a0cc829a7d51c6f5500d63f4a470039e2b58377

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\!_INFO.txt

Filesize
810B

MD5
022853382d3ae1aa270f0b1d180576e1

SHA1
ce52abfa258f53bef2947c1706f1e7777e11b4f2

SHA256
ba2ed3168905ea029f913b63d30f38afc2813ec08c744c6f164ee01ad4e9e38d

SHA512
87801a6db330981d1172ed66cda9a16bc05729614ecc826f334bb67e82dd399bc8c7f361ce52a973d8290588cffb6a9b88948132aa9a942761bfbb8944753228

Download Submit
C:\Users\Admin\Desktop\!_INFO.txt

Filesize
810B

MD5
022853382d3ae1aa270f0b1d180576e1

SHA1
ce52abfa258f53bef2947c1706f1e7777e11b4f2

SHA256
ba2ed3168905ea029f913b63d30f38afc2813ec08c744c6f164ee01ad4e9e38d

SHA512
87801a6db330981d1172ed66cda9a16bc05729614ecc826f334bb67e82dd399bc8c7f361ce52a973d8290588cffb6a9b88948132aa9a942761bfbb8944753228

Download Submit
memory/836-334-0x00000000011F0000-0x0000000001387000-memory.dmp

Filesize
1.6MB

Download
memory/836-1631-0x00000000011F0000-0x0000000001387000-memory.dmp

Filesize
1.6MB

Download
memory/836-1651-0x00000000011F0000-0x0000000001387000-memory.dmp

Filesize
1.6MB

Download
memory/836-1657-0x00000000011F0000-0x0000000001387000-memory.dmp

Filesize
1.6MB

Download
memory/836-2988-0x00000000011F0000-0x0000000001387000-memory.dmp

Filesize
1.6MB

Download
memory/836-5127-0x00000000011F0000-0x0000000001387000-memory.dmp

Filesize
1.6MB

Download
memory/836-8270-0x00000000011F0000-0x0000000001387000-memory.dmp

Filesize
1.6MB

Download
memory/836-10443-0x00000000011F0000-0x0000000001387000-memory.dmp

Filesize
1.6MB

Download
memory/836-12054-0x00000000011F0000-0x0000000001387000-memory.dmp

Filesize
1.6MB

Download