5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7

Analysis

max time kernel
138s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2023 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
Size

4.4MB
MD5

0985085ac2b5c9f2c64d3603e0dc23b6
SHA1

236af16ac472f6bcd9c6d56b5c270a7527059f21
SHA256

5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7
SHA512

d5422987d369673373dbadbf1c5e559135b1f6f6e6f7f5144ba73371d045c4b160ac869e6489a76e550a59b522ad563e831fca09717aee3e35a5d8a599c3922c
SSDEEP

49152:t5L1XVcPYu8kgVwGv5rsa/uCPJnwC9GG5YbtRqRsV5lDbKfDyqSvC9+7WQ3WLFnp:t5L4Yu8kVGhrsaG2nw+f+q//Kp/LK

Score

9^/10

evasion ransomware spyware stealer

Malware Config

Signatures

Renames multiple (1481) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe

Disables Task Manager via registry modification
evasion
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 25 IoCs

Processes:

5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Public\Downloads\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Public\Videos\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Admin\3D Objects\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Admin\Documents\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Public\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Public\AccountPictures\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Admin\Music\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Public\Desktop\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Public\Documents\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Public\Libraries\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Public\Pictures\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Admin\Desktop\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Public\Music\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
File created	C:\Users\Admin\Downloads\desktop.ini	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2972 3460 WerFault.exe 5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe

pid	pid_target	process	target process
2972	3460	WerFault.exe	5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe

C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
"C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe"
1⤵
- Disables RegEdit via registry modification
- Drops desktop.ini file(s)
PID:3460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 1008
  2⤵
  - Program crash
  PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3460 -ip 3460
1⤵
PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USStmp.jtx

Filesize
3.0MB

MD5
be68c73fc38ef64bc4b7adfc816c09f9

SHA1
b1894759e94bb014be9001fb6a2aa56fb8644e74

SHA256
8f851c346f8b84be97b3e3e7e7261ab2854168394737b30a9316c4f3775618bf

SHA512
cb389a74d71923437b110d1dba416d698399eb8e698d776b28b78bb411430fb0b3c0921c077d8680e142cd94ae30f8b397d7c3337a0127a87f8ddbffb7a65ba3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG

Filesize
16B

MD5
3251d405785846dd5e1ccb19a7bc62e5

SHA1
dc9d5d7e7e4eb51748189a47a73826d3e7f4f3cc

SHA256
70cf33b7546a38a6733bd31accf3e1b5e5dca85d9bae6eaa16618403747e1647

SHA512
4a851af3f27b4c01cdd8699c5d6c89ac1b05c4ad746dda9e7a3f6dd3ac1ede4ad5f14c1efe40489fb7e57cd4e1878efa20c78591a9542255b956fd9c4bb7abfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT

Filesize
32B

MD5
5cb66b04faf38b9f3fb4dd3cf4dc9a53

SHA1
ca91671fdbb84220447f0d61a186c8d89eabe779

SHA256
5123a7d4133ffea9ec8f668421e7a024a70b2ae63fa864cf80b8f1487fb1522c

SHA512
ec0c5c12157119358721607b17addce381722de21aeecf1de72a765a3872a496aa540311c2f0ec9c1b1fd07533f58e75173bddeb3ecbe8ece7a1e37e6e51e446

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001

Filesize
48B

MD5
94ee23444499fd9c687d1c7f6ad51b7c

SHA1
1663e0e6316a4a7ea3b4adfa16b3f2a648c45e2c

SHA256
f7619d8bc06fb7d9119bdee640e7092536e3c6f2e9dfc329cdb275060d9c707a

SHA512
fc60c600c52d299b79c18135ad1571664be0e4406b5a8eec0b264c3196eb3681292faa3e2296d8976bb8a5f9686e1db3bbf4d7e88fc0d636e05bcc7d148909be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2

Filesize
8KB

MD5
ecad63cd99ae6bb3afd9a68ade67f22c

SHA1
37bb0dc258cefbd78a2a2dc2231eef9475cfe33a

SHA256
db53b66f705a2c62198ba3b7905a3b6dcb4eecb6a11cd9972b1219fac01c3e2d

SHA512
33b1ae732f7354977c0cd23c94f88b6f85cb3e7ccc5291c780885eaf116e95245b8eb5e5dae3f3dd953c336893348bfb09c700f2613d0312b4e1be72fe0a51c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index

Filesize
32B

MD5
85f75126d5d4ea64ac4fe33935914fcd

SHA1
8f089645fd181336617135d408740b8cb47d51b0

SHA256
06f7e824d77e98b4356c6d31eeae730f593ef7bc0c13499e48f54dfbad43efad

SHA512
3165d4eaa93dbf7855c8ddf48d97fc3acf462f0fc84aecaa7a42bd10f63984f7f8384dd22091468066859c0993bf06403a59aa09081b4582bea49eecf592e255

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_0

Filesize
8KB

MD5
8c7c3168bf73e9c2be08688e29168c5d

SHA1
3165515141c47d5a5d73eefca498daf83d9eaeff

SHA256
e0304ef4174ce08a0640ef3781df86208a13fb3a943c1a7fe8ee8ed5a61b796b

SHA512
60705fbbaaa103ca4b4b3e2e97d2d28d67cc795e1ea2d127cf13a5decc386548e6f127024b49c9cad79a20fc927796e6dcfbdbf05b44ccee3f7c258de986f75f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_1

Filesize
264KB

MD5
1c52c95924dea0076d6585f2bffd834a

SHA1
c881799ce4bc1d9f7ab095eaeb25166c618350f5

SHA256
d94ca395cd274947a8b0593d33008bb72087825d3b911b54e9685b58666c8053

SHA512
55db4292cb6ce7f0115abc26671d65ea6bca065434b156d132f8f8e572f030aee9ed8fd15362e50a07d7d8efb4b3cfe9b0fdae713845fcb62b28115964cc7968

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_3

Filesize
8KB

MD5
ab2b0734b510f7ebd52abc0f9e24d792

SHA1
89d339f9ac9bdaafbb2be5a1be900ba21fa8062f

SHA256
8958f018c3a7a6b2e330bd4a7dd8f158de0aeb2db60ee0c4fef504242c05698d

SHA512
720e21456884b3d66d248c5620adf202ce88bf4a06b4284ddc765b79d9c36cdf3b2b05f4acec8f23808a48fe85be55b6ee585ee72496474a1643f43a32efd0d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

Filesize
329KB

MD5
2a87b7b1145cd44d7ead26a791779ad9

SHA1
fd5299f3dc08021f86046e7e47de30a6c9a91e29

SHA256
31b03708fa443134a29fc36976b02d72300f2f23b07d8eca00240b04fbbddeab

SHA512
4cbece9757e869d354836ecaa30b9900a9d28a02607e89f65689c1f8d6cd8ca2a39861c084236ffb7f6f822add810b44380da3d162f7552385e2c836d6563967

Download Submit
C:\Users\Admin\Desktop\Pay2Decrypt5.txt

Filesize
568B

MD5
e33e276ab1c537935a9877dce15067b7

SHA1
763df7feef8c38e0bd92faceccec4433ee354a3b

SHA256
d4793dd96db466ce43966b2466bccb8c97eea15425a66d5085bed66557676bee

SHA512
d4c3dde842cc57d3a927f35d282d2856d43e36415c96c5fe5db7bff03e8eedbc214819a6a556b09a8b61e07b0385b4ea7eef4c131f6f9b3d59b796e18ae5baf9

Download Submit