hxxp://www[.]coopsantodomingo[.]com/wp-content/uploads/2023/MDTlmmACMtoTgAwcewt233[.]bin

Resubmissions

01/01/2024, 20:41

240101-zgwvasacdl 1

31/12/2023, 01:27

30/12/2023, 18:44

29/12/2023, 19:32

19/12/2023, 06:04

19/12/2023, 05:54

Analysis

max time kernel
299s
max time network
249s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2023, 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.coopsantodomingo.com/wp-content/uploads/2023/MDTlmmACMtoTgAwcewt233.bin

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133474388932816787"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4972	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
764	chrome.exe
764	chrome.exe
2368	chrome.exe
2368	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3716	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
764	chrome.exe
764	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe
Token: SeShutdownPrivilege	764	chrome.exe
Token: SeCreatePagefilePrivilege	764	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
3084	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe
764	chrome.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
3716	OpenWith.exe
3716	OpenWith.exe
3716	OpenWith.exe
3716	OpenWith.exe
3716	OpenWith.exe
3716	OpenWith.exe
3716	OpenWith.exe
3716	OpenWith.exe
3716	OpenWith.exe
3716	OpenWith.exe
3716	OpenWith.exe
3716	OpenWith.exe
3716	OpenWith.exe
3716	OpenWith.exe
3716	OpenWith.exe
3716	OpenWith.exe
3716	OpenWith.exe
3716	OpenWith.exe
3716	OpenWith.exe
3716	OpenWith.exe
3716	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 952	764	chrome.exe	87
PID 764 wrote to memory of 952	764	chrome.exe	87
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 2904	764	chrome.exe	89
PID 764 wrote to memory of 3980	764	chrome.exe	91
PID 764 wrote to memory of 3980	764	chrome.exe	91
PID 764 wrote to memory of 2884	764	chrome.exe	90
PID 764 wrote to memory of 2884	764	chrome.exe	90
PID 764 wrote to memory of 2884	764	chrome.exe	90
PID 764 wrote to memory of 2884	764	chrome.exe	90
PID 764 wrote to memory of 2884	764	chrome.exe	90
PID 764 wrote to memory of 2884	764	chrome.exe	90
PID 764 wrote to memory of 2884	764	chrome.exe	90
PID 764 wrote to memory of 2884	764	chrome.exe	90
PID 764 wrote to memory of 2884	764	chrome.exe	90
PID 764 wrote to memory of 2884	764	chrome.exe	90
PID 764 wrote to memory of 2884	764	chrome.exe	90
PID 764 wrote to memory of 2884	764	chrome.exe	90
PID 764 wrote to memory of 2884	764	chrome.exe	90
PID 764 wrote to memory of 2884	764	chrome.exe	90
PID 764 wrote to memory of 2884	764	chrome.exe	90
PID 764 wrote to memory of 2884	764	chrome.exe	90
PID 764 wrote to memory of 2884	764	chrome.exe	90
PID 764 wrote to memory of 2884	764	chrome.exe	90
PID 764 wrote to memory of 2884	764	chrome.exe	90
PID 764 wrote to memory of 2884	764	chrome.exe	90
PID 764 wrote to memory of 2884	764	chrome.exe	90
PID 764 wrote to memory of 2884	764	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://www.coopsantodomingo.com/wp-content/uploads/2023/MDTlmmACMtoTgAwcewt233.bin
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc1de79758,0x7ffc1de79768,0x7ffc1de79778
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=276 --field-trial-handle=1808,i,14425750036221882146,5266888567994689780,131072 /prefetch:2
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1808,i,14425750036221882146,5266888567994689780,131072 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1736 --field-trial-handle=1808,i,14425750036221882146,5266888567994689780,131072 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1808,i,14425750036221882146,5266888567994689780,131072 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1808,i,14425750036221882146,5266888567994689780,131072 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1808,i,14425750036221882146,5266888567994689780,131072 /prefetch:8
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 --field-trial-handle=1808,i,14425750036221882146,5266888567994689780,131072 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=1808,i,14425750036221882146,5266888567994689780,131072 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4408 --field-trial-handle=1808,i,14425750036221882146,5266888567994689780,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2368

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3180

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:748

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3716
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\MDTlmmACMtoTgAwcewt233.bin
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4972

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MDTlmmACMtoTgAwcewt233\" -spe -an -ai#7zMap27001:106:7zEvent3416
1⤵
- Suspicious use of FindShellTrayWindow
PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
163ef7b5623b4abf447795c6942736bb

SHA1
207a2acd70b5b5758a464111a2c8502ee8abbe1e

SHA256
918836f900123bef804ed8a3b138af6e354e5014ac256c8eb0b9ba3b29d9d787

SHA512
6abdfa340daf5f560d4fed7279b3a1a47b25be892c6279874015c1429471cecc8d7b5da825c1abf03d0b2201aa884a2506d7e1a4a9e4cb697be7a00677a966f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
903efc7f4c22125294bcbdf33fa47c8a

SHA1
16039d9996401f847dd6ee9fb1fd84bc8026562e

SHA256
ea64150d39349e236b04ea0eba2dea2f8545c626834c982967badb9f0bee124a

SHA512
90076a8e7a63c80c1fe34c0b55284502aeb87a1196eaf721398b4c6a7059869f83be582d11aa687b4686f4cf4831d644f32283ade82af6e4f5ec877d5e1fd43e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
1423519c8dea3f5a5d30bc43f10abe83

SHA1
12c2e8bf79f0bcd7dec947ba3fd2a3bab8030c47

SHA256
6e87995c278e65079685dc9c0448df78c64198ed0f018b3687404baa20a8699b

SHA512
eb7d3c8836fa2b95c9bb9dc3a3a18868d73e52ba220c160045e7e7fafe67692d6891336fe3a692a1d8426da022d09370a8d63cd4bdc11d8787d65855ea5776b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\MDTlmmACMtoTgAwcewt233.bin.crdownload

Filesize
240KB

MD5
faa2c3d1b2487aad5a70f2d8e755cb3d

SHA1
f858420103305f3ffa8cd3447aa69e253c7f364b

SHA256
4c53d4b424851b03ee9178d45fbb79047cc71d183ce0b6c878d5eb896fe32834

SHA512
a91ef4314e58b738f666812cf0355d029c591986b26aa9907b9bce2b8b00aef0ff5d8f212af8474e22ce6141673efcb33f7363f3d6f27f2bb15c866405077ea8

Download Submit