0f808fd3ecf9d722aafeee46b57aad4d07f39c98be6f6148be979ed470cf0a99

Resubmissions

27/01/2024, 19:37

240127-yb5pksafd3 10

27/01/2024, 19:36

240127-ybqwesafc2 10

12/05/2021, 15:56

210512-db4t7vmwas 10

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27/01/2024, 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Size

59KB
MD5

3fd9b0117a0e79191859630148dcdc6d
SHA1

cf04fa736baf22a2ca4e67f1c7723f1776267e28
SHA256

27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f
SHA512

c5175720f432c157eb34da92b29a15f1d7cee77240be12289d5cdb52419dd448b2081a579f783fd48d6226d49057eb3e79f38d85d335761089386a621d1419de
SSDEEP

768:vjjmbIax7F3DS4/S9NbnASghx2/ZGNePXPz+3+sT9BmXkY23W58:0x7Fu4/iNbASw2xGNaXrtsp2/Z58

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (187) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\21af4d10.BMP"	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\21af4d10.BMP"	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\WallpaperStyle = "10"	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\21af4d10	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\21af4d10\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\21af4d10.ico"	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.21af4d10	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.21af4d10\ = "21af4d10"	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\21af4d10\DefaultIcon	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Token: SeSecurityPrivilege	2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Token: SeTakeOwnershipPrivilege	2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Token: SeLoadDriverPrivilege	2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Token: SeSystemProfilePrivilege	2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Token: SeSystemtimePrivilege	2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Token: SeProfSingleProcessPrivilege	2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Token: SeIncBasePriorityPrivilege	2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Token: SeCreatePagefilePrivilege	2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Token: SeBackupPrivilege	2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Token: SeRestorePrivilege	2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Token: SeShutdownPrivilege	2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Token: SeDebugPrivilege	2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Token: SeSystemEnvironmentPrivilege	2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Token: SeRemoteShutdownPrivilege	2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Token: SeUndockPrivilege	2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Token: SeManageVolumePrivilege	2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Token: 33	2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Token: 34	2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
Token: 35	2020	27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe

C:\Users\Admin\AppData\Local\Temp\27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe
"C:\Users\Admin\AppData\Local\Temp\27214dcb04310040c38f8d6a65fe03c14b18d4171390da271855fdd02e06768f.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
17KB

MD5
852ad81348de26bb5980a281b2d040e6

SHA1
2e6e7d431c2fd9c59cf3a5b21115da1946bc7587

SHA256
4eda6aee59bc6098643dbc164d29d7fbb0c377349e494c014144c1d1c3afd4e2

SHA512
13d8c8a94e1e7b633d214bbb1f41159f87e878197d002ff452d3f448418bc7052fb322aa7ba4f4263dee4ff374dd0920816b3a7710a7af29a5502c6c4413ac9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
00dfcede93e66b869f9983f1dad60261

SHA1
e5d6162dd717e0b8b1b8390e5ece02c9cd7ac02b

SHA256
fb7f68aa89364143d5d56d8dd0b6f47c84f7b8337ff89b7644dcb4ffdea928cf

SHA512
8dbd41420290ce018a9f1359b6ead95b1408489ddddcf94c5b5f6fb2fcb81f52a7d1457e900c10efb7b92af5fcc06b6cae308444b79dee1421ddc4a890884f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar22A3.tmp

Filesize
31KB

MD5
cd36aecc4562a499de8080616e1c3675

SHA1
861ca9ee569ebd4759a0f7ba7f7796381aa0f72e

SHA256
ac46d26f5f25ed205bd2a8d876b70a6eaaf87361a917f0b3bf75ff9889c1f72b

SHA512
9641b2d4919048ecb72fb39a90fb3ae3d884fd1803f28576be6ded0334638f4dc36328bee0f2ce9ff12517093c19d3df192f1c9db572334c6b9e2b136e0497d9

Download Submit