Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    21-02-2024 02:01

General

  • Target

    33c2a1189c2d5716f3e89f9ab0179675.exe

  • Size

    146KB

  • MD5

    33c2a1189c2d5716f3e89f9ab0179675

  • SHA1

    832cbb42ca2d3d772f5fc6836f98bb5b0059ee3b

  • SHA256

    f01909eee3dec5474a5a845deea3f8fb5502ac006f65060a7e945f91c966e266

  • SHA512

    530777cd0805f84b7831b193e8adec637877332b1ecf7005efc960e3fb2f5432b33c44ba758f853f364702e64d781330896fb6fc878314c0de926e547dc18d69

  • SSDEEP

    3072:9FqJogYkcSNm9V7DdOgrDx34Uuv5hQrfT:9Fq2kc4m9tDsIDx31d

Malware Config

Extracted

Path

C:\7fpKwvu5x.README.txt

Ransom Note
!!! ALL YOUR FILES ARE ENCRYPTED!!! All your files, documents, photos, databases and other important files are encrypted. The only way to recover your files is to use a decryptor. To get the decryptor, write to us by mail or telegram, specify the ID of the encrypted files in the letter: Email: [email protected] Telegram: https://t.me/bit_decryptor Warning. * Do not rename encrypted files. * Do not attempt to decrypt data using third party software as this may result in permanent data loss. * Do not contact other people, only we can help you and recover your data. Your personal decryption ID: 6D5636AB1EC8D8A257DEEB38DE03637A
URLs

https://t.me/bit_decryptor

Signatures

  • Renames multiple (330) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe
    "C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\ProgramData\21A4.tmp
      "C:\ProgramData\21A4.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1412
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\21A4.tmp >> NUL
        3⤵
          PID:1652
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x14c
      1⤵
        PID:2292

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini

        Filesize

        129B

        MD5

        93036b5f41d68246c7067613fd4a3ad7

        SHA1

        65c94c0b9bc76d0ebbb4f0bbbb18b02072cab309

        SHA256

        01610aee0e25177e757231fb0c2b31d1b440319d822f6ffe4475f2cf236bd8cf

        SHA512

        30a803f3ca9ef2708908ac9eb372cf35957d56217fdae84cd2629995f4ceb75d98c6a14d98b2217350fbe359485ca9b553eaf5a91ac142da8cd155de3a85a5f0

      • C:\7fpKwvu5x.README.txt

        Filesize

        659B

        MD5

        9a93bdac5989317ace2a796b8d273381

        SHA1

        9e3200d5d2a79004d062bd88c06e7742ab1474ce

        SHA256

        d5eb3f426eb64d366e9f17f1142b0289ae1550b19ddb9c5e5463472350aa2e4a

        SHA512

        4ccb42c9b7d60640ed083d096108856eaa88106a0b2af622b3e88cc85a9c57c4ca3e1f7579a42261b73e4045c811a28bb7412009e046ad267facfbc8312e2431

      • C:\ProgramData\21A4.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

        Filesize

        146KB

        MD5

        c06fe06d04ffd2a50e6ca3eb05d5b7d4

        SHA1

        2f16c6cbcc43a98937e8bab3c7d2a8559858f99d

        SHA256

        12a6f2f6c14a9c33b077ec5cba8db0cd022a4c787673cb0d42ba0e8fcdfea575

        SHA512

        1a902ba68525fdd668d6d0145d5747a724bd37a2949cf4bcf1ea4b0c085ffbf3d2796959eb80df371e6a3bbe4453cd7f61ea2e69504f5d1960ff5277901b8d77

      • F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\DDDDDDDDDDD

        Filesize

        129B

        MD5

        73e7af74de8ff6a902ed34152be76ae4

        SHA1

        0d244ed7abefe89f7d35394100ae30547367f355

        SHA256

        87bdd48bd60515daf134d696585b041a1c6099c916cd20bca4ece1f0817bcd0e

        SHA512

        4616979294a83c606cd6be45a4f388679fe3f48c26c26c70f18307b575d1b80fb392febc0076896835f0bfc065a179691d888a1da0f86e5790fd2914e8076c25

      • memory/1412-853-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

        Filesize

        4KB

      • memory/1412-854-0x0000000002240000-0x0000000002280000-memory.dmp

        Filesize

        256KB

      • memory/1412-860-0x000000007EF80000-0x000000007EF81000-memory.dmp

        Filesize

        4KB

      • memory/1412-862-0x000000007EF20000-0x000000007EF21000-memory.dmp

        Filesize

        4KB

      • memory/1412-885-0x000000007EF40000-0x000000007EF41000-memory.dmp

        Filesize

        4KB

      • memory/1412-886-0x000000007EF60000-0x000000007EF61000-memory.dmp

        Filesize

        4KB

      • memory/2924-0-0x0000000000DE0000-0x0000000000E20000-memory.dmp

        Filesize

        256KB