Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 21-02-2024 02:01
Behavioral task behavioral1
- Sample: 33c2a1189c2d5716f3e89f9ab0179675.exe
- Resource: win7-20240220-en
Behavioral task behavioral2
- Sample: 33c2a1189c2d5716f3e89f9ab0179675.exe
- Resource: win10v2004-20231215-en
General
- Target: 33c2a1189c2d5716f3e89f9ab0179675.exe
- Size: 146KB
- MD5: 33c2a1189c2d5716f3e89f9ab0179675
- SHA1: 832cbb42ca2d3d772f5fc6836f98bb5b0059ee3b
- SHA256: f01909eee3dec5474a5a845deea3f8fb5502ac006f65060a7e945f91c966e266
- SHA512: 530777cd0805f84b7831b193e8adec637877332b1ecf7005efc960e3fb2f5432b33c44ba758f853f364702e64d781330896fb6fc878314c0de926e547dc18d69
- SSDEEP: 3072:9FqJogYkcSNm9V7DdOgrDx34Uuv5hQrfT:9Fq2kc4m9tDsIDx31d
Malware Config
Extracted
- C:\7fpKwvu5x.README.txt
- https://t.me/bit_decryptor
Signatures
- Renames multiple (330) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Deletes itself (1 IoC)
  Process: 21A4.tmp (PID 1412)
- Executes dropped EXE (1 IoC)
  Process: 21A4.tmp (PID 1412)
- Loads dropped DLL (1 IoC)
  Process: 33c2a1189c2d5716f3e89f9ab0179675.exe (PID 2924)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini by 33c2a1189c2d5716f3e89f9ab0179675.exe
  File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini by 33c2a1189c2d5716f3e89f9ab0179675.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Process: 21A4.tmp (PID 1412)
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Process: 33c2a1189c2d5716f3e89f9ab0179675.exe (PID 2924), all 12 entries
- Suspicious behavior: RenamesItself (26 IoCs)
  Process: 21A4.tmp (PID 1412), all 26 entries
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Process: 33c2a1189c2d5716f3e89f9ab0179675.exe (PID 2924), all 64 entries.
  Token privileges adjusted, in order of first appearance: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, then SeDebugPrivilege once more, followed by 48 entries that alternate in pairs between SeBackupPrivilege and SeSecurityPrivilege (SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, repeated 12 times). The two entries 36 and 33 appear in the report as numeric values only.
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2924 (33c2a1189c2d5716f3e89f9ab0179675.exe) wrote to memory of PID 1412 (procid_target 30): 5 entries
  PID 1412 (21A4.tmp) wrote to memory of PID 1652 (procid_target 31): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe"
  PID: 2924
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\21A4.tmp
    Command line: "C:\ProgramData\21A4.tmp"
    PID: 1412
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\21A4.tmp >> NUL
      PID: 1652
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x14c
  PID: 2292
Network
MITRE ATT&CK Enterprise v15
Downloads