Analysis
max time kernel: 142s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-02-2024 02:01
Behavioral task: behavioral1
Sample: 33c2a1189c2d5716f3e89f9ab0179675.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: 33c2a1189c2d5716f3e89f9ab0179675.exe
Resource: win10v2004-20231215-en
General
Target: 33c2a1189c2d5716f3e89f9ab0179675.exe
Size: 146KB
MD5: 33c2a1189c2d5716f3e89f9ab0179675
SHA1: 832cbb42ca2d3d772f5fc6836f98bb5b0059ee3b
SHA256: f01909eee3dec5474a5a845deea3f8fb5502ac006f65060a7e945f91c966e266
SHA512: 530777cd0805f84b7831b193e8adec637877332b1ecf7005efc960e3fb2f5432b33c44ba758f853f364702e64d781330896fb6fc878314c0de926e547dc18d69
SSDEEP: 3072:9FqJogYkcSNm9V7DdOgrDx34Uuv5hQrfT:9Fq2kc4m9tDsIDx31d
Malware Config
Extracted
Path: C:\7fpKwvu5x.README.txt
URL: https://t.me/bit_decryptor
Signatures

Renames multiple (584) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation
  Process: EB1B.tmp
Deletes itself (1 IoC)
Processes:
  pid: 4164
  Process: EB1B.tmp
Executes dropped EXE (1 IoC)
Processes:
  pid: 4164
  Process: EB1B.tmp
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) (2 IoCs)
Processes:
  description: File opened for modification
  ioc: C:\$Recycle.Bin\S-1-5-21-983843758-932321429-1636175382-1000\desktop.ini
  Process: 33c2a1189c2d5716f3e89f9ab0179675.exe

  description: File opened for modification
  ioc: F:\$RECYCLE.BIN\S-1-5-21-983843758-932321429-1636175382-1000\desktop.ini
  Process: 33c2a1189c2d5716f3e89f9ab0179675.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
  pid: 4164
  Process: EB1B.tmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid: 936
  Process: 33c2a1189c2d5716f3e89f9ab0179675.exe
  (64 identical entries, all from PID 936)
Suspicious behavior: RenamesItself (26 IoCs)
Processes:
  pid: 4164
  Process: EB1B.tmp
  (26 identical entries, all from PID 4164)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  All 64 entries are from pid 936, Process 33c2a1189c2d5716f3e89f9ab0179675.exe. Tokens, in the order recorded:
  1. Token: SeAssignPrimaryTokenPrivilege
  2. Token: SeBackupPrivilege
  3. Token: SeDebugPrivilege
  4. Token: 36
  5. Token: SeImpersonatePrivilege
  6. Token: SeIncBasePriorityPrivilege
  7. Token: SeIncreaseQuotaPrivilege
  8. Token: 33
  9. Token: SeManageVolumePrivilege
  10. Token: SeProfSingleProcessPrivilege
  11. Token: SeRestorePrivilege
  12. Token: SeSecurityPrivilege
  13. Token: SeSystemProfilePrivilege
  14. Token: SeTakeOwnershipPrivilege
  15. Token: SeShutdownPrivilege
  16. Token: SeDebugPrivilege
  17-64. Token: SeBackupPrivilege and Token: SeSecurityPrivilege, alternating in pairs (SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege, ...) for 48 entries, ending with SeSecurityPrivilege, SeSecurityPrivilege
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description | pid | Process | procid_target
  PID 936 wrote to memory of 4164 | 936 | 33c2a1189c2d5716f3e89f9ab0179675.exe | 92   (4 entries)
  PID 4164 wrote to memory of 3124 | 4164 | EB1B.tmp | 93   (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\33c2a1189c2d5716f3e89f9ab0179675.exe"
  PID: 936
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\EB1B.tmp
    Command line: "C:\ProgramData\EB1B.tmp"
    PID: 4164
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\EB1B.tmp >> NUL
      PID: 3124
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 129B
MD5: 2b3383785a4ef1245ce991281a438e61
SHA1: 8ea88436e47e0374206aa6c288d188054b99fe9f
SHA256: a2a1a6fed7a888df8279a7dffa5d142e779cf14d697169ad6d57daa9eaa2673c
SHA512: 0c5eba30b60bcad2d622520d080db834b21266f9869dc23c4336acb008320b240ef60a82cc285fb7a6365b0def69ba21d4f5a6452d3538641905f5bf1c97be3a

Filesize: 659B
MD5: 85c38f851b1ebf97450897d2cee1bf1f
SHA1: 007a09cd283bb17b6a45b1de3977c08b5f177b03
SHA256: 1300bd82b3b745791a623c1736e7e1213ae23d9994f4a624400dc516ad261bda
SHA512: 91fa87894f7329c683e987536df6fea5c9314b6b0e149eb3c8db837258cbd3dc635ff286f15a02948bf685ba1ac720167d0b8547d739b4349142b766a13781f5

Filesize: 14KB
MD5: 294e9f64cb1642dd89229fff0592856b
SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Filesize: 146KB
MD5: 7eabd8cb3b55a65d31c4d856163d2755
SHA1: cc7be339482c9e37420dfc35cef440294731c754
SHA256: 73fd51365a07852a2d44c66875f9f830291300b9d6fdd47bd966d9b1ce125d6b
SHA512: 7cda2dae46aa139f315a1fc525b5133c81568ec4a6f031455981f61868cfef3bcf770f63cfd9ff825956478cfb7d3b49f81c870b9656e3e9d58b5bf54217feea

Filesize: 129B
MD5: 3cace86baac07f0c659f93db5ce68fa5
SHA1: b8132fe187fb92db024a250bff408c9f29619c36
SHA256: 5b5e44369fad56089c170a95e9335ed7f073c6461ceed3c87b6bf63cfb98e106
SHA512: 772874ad392d8cce7d71593fc98020f2fe1db5451028ee103e975d0503b3f342628e3a36013aeaba06efb093e4aad3f66b66ff87c7e4a3331054d12cc50fe8b5