Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-03-2024 04:11

General

  • Target

    4cefaa9c547f282b73828d5330a47d774fbf23e9cdafe1e4dc7507e9415ddb3e.exe

  • Size

    145KB

  • MD5

    34e55b241ba3693f35112330357a8edf

  • SHA1

    5fb869a2d2f3de24e756c576f022781c4b74598e

  • SHA256

    4cefaa9c547f282b73828d5330a47d774fbf23e9cdafe1e4dc7507e9415ddb3e

  • SHA512

    d3014fb73ad252eb94fd514a3b8e897eb3df93dfc217f8ee21c0e7d038fd98702005ea0edb849987ff271472fa5ea2d655176acb3e059325f268bb8ca76a7053

  • SSDEEP

    3072:u6glyuxE4GsUPnliByocWepfVxexiPIIV:u6gDBGpvEByocWepeYV

Malware Config

Signatures

  • Renames multiple (356) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cefaa9c547f282b73828d5330a47d774fbf23e9cdafe1e4dc7507e9415ddb3e.exe
    "C:\Users\Admin\AppData\Local\Temp\4cefaa9c547f282b73828d5330a47d774fbf23e9cdafe1e4dc7507e9415ddb3e.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2160
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:2756

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini

      Filesize

      129B

      MD5

      4984c45b20796a3ed9e782d8da1223f6

      SHA1

      055c01ce85e1bed499a19468bbc8119e62ac4e46

      SHA256

      ae2f7466183e803efd7af83dcf58181ef684d005fcc80038b579277f6cea4719

      SHA512

      c4860d8bfd738aee708510f3dee79584f46f4da020b012637ce2f4bb6b676ac85f1473b2dece200c750debecc7cf36cb2dae8bc50f3acb42093b95a0c5bf459a

    • C:\CHR4bQVWh.README.txt

      Filesize

      122B

      MD5

      1cd2c508680a93907346e98d6a1677e6

      SHA1

      42ab98d499046fe5477610f5c256aff0b0f5be5e

      SHA256

      f722457807534d1c563d6cfaa43e3a8b90d721dcef1d48c0a3921b4025cd6bda

      SHA512

      2757aeab0f7c2703e0dfb095b37aada25d2947d21c7c988e4dc4b842d07741f34e4f35447694bae5a60de374f6812c511fd912177c81f37a3efd578848ae574c

    • F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      ca5560d8dd6fc077d91c6138ccae3f6a

      SHA1

      d98d0184b722fb2c33712d5e3d7a365bd98b954f

      SHA256

      dc80b9ccb0ab22b859d8492cb73ff04ad61005bb24766d868b15067c4044b437

      SHA512

      673aa9014e0fca354424c6304c7116c2e641ce9bf52a2d4ae1d49dc8c6b3d8d09ed46a0ec57e064aeda9cd34d494cc53751f1a1deeab8b27f699e3977b34e063

    • memory/2160-0-0x0000000000170000-0x00000000001B0000-memory.dmp

      Filesize

      256KB