Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 14-03-2024 04:11
Behavioral task behavioral1
- Sample: 4cefaa9c547f282b73828d5330a47d774fbf23e9cdafe1e4dc7507e9415ddb3e.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: 4cefaa9c547f282b73828d5330a47d774fbf23e9cdafe1e4dc7507e9415ddb3e.exe
- Resource: win10v2004-20240226-en
General
- Target: 4cefaa9c547f282b73828d5330a47d774fbf23e9cdafe1e4dc7507e9415ddb3e.exe
- Size: 145KB
- MD5: 34e55b241ba3693f35112330357a8edf
- SHA1: 5fb869a2d2f3de24e756c576f022781c4b74598e
- SHA256: 4cefaa9c547f282b73828d5330a47d774fbf23e9cdafe1e4dc7507e9415ddb3e
- SHA512: d3014fb73ad252eb94fd514a3b8e897eb3df93dfc217f8ee21c0e7d038fd98702005ea0edb849987ff271472fa5ea2d655176acb3e059325f268bb8ca76a7053
- SSDEEP: 3072:u6glyuxE4GsUPnliByocWepfVxexiPIIV:u6gDBGpvEByocWepeYV
Malware Config
Signatures
- Renames multiple (356) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  Processes (description / ioc / process):
  - File opened for modification / F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini / 4cefaa9c547f282b73828d5330a47d774fbf23e9cdafe1e4dc7507e9415ddb3e.exe
  - File opened for modification / C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini / 4cefaa9c547f282b73828d5330a47d774fbf23e9cdafe1e4dc7507e9415ddb3e.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  Processes (pid / process): 2160 / 4cefaa9c547f282b73828d5330a47d774fbf23e9cdafe1e4dc7507e9415ddb3e.exe (all 4 entries identical)
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (pid / process): 2160 / 4cefaa9c547f282b73828d5330a47d774fbf23e9cdafe1e4dc7507e9415ddb3e.exe (all 12 entries identical)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Processes
- C:\Users\Admin\AppData\Local\Temp\4cefaa9c547f282b73828d5330a47d774fbf23e9cdafe1e4dc7507e9415ddb3e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4cefaa9c547f282b73828d5330a47d774fbf23e9cdafe1e4dc7507e9415ddb3e.exe"
  - Drops desktop.ini file(s)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2160
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x14c
  PID: 2756
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129B
  MD5: 4984c45b20796a3ed9e782d8da1223f6
  SHA1: 055c01ce85e1bed499a19468bbc8119e62ac4e46
  SHA256: ae2f7466183e803efd7af83dcf58181ef684d005fcc80038b579277f6cea4719
  SHA512: c4860d8bfd738aee708510f3dee79584f46f4da020b012637ce2f4bb6b676ac85f1473b2dece200c750debecc7cf36cb2dae8bc50f3acb42093b95a0c5bf459a
- Filesize: 122B
  MD5: 1cd2c508680a93907346e98d6a1677e6
  SHA1: 42ab98d499046fe5477610f5c256aff0b0f5be5e
  SHA256: f722457807534d1c563d6cfaa43e3a8b90d721dcef1d48c0a3921b4025cd6bda
  SHA512: 2757aeab0f7c2703e0dfb095b37aada25d2947d21c7c988e4dc4b842d07741f34e4f35447694bae5a60de374f6812c511fd912177c81f37a3efd578848ae574c
- Filesize: 129B
  MD5: ca5560d8dd6fc077d91c6138ccae3f6a
  SHA1: d98d0184b722fb2c33712d5e3d7a365bd98b954f
  SHA256: dc80b9ccb0ab22b859d8492cb73ff04ad61005bb24766d868b15067c4044b437
  SHA512: 673aa9014e0fca354424c6304c7116c2e641ce9bf52a2d4ae1d49dc8c6b3d8d09ed46a0ec57e064aeda9cd34d494cc53751f1a1deeab8b27f699e3977b34e063