Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-03-2024 04:12

General

  • Target

    588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe

  • Size

    146KB

  • MD5

    003031ca225b277654d0ab190e689657

  • SHA1

    1ae8d950533be741d2a32852b730aea3fe822b8f

  • SHA256

    588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845

  • SHA512

    d42c673279b3684c98f9040ba864a0d34de870706065922f6450f6fb22ea9c5295cf377f72a221b14baf8144ea3bc161ed40f645330f5b0d087d44374a86381d

  • SSDEEP

    3072:5qQmy9NTrVnlaSRCNacp6dJywiLD4mdzSQBG:5qJ8TrBESRCNaab

Malware Config

Signatures

  • Renames multiple (354) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe
    "C:\Users\Admin\AppData\Local\Temp\588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\ProgramData\4588.tmp
      "C:\ProgramData\4588.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4588.tmp >> NUL
        3⤵
          PID:2284
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x148
      1⤵
        PID:3000

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini

        Filesize

        129B

        MD5

        da874c79516e02e1f86ff950a8f51ddc

        SHA1

        0fe40957f81b91af161e901835352430849b9ec2

        SHA256

        2a133a5136a4005006630da88b73c1e7bc901ba32e19ae7af88fc82c2be1b28e

        SHA512

        80a5bc832166af515cacc722251edc2b6c7acc6054c278f25bdbb436e230756d70b3a0f4638a859d4f27be086b56828bc8082cf15e26e932d6ad5a89079fdd20

      • C:\BR6hZGUB2.README.txt

        Filesize

        422B

        MD5

        ac20ec8df145e03672c7aceea15fd00d

        SHA1

        7b1b94dacc53f753301f2fb05075c94847b5ef51

        SHA256

        3a077461e18bdef692b5bb6aaa4dca98d511670f3aec3e4fac8902ee73d2d0a2

        SHA512

        3a1751ebfe8bb845b769b0039ccc878602f47685324d9e838fb130db8947feb3ce0459eda0d7a2ff16a96deb740b5b9aaa0a22c1089c587a132ba3b9b27ea3fd

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

        Filesize

        146KB

        MD5

        88b6651fb5067b789a6fed114ba7f8f5

        SHA1

        5559d833f3f4082ca86feff6f4acc812f6462efc

        SHA256

        9dd2f28c2199a084528ea29addf3de796f257a31704e56f853c6938b04dae9d4

        SHA512

        adbcb2735ae3aebc4ea1e23cd5d8ddfb911b8d44d1ff9b43161a3c76b58d169834a371378c1822c3319297195f6c88d64362319d3c7eb1b1fb11ffff548506d7

      • F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\DDDDDDDDDDD

        Filesize

        129B

        MD5

        4ec40c1c2ce321b0623c5a24d09599b3

        SHA1

        d2d42f9543af181bfec7848b895d7c3eadce62a6

        SHA256

        fe10f8008a169e41b3a4aaf3ae7fedae0e90c8f534858a51d64b4c4937802b5c

        SHA512

        7818984abc94d763988f25e61c5d3e2e553015f3d0deed17cb4b09fc617ce60f0df541d8c87f4caf217981a328c3ef9dfe3f29be0fff1025639d35bedcd35c19

      • \ProgramData\4588.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • memory/2192-0-0x0000000000AF0000-0x0000000000B30000-memory.dmp

        Filesize

        256KB

      • memory/2264-880-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

        Filesize

        4KB

      • memory/2264-883-0x00000000003B0000-0x00000000003F0000-memory.dmp

        Filesize

        256KB

      • memory/2264-889-0x000000007EF80000-0x000000007EF81000-memory.dmp

        Filesize

        4KB

      • memory/2264-891-0x000000007EF20000-0x000000007EF21000-memory.dmp

        Filesize

        4KB

      • memory/2264-912-0x000000007EF40000-0x000000007EF41000-memory.dmp

        Filesize

        4KB

      • memory/2264-913-0x000000007EF40000-0x000000007EF41000-memory.dmp

        Filesize

        4KB