Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
14-03-2024 04:12
Behavioral task
behavioral1
Sample
588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe
Resource
win10v2004-20240226-en
General
-
Target
588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe
-
Size
146KB
-
MD5
003031ca225b277654d0ab190e689657
-
SHA1
1ae8d950533be741d2a32852b730aea3fe822b8f
-
SHA256
588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845
-
SHA512
d42c673279b3684c98f9040ba864a0d34de870706065922f6450f6fb22ea9c5295cf377f72a221b14baf8144ea3bc161ed40f645330f5b0d087d44374a86381d
-
SSDEEP
3072:5qQmy9NTrVnlaSRCNacp6dJywiLD4mdzSQBG:5qJ8TrBESRCNaab
Malware Config
Signatures
-
Renames multiple (354) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
Processes:
4588.tmppid process 2264 4588.tmp -
Executes dropped EXE 1 IoCs
Processes:
4588.tmppid process 2264 4588.tmp -
Loads dropped DLL 1 IoCs
Processes:
588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exepid process 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exedescription ioc process File opened for modification C:\$Recycle.Bin\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\BR6hZGUB2.bmp" 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\BR6hZGUB2.bmp" 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe4588.tmppid process 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 2264 4588.tmp -
Modifies Control Panel 2 IoCs
Processes:
588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallpaperStyle = "10" 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe -
Modifies registry class 5 IoCs
Processes:
588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.BR6hZGUB2 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.BR6hZGUB2\ = "BR6hZGUB2" 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BR6hZGUB2\DefaultIcon 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BR6hZGUB2 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BR6hZGUB2\DefaultIcon\ = "C:\\ProgramData\\BR6hZGUB2.ico" 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exepid process 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe -
Suspicious behavior: RenamesItself 26 IoCs
Processes:
4588.tmppid process 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp 2264 4588.tmp -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exedescription pid process Token: SeAssignPrimaryTokenPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeDebugPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: 36 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeImpersonatePrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeIncBasePriorityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeIncreaseQuotaPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: 33 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeManageVolumePrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeProfSingleProcessPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeRestorePrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSystemProfilePrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeTakeOwnershipPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeShutdownPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeDebugPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeBackupPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe Token: SeSecurityPrivilege 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe4588.tmpdescription pid process target process PID 2192 wrote to memory of 2264 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 4588.tmp PID 2192 wrote to memory of 2264 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 4588.tmp PID 2192 wrote to memory of 2264 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 4588.tmp PID 2192 wrote to memory of 2264 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 4588.tmp PID 2192 wrote to memory of 2264 2192 588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe 4588.tmp PID 2264 wrote to memory of 2284 2264 4588.tmp cmd.exe PID 2264 wrote to memory of 2284 2264 4588.tmp cmd.exe PID 2264 wrote to memory of 2284 2264 4588.tmp cmd.exe PID 2264 wrote to memory of 2284 2264 4588.tmp cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe"C:\Users\Admin\AppData\Local\Temp\588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe"1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\ProgramData\4588.tmp"C:\ProgramData\4588.tmp"2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\4588.tmp >> NUL3⤵PID:2284
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1481⤵PID:3000
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5da874c79516e02e1f86ff950a8f51ddc
SHA10fe40957f81b91af161e901835352430849b9ec2
SHA2562a133a5136a4005006630da88b73c1e7bc901ba32e19ae7af88fc82c2be1b28e
SHA51280a5bc832166af515cacc722251edc2b6c7acc6054c278f25bdbb436e230756d70b3a0f4638a859d4f27be086b56828bc8082cf15e26e932d6ad5a89079fdd20
-
Filesize
422B
MD5ac20ec8df145e03672c7aceea15fd00d
SHA17b1b94dacc53f753301f2fb05075c94847b5ef51
SHA2563a077461e18bdef692b5bb6aaa4dca98d511670f3aec3e4fac8902ee73d2d0a2
SHA5123a1751ebfe8bb845b769b0039ccc878602f47685324d9e838fb130db8947feb3ce0459eda0d7a2ff16a96deb740b5b9aaa0a22c1089c587a132ba3b9b27ea3fd
-
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize146KB
MD588b6651fb5067b789a6fed114ba7f8f5
SHA15559d833f3f4082ca86feff6f4acc812f6462efc
SHA2569dd2f28c2199a084528ea29addf3de796f257a31704e56f853c6938b04dae9d4
SHA512adbcb2735ae3aebc4ea1e23cd5d8ddfb911b8d44d1ff9b43161a3c76b58d169834a371378c1822c3319297195f6c88d64362319d3c7eb1b1fb11ffff548506d7
-
Filesize
129B
MD54ec40c1c2ce321b0623c5a24d09599b3
SHA1d2d42f9543af181bfec7848b895d7c3eadce62a6
SHA256fe10f8008a169e41b3a4aaf3ae7fedae0e90c8f534858a51d64b4c4937802b5c
SHA5127818984abc94d763988f25e61c5d3e2e553015f3d0deed17cb4b09fc617ce60f0df541d8c87f4caf217981a328c3ef9dfe3f29be0fff1025639d35bedcd35c19
-
Filesize
14KB
MD5294e9f64cb1642dd89229fff0592856b
SHA197b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf