Analysis

  • max time kernel
    159s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-03-2024 04:12

General

  • Target

    588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe

  • Size

    146KB

  • MD5

    003031ca225b277654d0ab190e689657

  • SHA1

    1ae8d950533be741d2a32852b730aea3fe822b8f

  • SHA256

    588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845

  • SHA512

    d42c673279b3684c98f9040ba864a0d34de870706065922f6450f6fb22ea9c5295cf377f72a221b14baf8144ea3bc161ed40f645330f5b0d087d44374a86381d

  • SSDEEP

    3072:5qQmy9NTrVnlaSRCNacp6dJywiLD4mdzSQBG:5qJ8TrBESRCNaab

Malware Config

Signatures

  • Renames multiple (616) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofencing check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe
    "C:\Users\Admin\AppData\Local\Temp\588dfcd0e8ebc570eaba342d6d220528a722be93a46c2dfa2306a7b662b25845.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5064
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:712
    • C:\ProgramData\1FFE.tmp
      "C:\ProgramData\1FFE.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4380
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1FFE.tmp >> NUL
        3⤵
          PID:4548
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:4528
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
        1⤵
          PID:4256
        • C:\Windows\system32\printfilterpipelinesvc.exe
          C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
          1⤵
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:3288
          • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
            /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{23EBEB34-C5FF-47A8-9A1C-6509EAB60C1F}.xps" 133548632906600000
            2⤵
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of SetWindowsHookEx
            PID:4908

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\FFFFFFFFFFF

          Filesize

          129B

          MD5

          06154bf3084d156e70b6569a115094f8

          SHA1

          03a411813ae3cbbf689a199a499f2c6c3943b6b0

          SHA256

          06a914c558badf0414a0527dbb480ccc378d674d989e7c3a2f4355c155fa5ec4

          SHA512

          f916fa847d9f980f6a042071c755c89172f4f540e28f1504f860a2800c22c623666c668352f10697a990e8f3055c95797cb2c4414277bbb28146a637c25895e7

        • C:\BR6hZGUB2.README.txt

          Filesize

          422B

          MD5

          ac20ec8df145e03672c7aceea15fd00d

          SHA1

          7b1b94dacc53f753301f2fb05075c94847b5ef51

          SHA256

          3a077461e18bdef692b5bb6aaa4dca98d511670f3aec3e4fac8902ee73d2d0a2

          SHA512

          3a1751ebfe8bb845b769b0039ccc878602f47685324d9e838fb130db8947feb3ce0459eda0d7a2ff16a96deb740b5b9aaa0a22c1089c587a132ba3b9b27ea3fd

        • C:\ProgramData\1FFE.tmp

          Filesize

          14KB

          MD5

          294e9f64cb1642dd89229fff0592856b

          SHA1

          97b148c27f3da29ba7b18d6aee8a0db9102f47c9

          SHA256

          917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

          SHA512

          b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

        • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

          Filesize

          146KB

          MD5

          bcf22f571cbb659b425b8cd702f6101e

          SHA1

          0795d2a1ed0e5d0d1b132394dc778d50b221bc51

          SHA256

          9964ad845df38f078c66afcdcb8c6d886a190062bed4e3ec806e1f1ed4548f4b

          SHA512

          82aa398fe0c8e784df07475a943b244aff69aaf8eae242e978cbad0a3829c513fc7435ced785a4c7d6a6cd35069deeb3ffc573401df9d3b44bf65499f72b0d68

        • C:\Users\Admin\AppData\Local\Temp\{0B70F720-DDF6-4EC6-BF8B-DAA5A239820D}

          Filesize

          4KB

          MD5

          a4b1b1cd4723f1ae1745fa6e81f09681

          SHA1

          3b1ea5baffa653fe0b0692b69ff819642eb9231a

          SHA256

          f019e8c7be6edc144ee49e9e1d758f3187b49a7b53facbac8742c4a5cd966b99

          SHA512

          0c574dce212494cdf6e36f42763bf569a7ec33697d52035bd34ce9af54f9f6c6d3f688227ebea47c20f5fc19b0f545d33f1b2f51f200f271a976de488124aaa8

        • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

          Filesize

          4KB

          MD5

          c0a102d1ec55fbac2ad95b8953884653

          SHA1

          ea8ec0998c3dea92877c0f7330627ed9269837d4

          SHA256

          1e5129bd909d60c80afcf1fa900de59e7dda9acda0745b3330bc5b650bc6444a

          SHA512

          24594ca7141bc5dabf707ef9317f7cac68729446a01a9cb779b175de33d022ab22553ab531b2764aeb59bd805af7328140ce3d77e3d1a5e8328eccaa7b67c824

        • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\BBBBBBBBBBB

          Filesize

          129B

          MD5

          b020012c39bc6834d865699f9e583acd

          SHA1

          8a0446264acc65800948aac7aa144c6e2c8b6acd

          SHA256

          e685b44f708c651bf8d45d7ade7945a8027de4706c42485172bf27b6a70bf1a3

          SHA512

          7178cb8d0ad7a29811eb3bedec68925d3230f79552c61093098f6bbedb3b02875a1a841d4dc007de7c3813e88e2e33c221aefa9c077912c893c09083bb16f9b6

        • memory/4380-2856-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

          Filesize

          4KB

        • memory/4380-2857-0x000000007FE00000-0x000000007FE01000-memory.dmp

          Filesize

          4KB

        • memory/4380-2823-0x000000007FE40000-0x000000007FE41000-memory.dmp

          Filesize

          4KB

        • memory/4380-2824-0x00000000023E0000-0x00000000023F0000-memory.dmp

          Filesize

          64KB

        • memory/4380-2825-0x00000000023E0000-0x00000000023F0000-memory.dmp

          Filesize

          64KB

        • memory/4380-2826-0x000000007FE20000-0x000000007FE21000-memory.dmp

          Filesize

          4KB

        • memory/4380-2827-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

          Filesize

          4KB

        • memory/4908-2797-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

          Filesize

          64KB

        • memory/4908-2800-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

          Filesize

          64KB

        • memory/4908-2799-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

          Filesize

          2.0MB

        • memory/4908-2806-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

          Filesize

          2.0MB

        • memory/4908-2805-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

          Filesize

          64KB

        • memory/4908-2816-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

          Filesize

          2.0MB

        • memory/4908-2817-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

          Filesize

          2.0MB

        • memory/4908-2818-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

          Filesize

          2.0MB

        • memory/4908-2803-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

          Filesize

          2.0MB

        • memory/4908-2802-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

          Filesize

          64KB

        • memory/4908-2801-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

          Filesize

          2.0MB

        • memory/4908-2804-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

          Filesize

          2.0MB

        • memory/4908-2798-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

          Filesize

          64KB

        • memory/4908-2867-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

          Filesize

          2.0MB

        • memory/4908-2866-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

          Filesize

          2.0MB

        • memory/4908-2859-0x00007FFEB3C20000-0x00007FFEB3C30000-memory.dmp

          Filesize

          64KB

        • memory/4908-2858-0x00007FFEB3C20000-0x00007FFEB3C30000-memory.dmp

          Filesize

          64KB

        • memory/5064-791-0x0000000003280000-0x0000000003290000-memory.dmp

          Filesize

          64KB

        • memory/5064-792-0x0000000003280000-0x0000000003290000-memory.dmp

          Filesize

          64KB

        • memory/5064-793-0x0000000003280000-0x0000000003290000-memory.dmp

          Filesize

          64KB

        • memory/5064-0-0x0000000003280000-0x0000000003290000-memory.dmp

          Filesize

          64KB

        • memory/5064-2-0x0000000003280000-0x0000000003290000-memory.dmp

          Filesize

          64KB

        • memory/5064-1-0x0000000003280000-0x0000000003290000-memory.dmp

          Filesize

          64KB