Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-03-2024 04:23

General

  • Target

    de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe

  • Size

    146KB

  • MD5

    8553d2d2c285b8c6d0710f1bdae1d0b4

  • SHA1

    aaa7a2b1594291c12d9b438d8a07bf368f1262a9

  • SHA256

    de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48

  • SHA512

    c775ccb07fd6f90a366affc0d8c9b88c52bc58ae40a7784f7823cd3f327cc97ec8c6c47216fa6466f0a20cf81e05a33755d601d9fa1a50a4650178781946423c

  • SSDEEP

    1536:ozICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDjH+kxlmEoYMIcZwmirAkbI8O6C:3qJogYkcSNm9V7DL+EjoYEZL1i4T

Malware Config

Signatures

  • Renames multiple (307) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. Ransomware commonly calls it to enumerate and delete shadow copies so that encrypted files cannot be restored from a snapshot; this report shows vssvc.exe being started (PID 2144) but does not show which VSS operations were requested.

Processes

  • C:\Users\Admin\AppData\Local\Temp\de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
    "C:\Users\Admin\AppData\Local\Temp\de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\ProgramData\AD6F.tmp
      "C:\ProgramData\AD6F.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1180
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\AD6F.tmp >> NUL
        3⤵
          PID:3004
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2144
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x154
    1⤵
    PID:1260
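The process tree above carries three behaviours worth turning into detections: a .tmp dropped directly into C:\ProgramData running as a process (PID 1180), cmd.exe spawned by that process solely to delete its parent's image (PID 3004; note the command line names the 32-bit C:\Windows\System32\cmd.exe but the process image is C:\Windows\SysWOW64\cmd.exe, which is WoW64 file-system redirection from a 32-bit stage, and the delete target is the 8.3 short name C:\PROGRA~3\AD6F.tmp), and the mass rename of 307 files with an appended extension from the Signatures section. The following is an added example, not code from the sandbox or the sample: the event records are constructed to mirror the command lines shown in this report, their field names (pid, image, parent_image, cmd, old, new) are an assumed schema rather than any particular SIEM's, and the appended extension ".xxxx" in the rename events is a hypothetical placeholder because the report does not show the extension actually used.

```python
"""Detection checks for the process-tree and rename behaviours in this report.
Added example, not part of the sandbox report or the sample. Event records
are constructed below; their schema is an assumption, not a SIEM's."""
import re
from collections import Counter, defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe")
STAGE2 = r"C:\ProgramData\AD6F.tmp"

# Constructed process-creation events mirroring the report's tree.
# The parent of PID 2940 is not shown in the report, so it is left as None.
PROCESS_EVENTS = [
    {"pid": 2940, "image": SAMPLE, "parent_image": None, "cmd": f'"{SAMPLE}"'},
    {"pid": 1180, "image": STAGE2, "parent_image": SAMPLE, "cmd": f'"{STAGE2}"'},
    {"pid": 3004, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent_image": STAGE2,
     "cmd": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\AD6F.tmp >> NUL'},
]

# Constructed file-rename events. ".xxxx" is a hypothetical appended extension;
# the report counts 307 renamed files but does not show the extension used.
RENAME_EVENTS = [
    {"pid": 1180, "old": rf"C:\Users\Admin\Documents\file{i}.docx",
     "new": rf"C:\Users\Admin\Documents\file{i}.docx.xxxx"} for i in range(25)
] + [
    # Benign activity from another process: one backup rename, one plain rename.
    {"pid": 999, "old": r"C:\Users\Admin\Desktop\notes.txt",
     "new": r"C:\Users\Admin\Desktop\notes.txt.bak"},
    {"pid": 999, "old": r"C:\Users\Admin\Desktop\draft.txt",
     "new": r"C:\Users\Admin\Desktop\final.txt"},
]


def _base(path):
    """Lower-cased final path component; None becomes an empty string."""
    return (path or "").rsplit("\\", 1)[-1].lower()


# First absolute path following a DEL verb on the command line.
DEL_TARGET_RE = re.compile(r'\bdel\b.*?([A-Za-z]:\\[^\s>"]+)', re.IGNORECASE)


def detect_self_delete(events):
    r"""cmd.exe launched to delete its own parent's image (the report's PID 3004).
    Basenames are compared rather than full paths: the command line carries the
    8.3 short name C:\PROGRA~3\AD6F.tmp, which never string-matches the parent
    image C:\ProgramData\AD6F.tmp, so a full-path comparison would miss it."""
    hits = []
    for e in events:
        if _base(e["image"]) != "cmd.exe":
            continue
        m = DEL_TARGET_RE.search(e["cmd"])
        if m and _base(m.group(1)) == _base(e["parent_image"]):
            hits.append(e["pid"])
    return hits


# A file with a .tmp extension sitting directly in ProgramData, run as a process.
TMP_EXEC_RE = re.compile(r"^[A-Za-z]:\\ProgramData\\[^\\]+\.tmp$", re.IGNORECASE)


def detect_tmp_execution(events):
    """Dropped stage executed from ProgramData (the report's PID 1180)."""
    return [e["pid"] for e in events if TMP_EXEC_RE.match(e["image"])]


def detect_mass_rename(events, threshold=20):
    """Per process, count renames that only append one extension to the original
    name, and flag processes where a single appended extension reaches the
    threshold. This is the 'renames multiple files with added filename
    extension' signature; a move to another directory does not count."""
    per_pid = defaultdict(Counter)
    for r in events:
        old, new = r["old"].lower(), r["new"].lower()
        if new.startswith(old + "."):
            suffix = new[len(old):]
            if "\\" not in suffix:
                per_pid[r["pid"]][suffix] += 1
    flagged = {}
    for pid, counts in per_pid.items():
        ext, n = counts.most_common(1)[0]
        if n >= threshold:
            flagged[pid] = (ext, n)
    return flagged


def triage(process_events, rename_events):
    """Run all three checks and return the flagged PIDs per behaviour."""
    return {
        "self_delete": detect_self_delete(process_events),
        "tmp_execution": detect_tmp_execution(process_events),
        "mass_rename": detect_mass_rename(rename_events),
    }


if __name__ == "__main__":
    print(triage(PROCESS_EVENTS, RENAME_EVENTS))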

Network

MITRE ATT&CK Enterprise v15


Downloads

      • C:\$Recycle.Bin\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini

        Filesize

        129B

        MD5

        f8f03b3e7841cb871368eb65a2e67e22

        SHA1

        ea73a83c8853b1af3c056ccd9effc3aa65cd29eb

        SHA256

        a58771bd78b7632937020d659e05a6f2df7e07f0fc04521e53696bca42a4b922

        SHA512

        3f8105bc6bbe748e27c0d8556773fb210a1bac19d15379b0367567525410492a02f4422f7fe1515e1e501f504d66ba861fece8fdf73c76dbe1543fb57dd1f6f9

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

        Filesize

        146KB

        MD5

        a6076504313fd806f1a9728f78ee4375

        SHA1

        bad537002a1a0605fbed47de38df7205e21b7fbd

        SHA256

        101a637facbedc8f7d6470751ba2d2dcf2cfdc843b37fca6a4ac57afcc295147

        SHA512

        09c07b3302f0e30ceeb1645dbfa124f963c775bb59685ae4fae2f3854427c9ce3377a67b56a83926bd6d0aea806e40f161690b0df2e2117eb8f795b9ff6338df

      • C:\Users\Admin\JoJLDTofE.README.txt

        Filesize

        1KB

        MD5

        09e1680a7b7b2f24a426229f865b28df

        SHA1

        b11cf264858b208cfa68a0cd954d7809019ebdca

        SHA256

        64978f92ee086ffb0ccc65e85a1bfac035fc29d66d952c7b19fd13572622cfe9

        SHA512

        9f7e605b257a33a3362103cc00338f4a80ab9b6b210e7bc49865f691534d66b6c89f66ed015f5dc1ff87278cabda37074d11951f790b1e11d5ecd036ab80e7d4

      • F:\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\OOOOOOOOOOO

        Filesize

        129B

        MD5

        0074327ffbaf4ddf6bad1241638d9428

        SHA1

        18346f794860e365a5a95c5c302a1bcce18641a1

        SHA256

        7102a09b196917849f321fd0666ee48314f2f3593e99551a20db63fb55ab2b9a

        SHA512

        041f976fe611142828e5830a66b31e77007780f7c5b6dd3561e158dfc3c78a46880033d803c2c21c7be439d430be561ebb0d5a1b08b8f72b13c08f199c032bf2

      • \ProgramData\AD6F.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • memory/1180-822-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

        Filesize

        4KB

      • memory/1180-824-0x0000000000250000-0x0000000000290000-memory.dmp

        Filesize

        256KB

      • memory/1180-827-0x000000007EF80000-0x000000007EF81000-memory.dmp

        Filesize

        4KB

      • memory/1180-828-0x000000007EF20000-0x000000007EF21000-memory.dmp

        Filesize

        4KB

      • memory/1180-854-0x000000007EF40000-0x000000007EF41000-memory.dmp

        Filesize

        4KB

      • memory/1180-855-0x000000007EF60000-0x000000007EF61000-memory.dmp

        Filesize

        4KB

      • memory/2940-0-0x0000000000CA0000-0x0000000000CE0000-memory.dmp

        Filesize

        256KB