Analysis
max time kernel: 120s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14-03-2024 04:23
Behavioral task behavioral1
Sample: de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Resource: win10v2004-20240226-en
General
Target: de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Size: 146KB
MD5: 8553d2d2c285b8c6d0710f1bdae1d0b4
SHA1: aaa7a2b1594291c12d9b438d8a07bf368f1262a9
SHA256: de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48
SHA512: c775ccb07fd6f90a366affc0d8c9b88c52bc58ae40a7784f7823cd3f327cc97ec8c6c47216fa6466f0a20cf81e05a33755d601d9fa1a50a4650178781946423c
SSDEEP: 1536:ozICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDjH+kxlmEoYMIcZwmirAkbI8O6C:3qJogYkcSNm9V7DL+EjoYEZL1i4T
Malware Config
Signatures
Renames multiple (307) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Deletes itself (1 IoC)
Processes: PID 1180 AD6F.tmp
Executes dropped EXE (1 IoC)
Processes: PID 1180 AD6F.tmp
Loads dropped DLL (1 IoC)
Processes: PID 2940 de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (2 IoCs)
Processes: de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
description | ioc | process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes: PID 1180 AD6F.tmp
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: PID 2940 de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe (all 8 entries are for this process)
Suspicious behavior: RenamesItself (26 IoCs)
Processes: PID 1180 AD6F.tmp (all 26 entries are for this process)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: PID 2940 de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe; PID 2144 vssvc.exe
description | pid | process
Token: SeAssignPrimaryTokenPrivilege | 2940 | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Token: SeBackupPrivilege | 2940 | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Token: SeDebugPrivilege | 2940 | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Token: 36 | 2940 | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Token: SeImpersonatePrivilege | 2940 | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Token: SeIncBasePriorityPrivilege | 2940 | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Token: SeIncreaseQuotaPrivilege | 2940 | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Token: 33 | 2940 | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Token: SeManageVolumePrivilege | 2940 | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Token: SeProfSingleProcessPrivilege | 2940 | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Token: SeRestorePrivilege | 2940 | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Token: SeSecurityPrivilege | 2940 | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Token: SeSystemProfilePrivilege | 2940 | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Token: SeTakeOwnershipPrivilege | 2940 | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Token: SeShutdownPrivilege | 2940 | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Token: SeDebugPrivilege | 2940 | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Token: SeBackupPrivilege | 2144 | vssvc.exe
Token: SeRestorePrivilege | 2144 | vssvc.exe
Token: SeAuditPrivilege | 2144 | vssvc.exe
Token: SeBackupPrivilege | 2940 | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe (x2)
Token: SeSecurityPrivilege | 2940 | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe (x2)
The pair of rows above (SeBackupPrivilege x2, then SeSecurityPrivilege x2) repeats 11 times in the report (44 entries), followed by one final row:
Token: SeBackupPrivilege | 2940 | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe, AD6F.tmp
description | pid | process | target process
PID 2940 wrote to memory of 1180 | 2940 | de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe | AD6F.tmp (5 entries)
PID 1180 wrote to memory of 3004 | 1180 | AD6F.tmp | cmd.exe (4 entries)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe (PID 2940)
  Command line: "C:\Users\Admin\AppData\Local\Temp\de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe"
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\AD6F.tmp (PID 1180, child of PID 2940)
    Command line: "C:\ProgramData\AD6F.tmp"
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 3004, child of PID 1180)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\AD6F.tmp >> NUL
C:\Windows\system32\vssvc.exe (PID 2144)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\AUDIODG.EXE (PID 1260)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x154
Network
MITRE ATT&CK Enterprise v15