Analysis
max time kernel: 166s
max time network: 176s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 14-03-2024 04:23
Behavioral task: behavioral1
Sample: de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Resource: win10v2004-20240226-en
General
Target: de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
Size: 146KB
MD5: 8553d2d2c285b8c6d0710f1bdae1d0b4
SHA1: aaa7a2b1594291c12d9b438d8a07bf368f1262a9
SHA256: de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48
SHA512: c775ccb07fd6f90a366affc0d8c9b88c52bc58ae40a7784f7823cd3f327cc97ec8c6c47216fa6466f0a20cf81e05a33755d601d9fa1a50a4650178781946423c
SSDEEP: 1536:ozICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDjH+kxlmEoYMIcZwmirAkbI8O6C:3qJogYkcSNm9V7DL+EjoYEZL1i4T
Malware Config
Signatures
- Renames multiple (594) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  Processes: de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
  description / ioc / process:
  File opened for modification / C:\$Recycle.Bin\S-1-5-21-1904519900-954640453-4250331663-1000\desktop.ini / de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
  File opened for modification / F:\$RECYCLE.BIN\S-1-5-21-1904519900-954640453-4250331663-1000\desktop.ini / de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
  pid / process:
  956 / de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe (all 64 entries are this same pid and process)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe, vssvc.exe
  description / pid / process:
  Token: SeAssignPrimaryTokenPrivilege / 956 / de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
  Token: SeBackupPrivilege / 956 / de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
  Token: SeDebugPrivilege / 956 / de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
  Token: 36 / 956 / de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
  Token: SeImpersonatePrivilege / 956 / de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
  Token: SeIncBasePriorityPrivilege / 956 / de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
  Token: SeIncreaseQuotaPrivilege / 956 / de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
  Token: 33 / 956 / de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
  Token: SeManageVolumePrivilege / 956 / de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
  Token: SeProfSingleProcessPrivilege / 956 / de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
  Token: SeRestorePrivilege / 956 / de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
  Token: SeSecurityPrivilege / 956 / de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
  Token: SeSystemProfilePrivilege / 956 / de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
  Token: SeTakeOwnershipPrivilege / 956 / de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
  Token: SeShutdownPrivilege / 956 / de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
  Token: SeDebugPrivilege / 956 / de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
  Token: SeBackupPrivilege / 512 / vssvc.exe
  Token: SeRestorePrivilege / 512 / vssvc.exe
  Token: SeAuditPrivilege / 512 / vssvc.exe
  The remaining 45 entries are all for pid 956 (de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe) and follow the sequence SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege repeated 11 times, followed by one final SeBackupPrivilege.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\de7f501e4a17898e85229b962e2f43b9a20d995c8a9fe0cad4536adc8fbd9f48.exe"
  PID: 956
  Drops desktop.ini file(s)
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 512
  Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3924 --field-trial-handle=2256,i,18272763564106695635,11201593968620719822,262144 --variations-seed-version /prefetch:8
  PID: 2464
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129B
  MD5: 80bf5be53d11f41bdd8014a4060a4be7
  SHA1: 99d13940c2a54dc297963c267a30a90ad528b812
  SHA256: 15cc92498bbcea45820035923451203e6787c5773d1e249bf9ec135aa50ad26d
  SHA512: bf5d6cd26cc10471ed8f311bb6a0783f6dd0edf549a5e1c5a0778185de5330d7060e97f66ac00190f03bfca4f5dff8624ab9c46ed300defb3d0635e08204e1f7
- Filesize: 1KB
  MD5: 09e1680a7b7b2f24a426229f865b28df
  SHA1: b11cf264858b208cfa68a0cd954d7809019ebdca
  SHA256: 64978f92ee086ffb0ccc65e85a1bfac035fc29d66d952c7b19fd13572622cfe9
  SHA512: 9f7e605b257a33a3362103cc00338f4a80ab9b6b210e7bc49865f691534d66b6c89f66ed015f5dc1ff87278cabda37074d11951f790b1e11d5ecd036ab80e7d4
- Filesize: 129B
  MD5: 33a660f9ad1ec0f453a33a1663aed65d
  SHA1: 9743361686e1aa401ca1e6a573b1c78061815ea1
  SHA256: 5f05a2177adaa239995391103c660a86b44707f4292a3291fdc3e54e1b1b5397
  SHA512: 88ff33f9f2c27b41a35b5afabdbfc5c89247cfe2924ea834524a479aacc54131bc882a4e3bd1abcde6eecf54989ca9b28649f212aa97f6d956aadd793a4c7a48