Resubmissions

20-03-2024 09:55

240320-lxzn8sdh94 10

20-03-2024 09:53

240320-lwzb3sef3x 10

18-03-2024 09:01

240318-ky38dadf6s 10

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-03-2024 09:01

General

  • Target

    01bf78841b63bcdd8280157c486b45ad74811c0251140a054de81a925ce7f716.exe

  • Size

    145KB

  • MD5

    7966a61801e560b0031ba0e7d5864456

  • SHA1

    bb737041b092879f10e400a599e5301d186bb6d9

  • SHA256

    01bf78841b63bcdd8280157c486b45ad74811c0251140a054de81a925ce7f716

  • SHA512

    475f41efdafcb2a19e3d0c47b824f13f7ad609412d5d99bd08346795e3f98a14c96ab62f1ff0305a9fffc8d6c025f7c4c2e8a1502bfdb17484add606539f94d6

  • SSDEEP

    3072:pqJogYkcSNm9V7DF78cwcmphqvbAw/rKfGT:pq2kc4m9tDp7wxhqnm

Malware Config

Signatures

  • Renames multiple (455) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\01bf78841b63bcdd8280157c486b45ad74811c0251140a054de81a925ce7f716.exe
    "C:\Users\Admin\AppData\Local\Temp\01bf78841b63bcdd8280157c486b45ad74811c0251140a054de81a925ce7f716.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\ProgramData\340B.tmp
      "C:\ProgramData\340B.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:748
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\340B.tmp >> NUL
        3⤵
          PID:2068
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2096
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x14c
      1⤵
        PID:2512

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini

    Filesize

    129B

    MD5

    ecba07bea6a2a33c55f767bc77419b09

    SHA1

    0992a7fb77f9586ef560550fe2cb9dc51262f084

    SHA256

    17324ec59d87bcf02328446774b6029fd75b3e9d8417f04425ac3d03f7ae8033

    SHA512

    624c7ea09165b95e4e4878b668a9e38e5af5a0b96889d4c4bac321b85a182431f47ba54ebce7379541ecf477d75db2ec3ef24496547052645ac765893cc8c9f9

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

    Filesize

    145KB

    MD5

    e1df215ac5db033f182b903749819111

    SHA1

    07032961f15f6d6f0c0eaea6ec01fcac3c9bf45b

    SHA256

    12362827ff7d39c2efcb27bcea4364e67d5530934ed58f5e3ed2aa66a3a21e04

    SHA512

    6bd88481d54af4dad60fdaa28c01afd046b477ed55c4aae9db1e715336d520f3b827e0b1eaf8674634811eaf3649db943a99a9fd5da9a71f9631898403e95660

  • C:\fKwlk4hj5.README.txt

    Filesize

    629B

    MD5

    6773e35f848ca075a81e3eeb19221820

    SHA1

    e3ba485887c73a7f2b6e278e8cc376b323502596

    SHA256

    5b1cd3fb03117987e4c51a67cd101796451f15babfacb9c9c2832908229d358c

    SHA512

    88e27da84241b5a98e85d9ca7dc9eaae755401e899157676ee8dcccae023452f2a42a18c74ff8357eedf08836e930da4045a3dd7060cfaa992503d04852b8ec2

  • F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\CCCCCCCCCCC

    Filesize

    129B

    MD5

    3eed67b9b8b7938dd04318d8cfe63d86

    SHA1

    096fe1eeb0f6636cfc656ad1cad53447c9ea4079

    SHA256

    f32aa0ae54f79887534d7209683f42c925bfde9528a82303960f5bfc1521c30a

    SHA512

    b577a79cd4cdcb47f2fe27b3057b8fb9c96cb85fdf36a436932942530fd73cf5c4676678c5172a31896e579540d4339adbaeb820bed26d526112e9ba5f35f79e

  • \ProgramData\340B.tmp

    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • memory/748-970-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

    Filesize

    4KB

  • memory/748-971-0x00000000002A0000-0x00000000002E0000-memory.dmp

    Filesize

    256KB

  • memory/748-973-0x000000007EF80000-0x000000007EF81000-memory.dmp

    Filesize

    4KB

  • memory/748-974-0x000000007EF20000-0x000000007EF21000-memory.dmp

    Filesize

    4KB

  • memory/748-1002-0x000000007EF40000-0x000000007EF41000-memory.dmp

    Filesize

    4KB

  • memory/748-1005-0x000000007EF40000-0x000000007EF41000-memory.dmp

    Filesize

    4KB

  • memory/2240-0-0x00000000003A0000-0x00000000003E0000-memory.dmp

    Filesize

    256KB