c8b41de669363ff7fecae244b46fcc2455cf09c10fd783815094659f912ee326

Resubmissions

28-03-2024 15:06

240328-sgx9sshb9x 10

28-03-2024 14:55

240328-sar47sha3x 10

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe
Size

15KB
MD5

aedb1ad5304921ac3883570ebb647a29
SHA1

eb91ca0baf1e7be6b538871714c727232a981acf
SHA256

f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712
SHA512

6bbe14d668223b1b43e4ce9f7a75eb5892a2cd917b9e725edfda490113860a2ba8971cdbdef33e60a473fd0f831af1812ee6c4671f64be2c45958fa68fe4e88c
SSDEEP

384:nl+IiU+Xh2GFstXnzVmzN/Gv2utvWmIptYcFwVc03K:ox2GGtpG6NfctYcFwVc6K

Score

10^/10

persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty"	f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Alo Minegames ransomware.exe	f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper	f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	876	f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe

C:\Users\Admin\AppData\Local\Temp\f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe
"C:\Users\Admin\AppData\Local\Temp\f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/876-0-0x0000000000830000-0x000000000083A000-memory.dmp

Filesize
40KB

Download
memory/876-1-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/876-2-0x0000000005720000-0x0000000005CC4000-memory.dmp

Filesize
5.6MB

Download
memory/876-3-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/876-4-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/876-5-0x0000000005230000-0x000000000523A000-memory.dmp

Filesize
40KB

Download
memory/876-6-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/876-7-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/876-8-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/876-9-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads