Analysis
-
max time kernel
49s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
28-03-2024 15:06
Static task
static1
Behavioral task
behavioral1
Sample
215c37360388d16653ffc1740c639d486753a9db69a8ad4f3e1b172b1b712df4.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5e902a138174c34e5445685c82b2044e0b35565854471aaccef0315c77288dc9.exe
Resource
win7-20240220-en
Behavioral task
behavioral3
Sample
8d2f2ee24882afe11f50e3d6d9400e35fa66724b321cb9f5a246baf63cbc1788.exe
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9.exe
Resource
win7-20240215-en
Behavioral task
behavioral5
Sample
f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe
Resource
win7-20240221-en
General
-
Target
f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe
-
Size
15KB
-
MD5
aedb1ad5304921ac3883570ebb647a29
-
SHA1
eb91ca0baf1e7be6b538871714c727232a981acf
-
SHA256
f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712
-
SHA512
6bbe14d668223b1b43e4ce9f7a75eb5892a2cd917b9e725edfda490113860a2ba8971cdbdef33e60a473fd0f831af1812ee6c4671f64be2c45958fa68fe4e88c
-
SSDEEP
384:nl+IiU+Xh2GFstXnzVmzN/Gv2utvWmIptYcFwVc03K:ox2GGtpG6NfctYcFwVc6K
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "empty" f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\Alo Minegames ransomware.exe f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2928 f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe"C:\Users\Admin\AppData\Local\Temp\f8da280bb9f81028c14d1e156d6685cdb5f75219a60f645f72e520fb5e388712.exe"1⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:2928
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a