Overview

overview

10

Static

static

10

d5d49fbe4f...18.exe

windows7-x64

9

d5d49fbe4f...18.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 12:48

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d5d49fbe4f955416afe5db8c735638cedde326347757e8c57323305480568418.exe

  • Size

    146KB

  • MD5

    9a2e880c5c4fcbecf71014de4bbeb2db

  • SHA1

    173089f18ef521b89516319117bf545d33f2e657

  • SHA256

    d5d49fbe4f955416afe5db8c735638cedde326347757e8c57323305480568418

  • SHA512

    c01ee3e7898b6dda26aee4d04c4a345d2c36ba019bade775dd71330d96a37ed0594a496df18db3a2e593fd7e13f90de123f47ab33e3a8d4936501c69e7500a59

  • SSDEEP

    3072:m6glyuxE4GsUPnliByocWepc8HtoTc0U7DF:m6gDBGpvEByocWeFNh0GDF

Score
9/10
ransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (578) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5d49fbe4f955416afe5db8c735638cedde326347757e8c57323305480568418.exe
    "C:\Users\Admin\AppData\Local\Temp\d5d49fbe4f955416afe5db8c735638cedde326347757e8c57323305480568418.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:4636
    • C:\ProgramData\E62B.tmp
      "C:\ProgramData\E62B.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E62B.tmp >> NUL
        3⤵
          PID:2136
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:3492
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:2908
        • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
          /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{34FDE610-21E7-4322-B903-B1770CDB875F}.xps" 133578317173200000
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of SetWindowsHookEx
          PID:2680

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\$Recycle.Bin\S-1-5-21-4092317236-2027488869-1227795436-1000\desktop.ini
              Filesize

              129B

              MD5

              c66ba73809200df3907667334aa23aba

              SHA1

              8ee6b11f4a6433f51763d5674ff7951fd9702e6e

              SHA256

              b1e7ae1d566118d2faa471aa536b7ebf5a6eb750cde14a5d953afa97c6cfedbd

              SHA512

              26ad52e258f7d00230d99bef4b12fdb597f601fe7b93eb853fd36018af28a4ea1496217b359518f480fa6de63a3248fab1c8d26e0fc9e4d21feae5e2b68709f6

              Download Submit

            • C:\ETx6kDWq1.README.txt
              Filesize

              449B

              MD5

              766ef24b15ffcc364d7a2e8fbe56322a

              SHA1

              b333f4e3333fbd2a28b112e3854a083a161ab627

              SHA256

              fcd9314182e1d6ce85e724ed58f2add5993982f52459af9b0198095be137e0af

              SHA512

              9a0a23398ee072008bd7fd7ff31e3dc0b1737a0cd101da12e6879ed41fb9eba30829cbb52bd654c52aca2fe4afd01278da5f440da9b940e8a6775f25a01bd553

              Download Submit

            • C:\ProgramData\E62B.tmp
              Filesize

              14KB

              MD5

              294e9f64cb1642dd89229fff0592856b

              SHA1

              97b148c27f3da29ba7b18d6aee8a0db9102f47c9

              SHA256

              917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

              SHA512

              b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
              Filesize

              146KB

              MD5

              65f93e64cd79f255cd7983272a92043c

              SHA1

              a353927bb6ff8b00e995b39ae52282850c8febf8

              SHA256

              2b68580b58fa179fac240869203b5b42383e157734034df554d172654625d5ee

              SHA512

              6ac22b39261a7e1852aecc384f939dd127e7a14e4c246b27ad4fa6a04ebc9d4a7198972ef4fb54cb611e6ba1a7a937d648713fbfc0013d57d3cb21fa818e025c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\{9AF543E7-7AAC-4C21-AFF3-54BB26E75D8E}
              Filesize

              4KB

              MD5

              f58179a5575d6e2b5f9cd43866fd5e7a

              SHA1

              610980d67f2e5f48fbbf69c366fbf03886782e1d

              SHA256

              71cce039ee9c454300bc22628cfdc1db571086f4bda8af312ee6f44cb05c0976

              SHA512

              e7be542cc5d736828ddbea3daaac75f30063c15f23df5f709f331d131855663595e74b9f74580affe8b7d78b236bb88422196642d640a65b613d40acc41dcf6c

              Download Submit

            • F:\$RECYCLE.BIN\S-1-5-21-4092317236-2027488869-1227795436-1000\DDDDDDDDDDD
              Filesize

              129B

              MD5

              42389d43c377e104c66cbd7eb6377e8b

              SHA1

              52c488468a379c0824c278ad4c5c372f5f14a791

              SHA256

              51b03b67acc16b04cc8656e8661d8b3ce90f6d71f8e4e3007217d3ed5ffdcd7d

              SHA512

              1a2a87daf0dd0a3001cdf3ef1f668cb1937b010429f4db3df02be48630249c6fedc441d9ec504ffc6adfa920005863432e358abf397bb6ff248d7380adc8d3c0

              Download Submit

            • memory/1752-1-0x0000000002C00000-0x0000000002C10000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1752-2-0x0000000002C00000-0x0000000002C10000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1752-2691-0x0000000002C00000-0x0000000002C10000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1752-2692-0x0000000002C00000-0x0000000002C10000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1752-0-0x0000000002C00000-0x0000000002C10000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2680-2709-0x00007FF9338D0000-0x00007FF9338E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2680-2751-0x00007FF973850000-0x00007FF973A45000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/2680-2740-0x00007FF973850000-0x00007FF973A45000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/2680-2742-0x00007FF973850000-0x00007FF973A45000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/2680-2743-0x00007FF9338D0000-0x00007FF9338E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2680-2744-0x00007FF973850000-0x00007FF973A45000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/2680-2741-0x00007FF9338D0000-0x00007FF9338E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2680-2710-0x00007FF973850000-0x00007FF973A45000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/2680-2745-0x00007FF973850000-0x00007FF973A45000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/2680-2746-0x00007FF973850000-0x00007FF973A45000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/2680-2747-0x00007FF973850000-0x00007FF973A45000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/2680-2748-0x00007FF973850000-0x00007FF973A45000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/2680-2750-0x00007FF973850000-0x00007FF973A45000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/2680-2711-0x00007FF9338D0000-0x00007FF9338E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2680-2749-0x00007FF931870000-0x00007FF931880000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2680-2752-0x00007FF931870000-0x00007FF931880000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2680-2754-0x00007FF973850000-0x00007FF973A45000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/2680-2755-0x00007FF973850000-0x00007FF973A45000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/2680-2756-0x00007FF973850000-0x00007FF973A45000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/2680-2757-0x00007FF973850000-0x00007FF973A45000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/2680-2758-0x00007FF973850000-0x00007FF973A45000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/2680-2759-0x00007FF973850000-0x00007FF973A45000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/2680-2708-0x00007FF9338D0000-0x00007FF9338E0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2680-2776-0x00007FF973850000-0x00007FF973A45000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/2680-2777-0x00007FF973850000-0x00007FF973A45000-memory.dmp

              Filesize

              2.0MB

              Download