Analysis

  • max time kernel
    193s
  • max time network
    287s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    18-04-2024 22:17

General

  • Target

    01648bd95ce5d66d76d5c292ce639f0b4371402f9730b5067804ff0d3389d3b8.exe

  • Size

    148KB

  • MD5

    8f44723c6243b90795c93b6653ba9735

  • SHA1

    34270e442f37cd46db49d6896a8f154980af855f

  • SHA256

    01648bd95ce5d66d76d5c292ce639f0b4371402f9730b5067804ff0d3389d3b8

  • SHA512

    116b564fbf858c41a257fd9166631c25c3d59f476220d02e11793cab6f6412d8caa819c7e56720c8f2248ee5315cbcc905d11667b209ee5e7b3e8fc5cbe25438

  • SSDEEP

    3072:+qJogYkcSNm9V7DcaDtRx+roDNO1NZiQtu6E+TbT:+q2kc4m9tDVt3+041NZXtu6Z

Malware Config

Extracted

Path

C:\i0BQZsoDj.README.txt

Ransom Note

[ASCII-art banner omitted]

Hi. All your files are encrypted.
For decryption contact us on Session messenger. You can get it from https://getsession.org
Our Session ID: 050877486f869a0ca3c28c831576801d63e522afba3adfe310c443f9e7da124001
[+] Do not rename encrypted files.
[+] Do not try to decrypt your data using third party software, it may cause permanent data loss.
[+] You have 72 hours to get the key.

URLs

https://getsession.org

Signatures

  • Renames multiple (477) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\01648bd95ce5d66d76d5c292ce639f0b4371402f9730b5067804ff0d3389d3b8.exe
    "C:\Users\Admin\AppData\Local\Temp\01648bd95ce5d66d76d5c292ce639f0b4371402f9730b5067804ff0d3389d3b8.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3608
    • C:\ProgramData\83C6.tmp
      "C:\ProgramData\83C6.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3676
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\83C6.tmp >> NUL
        3⤵
        PID:3980
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
      1⤵
      • Drops file in Windows directory
      PID:1380

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Defense Evasion
    Modify Registry (1): T1112
  • Credential Access
    Unsecured Credentials (1): T1552
    Credentials In Files (1): T1552.001
  • Discovery
    System Information Discovery (1): T1082
  • Collection
    Data from Local System (1): T1005
  • Impact
    Defacement (1): T1491

Downloads

    • C:\$Recycle.Bin\S-1-5-21-3968772205-1713802336-1776639840-1000\AAAAAAAAAAA
      Filesize

      129B

      MD5

      3c5947cc4137aca70c63707057420bda

      SHA1

      6456b87536b0b3a50240083cbbf72fafb26d7ed8

      SHA256

      6eec9bbf4b40c8e4c0d80a85f74eb2f0cd464dc1bd3575f01b6abfa396a9a523

      SHA512

      f9a41639bf0b505d9813c56ee0dd00b46b0590796a3bb152211ea0cf4224f5bda713f6d752b293e52006fb0998fe12b0533697befe95cd738a32925576fbc2b3

    • C:\ProgramData\83C6.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
      Filesize

      148KB

      MD5

      60b9f349577c778dd4e047c1edba65b3

      SHA1

      230a5604e99f738fd2fcee41e88df350e140f9ca

      SHA256

      81f339be0e86f9b89ec7200c9253b8ed6e67a8399fcd9156507e3094cd32c221

      SHA512

      b0e4c91a85227b034571f136c085baeb7aa24206ceb22aa0c8508c3fd6b35715ac09526217a50c76c68a56611bb779d50fb86b58e7978ec70fdbf86b2c13a175

    • C:\i0BQZsoDj.README.txt
      Filesize

      2KB

      MD5

      7c3d34a06bb11ab8383e8afa4c60434d

      SHA1

      f87e16c6e6d36e70f436228aa3244dfb76f7fc2c

      SHA256

      2639d017985bafc4a1b213f5b9cf9409a16bc4b01ece1952bc4360a03bf3066a

      SHA512

      7969f6b2b9b5586fedbda52b895704fe2ba31bf7914a04dea790d2787326c66cfb644baf4c913adad22929d4a1e1f3e5d17fc369672f411d857aa456c3ab57bb

    • F:\$RECYCLE.BIN\S-1-5-21-3968772205-1713802336-1776639840-1000\EEEEEEEEEEE
      Filesize

      129B

      MD5

      c4055b9c322ea7fb1713d175730cf625

      SHA1

      ccc26674330b337383663ca1fdebab6e9b7a7f55

      SHA256

      1d9b535a767967c1dc78599a8ca4a59468485ad7160d127edc7eb1c97571901b

      SHA512

      26b5928455e11fb12fae56c2afd1d7ab402d3758a1a1f613a23912676ca3e008a63e44855d533985bfcdb53341955042e165e31ee10dbf5f491d7391840bca25

    • memory/1380-2626-0x000001F04F360000-0x000001F04F361000-memory.dmp
      Filesize

      4KB

    • memory/1380-2610-0x000001F04A4A0000-0x000001F04A4B0000-memory.dmp
      Filesize

      64KB

    • memory/1380-2614-0x000001F04A6C0000-0x000001F04A6D0000-memory.dmp
      Filesize

      64KB

    • memory/1380-2621-0x000001F04A7A0000-0x000001F04A7A1000-memory.dmp
      Filesize

      4KB

    • memory/1380-2623-0x000001F04ACC0000-0x000001F04ACC1000-memory.dmp
      Filesize

      4KB

    • memory/1380-2625-0x000001F04F340000-0x000001F04F341000-memory.dmp
      Filesize

      4KB

    • memory/3608-2-0x00000000023D0000-0x00000000023E0000-memory.dmp
      Filesize

      64KB

    • memory/3608-0-0x00000000023D0000-0x00000000023E0000-memory.dmp
      Filesize

      64KB

    • memory/3608-1-0x00000000023D0000-0x00000000023E0000-memory.dmp
      Filesize

      64KB

    • memory/3676-2633-0x00000000024C0000-0x00000000024D0000-memory.dmp
      Filesize

      64KB

    • memory/3676-2632-0x000000007FEA0000-0x000000007FEA1000-memory.dmp
      Filesize

      4KB

    • memory/3676-2634-0x00000000024C0000-0x00000000024D0000-memory.dmp
      Filesize

      64KB

    • memory/3676-2663-0x000000007FE80000-0x000000007FE81000-memory.dmp
      Filesize

      4KB

    • memory/3676-2664-0x000000007FE20000-0x000000007FE21000-memory.dmp
      Filesize

      4KB

    • memory/3676-2665-0x000000007FE40000-0x000000007FE41000-memory.dmp
      Filesize

      4KB

    • memory/3676-2666-0x000000007FE60000-0x000000007FE61000-memory.dmp
      Filesize

      4KB