Overview

overview

10

Static

static

10

86e17aa882...98.exe

windows7-x64

9

86e17aa882...98.exe

windows10-2004-x64

9

Resubmissions

01-05-2024 08:19

240501-j78c1sdd24 10

25-04-2024 01:41

240425-b4jlgsdb8x 10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-04-2024 01:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    86e17aa882c690ede284f3e445439dfe589d8f36e31cbc09d102305499d5c498.exe

  • Size

    194KB

  • MD5

    ae811bd6440b425e6777f0ca001a9743

  • SHA1

    70902540ead269971e149eaff568fb17d04156af

  • SHA256

    86e17aa882c690ede284f3e445439dfe589d8f36e31cbc09d102305499d5c498

  • SHA512

    3617d8e77c221525125778cf64f2525136f7958766f5bed0fd7bfe00e7f738017d2840972acc628e4c3471b93cf6d52ccd619f49bdbbcff824c12cac8e1ea88e

  • SSDEEP

    3072:a6glyuxE4GsUPnliByocWepiHkZmlkQIQP6fo:a6gDBGpvEByocWeQwLAPm

Score
9/10
ransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (609) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86e17aa882c690ede284f3e445439dfe589d8f36e31cbc09d102305499d5c498.exe
    "C:\Users\Admin\AppData\Local\Temp\86e17aa882c690ede284f3e445439dfe589d8f36e31cbc09d102305499d5c498.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:3524
    • C:\ProgramData\68F.tmp
      "C:\ProgramData\68F.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4560
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\68F.tmp >> NUL
        3⤵
          PID:4252
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4032 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:4928
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
        1⤵
          PID:3316
        • C:\Windows\system32\printfilterpipelinesvc.exe
          C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
          1⤵
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:2088
          • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
            /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{07DB9741-13D4-444C-9AC1-98A04B1DCD88}.xps" 133584829795220000
            2⤵
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of SetWindowsHookEx
            PID:4460

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        3
        T1012

        System Information Discovery

        4
        T1082

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Exfiltration

        Command and Control

        Impact

        Defacement

        1
        T1491

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\IIIIIIIIIII
          Filesize

          129B

          MD5

          c8c146b463fc414d736ed114959c7efb

          SHA1

          d969ab8d1acddd7d9b311d45d1642b559ce9e6c5

          SHA256

          ca9c70ad822914e521e4b9ef3566d05e396e9edfbdb1d2706468fd77f3623804

          SHA512

          7cd4d15da8c806804f92efc78e291cc6be2875edc9b93e0c3f89821e2b5b20b9d258712b019323f84ff4377cd5a5e5f761efd7ad53f26cf3d38c7e9b89cf290b

          Download Submit
        • C:\ProgramData\68F.tmp
          Filesize

          14KB

          MD5

          294e9f64cb1642dd89229fff0592856b

          SHA1

          97b148c27f3da29ba7b18d6aee8a0db9102f47c9

          SHA256

          917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

          SHA512

          b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
          Filesize

          194KB

          MD5

          bca04d9ac2c8283209dabd8e9f9a8a65

          SHA1

          4727d847966c308b5d0255ac317f0da554dd4482

          SHA256

          a87a874595790f4f5c44d733220be5217542017e154e811ce3513325ac21c129

          SHA512

          b49262404440f85652536bbca9ece8154e9cabf236c60c4042cc368e2572b40045baed9dabd2c9a098d33488d6c20f433119f908cfe71108545200562cfba4ea

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\{4E20C97A-E37C-468A-B529-46465B968865}
          Filesize

          4KB

          MD5

          3f277cdcf800fa84348fdfb6ccb12c20

          SHA1

          9a9d8135fb732e8d5b0e312518e6fe7a47eb13f4

          SHA256

          9885a1aef1804446fc4f0096d34449859129193985e67cecdfe71179e7b9ec29

          SHA512

          8249a2c6a77c36cc7111f2b7b24ff729496874b37fc384b1567c981427c2150bee4006bc3efa7411dc3485a4123e409138875ba346c6a01b274c28f5eb1e880c

          Download Submit
        • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
          Filesize

          4KB

          MD5

          3a460c1b9bfcee0b31deb941abb240e7

          SHA1

          78da1a160fc8e04a0fd9feacc02b60e4849ecfa1

          SHA256

          c5ee6095014c710607bb46716984f092a2457e069ba20608e1fc9fe2d56abece

          SHA512

          b1ffd5d7ed00627fe311e61a358c9caf4133a224c7ca35b5d980b43b9b5aeeb106147339a28bfd2019b7b6dc8fc4e4a09aeede2df149e4abf253d33511c295d3

          Download Submit
        • C:\kZd6jLIwz.README.txt
          Filesize

          449B

          MD5

          c2f46db865b0ba6ef8f9385cf458a56e

          SHA1

          0b2f94fcf38ef15f59bb86a3296b7da514b4ac4e

          SHA256

          c25759e6083dd4bf592a6da2063c45def5adc9a6ef2ed15820128a0d838f70fe

          SHA512

          9927b209ca26e3243fac9f003c6af7663ba84405346fbdb66c6f401387cd20ea3f99d63d0858ebdc76f2e6bc722d41e2a1f599bc6f7d97b0687dba95dea31b39

          Download Submit
        • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\DDDDDDDDDDD
          Filesize

          129B

          MD5

          291a1bf51f1d29d8af53d375b39de224

          SHA1

          b2e5db80ce2d7743ecec42f64f4fb83186e5e79d

          SHA256

          d5dcead8c233665924ac9bd22bc2a0748f98b29b3c9588f2cdd3c48c598b3f87

          SHA512

          218346d9d882f644885f6181265a315456adaaec9f885b724e4856795ba33027da9197e6070ba9994634a6b426d5ca51ed07590ace72e4438855d96932544906

          Download Submit
        • memory/4248-1230-0x0000000002CC0000-0x0000000002CD0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4248-1231-0x0000000002CC0000-0x0000000002CD0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4248-1229-0x0000000002CC0000-0x0000000002CD0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4248-0-0x0000000002CC0000-0x0000000002CD0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4248-2-0x0000000002CC0000-0x0000000002CD0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4248-1-0x0000000002CC0000-0x0000000002CD0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4460-2848-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/4460-2803-0x00007FFE6A690000-0x00007FFE6A6A0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4460-2817-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/4460-2834-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/4460-2847-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/4460-2813-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/4460-2879-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/4460-2804-0x00007FFE6A690000-0x00007FFE6A6A0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4460-2806-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/4460-2857-0x00007FFE68110000-0x00007FFE68120000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4460-2802-0x00007FFE6A690000-0x00007FFE6A6A0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4460-2815-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/4460-2805-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/4460-2807-0x00007FFE6A690000-0x00007FFE6A6A0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4460-2816-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/4460-2856-0x00007FFE68110000-0x00007FFE68120000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4460-2814-0x00007FFE6A690000-0x00007FFE6A6A0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4460-2810-0x00007FFEAA610000-0x00007FFEAA805000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/4560-2849-0x000000007FE40000-0x000000007FE41000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4560-2850-0x00000000024C0000-0x00000000024D0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4560-2851-0x00000000024C0000-0x00000000024D0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4560-2852-0x000000007FE20000-0x000000007FE21000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4560-2853-0x000000007FDC0000-0x000000007FDC1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4560-2855-0x000000007FE00000-0x000000007FE01000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4560-2854-0x000000007FDE0000-0x000000007FDE1000-memory.dmp
          Filesize

          4KB

          Download