Overview

overview

10

Static

static

10

86e17aa882...98.exe

windows7-x64

9

86e17aa882...98.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    147s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-04-2024 16:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    86e17aa882c690ede284f3e445439dfe589d8f36e31cbc09d102305499d5c498.exe

  • Size

    194KB

  • MD5

    ae811bd6440b425e6777f0ca001a9743

  • SHA1

    70902540ead269971e149eaff568fb17d04156af

  • SHA256

    86e17aa882c690ede284f3e445439dfe589d8f36e31cbc09d102305499d5c498

  • SHA512

    3617d8e77c221525125778cf64f2525136f7958766f5bed0fd7bfe00e7f738017d2840972acc628e4c3471b93cf6d52ccd619f49bdbbcff824c12cac8e1ea88e

  • SSDEEP

    3072:a6glyuxE4GsUPnliByocWepiHkZmlkQIQP6fo:a6gDBGpvEByocWeQwLAPm

Score
9/10
ransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (614) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\86e17aa882c690ede284f3e445439dfe589d8f36e31cbc09d102305499d5c498.exe
    "C:\Users\Admin\AppData\Local\Temp\86e17aa882c690ede284f3e445439dfe589d8f36e31cbc09d102305499d5c498.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:3944
    • C:\ProgramData\75F2.tmp
      "C:\ProgramData\75F2.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4600
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\75F2.tmp >> NUL
        3⤵
          PID:2256
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:3204
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
        1⤵
          PID:4208
        • C:\Windows\system32\printfilterpipelinesvc.exe
          C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
          1⤵
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:4144
          • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
            /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{707755BB-BF7A-4763-BB0E-65C5C3C0DD7B}.xps" 133585368699180000
            2⤵
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious use of SetWindowsHookEx
            PID:2436

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini
          Filesize

          129B

          MD5

          d49c5efa7e725dbe23908843ef747870

          SHA1

          7947bb56633d7aba82bec93cd054e48fdb7ed5d7

          SHA256

          e5000a0c70ab9c82667841f844bdcf862fe3c9e93308207fd0a173ccb77bed35

          SHA512

          ef46d83ce7cffae9731b577ce014fdfc719ad87a127b606b4b32ec881e61b4c32ed52742948617a2f58a5a4f77c7ee606a53578e24c7b146312c81d69421d7e3

          Download Submit

        • C:\ProgramData\75F2.tmp
          Filesize

          14KB

          MD5

          294e9f64cb1642dd89229fff0592856b

          SHA1

          97b148c27f3da29ba7b18d6aee8a0db9102f47c9

          SHA256

          917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

          SHA512

          b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
          Filesize

          194KB

          MD5

          5e320ecf66d54f4b5ae310c70c1c5dcc

          SHA1

          c6f9f78441bec137264e1970d4333a14458e6e00

          SHA256

          d643c64a2b711bb96216a7198b3c4c241da5de6d54a737f60c93b5087acbbcaf

          SHA512

          03bcd503cd6786e1fe7dcdcfa159c321e0e6e944aa0e2f2312b7f6f03cdd10e06182115a5b53af8308e5c85ab83f13ce74fbcc44b7ecdf2738f9773cdf9cdd02

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\{3C3684DC-140F-4F6E-99E6-92EDEA712AF8}
          Filesize

          4KB

          MD5

          cf87b8b2a17c381ba3bab29f94549ef6

          SHA1

          405e76f9ff716d424f1212248702ea7a20b70ed7

          SHA256

          17ea7b85a42db1bb34d16856d8dae42391f742240dcb7730dae230aef1397690

          SHA512

          b02a285c963c31bc5af0633c5fc42aa175115fff7a9eedb52a2e83304297eb29576c1d5d8214d40d2da82cd333298fd1f5f8b77f2f30c110c69dd4248aabc818

          Download Submit

        • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
          Filesize

          4KB

          MD5

          b5c03a031a7a49b5e7180ec6a2106958

          SHA1

          f013d9676442e8f498ac49fd49652490eca2c687

          SHA256

          8310a25d554e125d60c28a8dfa32b5676329d675e3f3cf339b1bdf500c6f3c1c

          SHA512

          b080834d617963ed80bf1952a0aa79c3ef571082adadd10330783c275ef641458e7823196bc91bb8fa391ccd45b5db7b684aec80ad9c5cbde0b8673d54cdc5f9

          Download Submit

        • C:\kZd6jLIwz.README.txt
          Filesize

          449B

          MD5

          c2f46db865b0ba6ef8f9385cf458a56e

          SHA1

          0b2f94fcf38ef15f59bb86a3296b7da514b4ac4e

          SHA256

          c25759e6083dd4bf592a6da2063c45def5adc9a6ef2ed15820128a0d838f70fe

          SHA512

          9927b209ca26e3243fac9f003c6af7663ba84405346fbdb66c6f401387cd20ea3f99d63d0858ebdc76f2e6bc722d41e2a1f599bc6f7d97b0687dba95dea31b39

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\CCCCCCCCCCC
          Filesize

          129B

          MD5

          d39f1a7c601f34bf1618e473dad0d600

          SHA1

          7b0b1168f560d2ab2505ca4543bcd51e905ac214

          SHA256

          173470c8be3b5c590d0ccdc486108b667ccd6a93e3ccadfd612d6e963b241e20

          SHA512

          238ce5f8dc06b527522e01b7a4cde13f0afb1dec3a3dd61881a2fabb7545704ac3497e974a91b6b437cb5152d6f5d918142cb57b70e8f9fe6a08124d551148fe

          Download Submit

        • memory/2412-1235-0x0000000002950000-0x0000000002960000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2412-1236-0x0000000002950000-0x0000000002960000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2412-1237-0x0000000002950000-0x0000000002960000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2412-2-0x0000000002950000-0x0000000002960000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2412-0-0x0000000002950000-0x0000000002960000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2412-1-0x0000000002950000-0x0000000002960000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2436-2813-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2436-2810-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2436-2812-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2436-2809-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2436-2814-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2436-2815-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2436-2817-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2436-2856-0x00007FFEB3C20000-0x00007FFEB3C30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2436-2806-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2436-2807-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2436-2869-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2436-2811-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2436-2868-0x00007FFEF6070000-0x00007FFEF6265000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2436-2808-0x00007FFEB60F0000-0x00007FFEB6100000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2436-2858-0x00007FFEB3C20000-0x00007FFEB3C30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4600-2825-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4600-2857-0x000000007FE00000-0x000000007FE01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4600-2855-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4600-2822-0x000000007FE40000-0x000000007FE41000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4600-2826-0x000000007FE20000-0x000000007FE21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4600-2823-0x0000000000590000-0x00000000005A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4600-2824-0x0000000000590000-0x00000000005A0000-memory.dmp

          Filesize

          64KB

          Download