874d3f892c299a623746d6b0669298375af4bd0ea02f52ac424c579e57ab48fd

General

Target

Document.doc.scr
Size

194KB
MD5

407ea767aa26ae13f9ff20d0999c8dda
SHA1

07e615132ef78e827047ffc4cc6c9d44f5a976fd
SHA256

f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4
SHA512

6c14d07b497af375f2f4db4da321ed7e5fb60a6f26281bcdbfc513eb1033d98442ff83ee58849a721bd7e14a0b7094b98397923c35bd4b6ae91c179784de6b02
SSDEEP

3072:L6glyuxE4GsUPnliByocWepVeKna4iJ0Cv+LmaGqsqRxB:L6gDBGpvEByocWePk4iJ0C2LYcx

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (310) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

26D2.tmp

pid process

1648 26D2.tmp
Executes dropped EXE 1 IoCs

Processes:

26D2.tmp

pid process

1648 26D2.tmp
Loads dropped DLL 1 IoCs

Processes:

Document.doc.scr

pid process

2412 Document.doc.scr
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

Document.doc.scr

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini	Document.doc.scr
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini	Document.doc.scr

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Document.doc.scr

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\jC7CNxlVt.bmp"	Document.doc.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\jC7CNxlVt.bmp"	Document.doc.scr

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

Document.doc.scr26D2.tmp

pid process

2412 Document.doc.scr
2412 Document.doc.scr
2412 Document.doc.scr
2412 Document.doc.scr
1648 26D2.tmp

Modifies Control Panel 2 IoCs

evasion

Processes:

Document.doc.scr

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop	Document.doc.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallpaperStyle = "10"	Document.doc.scr

Modifies registry class 5 IoCs

Processes:

Document.doc.scr

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.jC7CNxlVt	Document.doc.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jC7CNxlVt\ = "jC7CNxlVt"	Document.doc.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jC7CNxlVt\DefaultIcon	Document.doc.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jC7CNxlVt	Document.doc.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jC7CNxlVt\DefaultIcon\ = "C:\\ProgramData\\jC7CNxlVt.ico"	Document.doc.scr

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Document.doc.scr

pid	process
2412	Document.doc.scr
2412	Document.doc.scr
2412	Document.doc.scr
2412	Document.doc.scr
2412	Document.doc.scr
2412	Document.doc.scr
2412	Document.doc.scr
2412	Document.doc.scr
2412	Document.doc.scr
2412	Document.doc.scr
2412	Document.doc.scr
2412	Document.doc.scr
2412	Document.doc.scr
2412	Document.doc.scr

Suspicious behavior: RenamesItself 26 IoCs

Processes:

26D2.tmp

pid	process
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp
1648	26D2.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Document.doc.scr

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeDebugPrivilege	2412	Document.doc.scr
Token: 36	2412	Document.doc.scr
Token: SeImpersonatePrivilege	2412	Document.doc.scr
Token: SeIncBasePriorityPrivilege	2412	Document.doc.scr
Token: SeIncreaseQuotaPrivilege	2412	Document.doc.scr
Token: 33	2412	Document.doc.scr
Token: SeManageVolumePrivilege	2412	Document.doc.scr
Token: SeProfSingleProcessPrivilege	2412	Document.doc.scr
Token: SeRestorePrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeSystemProfilePrivilege	2412	Document.doc.scr
Token: SeTakeOwnershipPrivilege	2412	Document.doc.scr
Token: SeShutdownPrivilege	2412	Document.doc.scr
Token: SeDebugPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeBackupPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr
Token: SeSecurityPrivilege	2412	Document.doc.scr

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Document.doc.scr26D2.tmp

description	pid	process	target process
PID 2412 wrote to memory of 1648	2412	Document.doc.scr	26D2.tmp
PID 2412 wrote to memory of 1648	2412	Document.doc.scr	26D2.tmp
PID 2412 wrote to memory of 1648	2412	Document.doc.scr	26D2.tmp
PID 2412 wrote to memory of 1648	2412	Document.doc.scr	26D2.tmp
PID 2412 wrote to memory of 1648	2412	Document.doc.scr	26D2.tmp
PID 1648 wrote to memory of 2128	1648	26D2.tmp	cmd.exe
PID 1648 wrote to memory of 2128	1648	26D2.tmp	cmd.exe
PID 1648 wrote to memory of 2128	1648	26D2.tmp	cmd.exe
PID 1648 wrote to memory of 2128	1648	26D2.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Document.doc.scr
"C:\Users\Admin\AppData\Local\Temp\Document.doc.scr" /S
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412

C:\ProgramData\26D2.tmp
"C:\ProgramData\26D2.tmp"
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\26D2.tmp >> NUL
3⤵
PID:2128

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
1⤵
PID:276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini

Filesize
129B

MD5
51031886034d891708013072a2fefa05

SHA1
f36a278dde8d9bb058fa51c1aff361b54f3361b1

SHA256
82a779d77939f21510b904b403807806c083f44e6ee79eaf10f2fbfe2d3e985b

SHA512
9fb2632e742317371632f93924779c8fef5d171db93f7b83204a649fd5b989949a0a85932664e4be5fba8233bc14c8509f7d22e014f1cf61e87efe7b516619ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDD

Filesize
194KB

MD5
5d340b73c3e034109f3eed4e51ad2bcd

SHA1
ad094889ca08a3f01162cca81ed095159ed48459

SHA256
cd84cc6b730022af2101c14178c3ca591b506dc19c1cc4ec54a6b70d0db70514

SHA512
de23e6f7ce66816df5f2098b45c12f523031c4db8f3c3572ccceeaf48821eaba87159c0501af3ff20a2f869999a95e73b004257aed72ff6ca32710dbe82aa471

Download Submit
C:\jC7CNxlVt.README.txt

Filesize
434B

MD5
ad29bd8c66e114ff57c943d16c78f72a

SHA1
5ab070ee89a36f38facae4dfc8ec5ce3e59af46e

SHA256
6fe668fe8bf69158d1fd08e90f3cff60c1df410bf752635bf152853b6112549c

SHA512
a53121e2379aa9c3bc52d073498a54f26383834f6d6636b4b3831010565c80bf0da07511907eab7bd92f9796e559958b1c0ebea4c4b0f0d869e95b7deb5da7f1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\DDDDDDDDDDD

Filesize
129B

MD5
d9d5575b4826efb38f9b1a854da33839

SHA1
f2e31035b8d94d4032d57109daa0dd3b743a68ec

SHA256
8de1a6d7dd2135455c3218ffea759fb346e6f61c2b02a88edd38232a5d83eaec

SHA512
a17dccce400ab6059e579145480b327bc6d449c48bd3a0eff92dc1994993d200a61ca057c045acd9af6f6a9938c7034363ebe7961a2b43861bc970d7827c7a75

Download Submit
\ProgramData\26D2.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1648-837-0x0000000002180000-0x00000000021C0000-memory.dmp

Filesize
256KB

Download
memory/1648-838-0x0000000002180000-0x00000000021C0000-memory.dmp

Filesize
256KB

Download
memory/1648-841-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/1648-842-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/1648-836-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/1648-869-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/1648-870-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/2412-0-0x0000000000C80000-0x0000000000CC0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads