Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-04-2024 07:47

General

  • Target

    Document.doc.scr

  • Size

    194KB

  • MD5

    407ea767aa26ae13f9ff20d0999c8dda

  • SHA1

    07e615132ef78e827047ffc4cc6c9d44f5a976fd

  • SHA256

    f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4

  • SHA512

    6c14d07b497af375f2f4db4da321ed7e5fb60a6f26281bcdbfc513eb1033d98442ff83ee58849a721bd7e14a0b7094b98397923c35bd4b6ae91c179784de6b02

  • SSDEEP

    3072:L6glyuxE4GsUPnliByocWepVeKna4iJ0Cv+LmaGqsqRxB:L6gDBGpvEByocWePk4iJ0C2LYcx

Malware Config

Signatures

  • Renames multiple (310) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Document.doc.scr
    "C:\Users\Admin\AppData\Local\Temp\Document.doc.scr" /S
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\ProgramData\26D2.tmp
      "C:\ProgramData\26D2.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\26D2.tmp >> NUL
        3⤵
          PID:2128
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x14c
      1⤵
        PID:276

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini

        Filesize

        129B

        MD5

        51031886034d891708013072a2fefa05

        SHA1

        f36a278dde8d9bb058fa51c1aff361b54f3361b1

        SHA256

        82a779d77939f21510b904b403807806c083f44e6ee79eaf10f2fbfe2d3e985b

        SHA512

        9fb2632e742317371632f93924779c8fef5d171db93f7b83204a649fd5b989949a0a85932664e4be5fba8233bc14c8509f7d22e014f1cf61e87efe7b516619ad

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDD

        Filesize

        194KB

        MD5

        5d340b73c3e034109f3eed4e51ad2bcd

        SHA1

        ad094889ca08a3f01162cca81ed095159ed48459

        SHA256

        cd84cc6b730022af2101c14178c3ca591b506dc19c1cc4ec54a6b70d0db70514

        SHA512

        de23e6f7ce66816df5f2098b45c12f523031c4db8f3c3572ccceeaf48821eaba87159c0501af3ff20a2f869999a95e73b004257aed72ff6ca32710dbe82aa471

      • C:\jC7CNxlVt.README.txt

        Filesize

        434B

        MD5

        ad29bd8c66e114ff57c943d16c78f72a

        SHA1

        5ab070ee89a36f38facae4dfc8ec5ce3e59af46e

        SHA256

        6fe668fe8bf69158d1fd08e90f3cff60c1df410bf752635bf152853b6112549c

        SHA512

        a53121e2379aa9c3bc52d073498a54f26383834f6d6636b4b3831010565c80bf0da07511907eab7bd92f9796e559958b1c0ebea4c4b0f0d869e95b7deb5da7f1

      • F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\DDDDDDDDDDD

        Filesize

        129B

        MD5

        d9d5575b4826efb38f9b1a854da33839

        SHA1

        f2e31035b8d94d4032d57109daa0dd3b743a68ec

        SHA256

        8de1a6d7dd2135455c3218ffea759fb346e6f61c2b02a88edd38232a5d83eaec

        SHA512

        a17dccce400ab6059e579145480b327bc6d449c48bd3a0eff92dc1994993d200a61ca057c045acd9af6f6a9938c7034363ebe7961a2b43861bc970d7827c7a75

      • \ProgramData\26D2.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • memory/1648-837-0x0000000002180000-0x00000000021C0000-memory.dmp

        Filesize

        256KB

      • memory/1648-838-0x0000000002180000-0x00000000021C0000-memory.dmp

        Filesize

        256KB

      • memory/1648-841-0x000000007EF80000-0x000000007EF81000-memory.dmp

        Filesize

        4KB

      • memory/1648-842-0x000000007EF20000-0x000000007EF21000-memory.dmp

        Filesize

        4KB

      • memory/1648-836-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

        Filesize

        4KB

      • memory/1648-869-0x000000007EF40000-0x000000007EF41000-memory.dmp

        Filesize

        4KB

      • memory/1648-870-0x000000007EF60000-0x000000007EF61000-memory.dmp

        Filesize

        4KB

      • memory/2412-0-0x0000000000C80000-0x0000000000CC0000-memory.dmp

        Filesize

        256KB