Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
26-04-2024 07:47
Behavioral task
behavioral1
Sample
Document.doc.scr
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Document.doc.scr
Resource
win10v2004-20240412-en
General
-
Target
Document.doc.scr
-
Size
194KB
-
MD5
407ea767aa26ae13f9ff20d0999c8dda
-
SHA1
07e615132ef78e827047ffc4cc6c9d44f5a976fd
-
SHA256
f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4
-
SHA512
6c14d07b497af375f2f4db4da321ed7e5fb60a6f26281bcdbfc513eb1033d98442ff83ee58849a721bd7e14a0b7094b98397923c35bd4b6ae91c179784de6b02
-
SSDEEP
3072:L6glyuxE4GsUPnliByocWepVeKna4iJ0Cv+LmaGqsqRxB:L6gDBGpvEByocWePk4iJ0C2LYcx
Malware Config
Signatures
-
Renames multiple (310) files with added filename extension
This suggests ransomware activity: the sample is encrypting files on the system and appending an extension to each file it processes.
-
Deletes itself 1 IoCs
Processes:
pid | process
1648 | 26D2.tmp -
Executes dropped EXE 1 IoCs
Processes:
pid | process
1648 | 26D2.tmp -
Loads dropped DLL 1 IoCs
Processes:
pid | process
2412 | Document.doc.scr -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and session cookies. Caveat: a file-encryption loop that walks the user profile also opens files under the browser profile directories and trips this signature, so on its own it does not establish credential theft.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini | Document.doc.scr
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini | Document.doc.scr -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\jC7CNxlVt.bmp" | Document.doc.scr
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\jC7CNxlVt.bmp" | Document.doc.scr -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
pid | process
2412 | Document.doc.scr (x4)
1648 | 26D2.tmp (x1) -
Modifies Control Panel 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop | Document.doc.scr
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\WallpaperStyle = "10" | Document.doc.scr -
Modifies registry class 5 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.jC7CNxlVt | Document.doc.scr
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.jC7CNxlVt\ = "jC7CNxlVt" | Document.doc.scr
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jC7CNxlVt\DefaultIcon | Document.doc.scr
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\jC7CNxlVt | Document.doc.scr
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\jC7CNxlVt\DefaultIcon\ = "C:\\ProgramData\\jC7CNxlVt.ico" | Document.doc.scr -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid | process
2412 | Document.doc.scr (x14) -
Suspicious behavior: RenamesItself 26 IoCs
Processes:
pid | process
1648 | 26D2.tmp (x26) -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeAssignPrimaryTokenPrivilege | 2412 | Document.doc.scr
Token: SeBackupPrivilege (x25) | 2412 | Document.doc.scr
Token: SeDebugPrivilege (x2) | 2412 | Document.doc.scr
Token: 36 | 2412 | Document.doc.scr
Token: SeImpersonatePrivilege | 2412 | Document.doc.scr
Token: SeIncBasePriorityPrivilege | 2412 | Document.doc.scr
Token: SeIncreaseQuotaPrivilege | 2412 | Document.doc.scr
Token: 33 | 2412 | Document.doc.scr
Token: SeManageVolumePrivilege | 2412 | Document.doc.scr
Token: SeProfSingleProcessPrivilege | 2412 | Document.doc.scr
Token: SeRestorePrivilege | 2412 | Document.doc.scr
Token: SeSecurityPrivilege (x25) | 2412 | Document.doc.scr
Token: SeSystemProfilePrivilege | 2412 | Document.doc.scr
Token: SeTakeOwnershipPrivilege | 2412 | Document.doc.scr
Token: SeShutdownPrivilege | 2412 | Document.doc.scr
Note: the first 16 adjustments enable the privileges listed once each (with SeBackupPrivilege, SeDebugPrivilege and SeSecurityPrivilege appearing in that batch); the remaining 48 are SeBackupPrivilege and SeSecurityPrivilege enabled in alternating pairs, which is consistent with a per-file loop that needs to open files regardless of their ACLs. "36" and "33" are privilege LUIDs the report shows numerically rather than by name. -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 2412 wrote to memory of 1648 (x5) | 2412 | Document.doc.scr | 26D2.tmp
PID 1648 wrote to memory of 2128 (x4) | 1648 | 26D2.tmp | cmd.exe
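The "Renames multiple (310) files with added filename extension" and "Modifies registry class" signatures above are the two signals a detection engineer would correlate: one process appending the same new extension to hundreds of files across many directories, and that same process registering a shell class for the extension. The following is an added example, not the sandbox's own detection code, that runs that heuristic over constructed file-rename and registry events. The event dataclasses, the thresholds (50 files, 5 directories) and the assumption that the appended extension equals the registered class `.jC7CNxlVt` are mine; the report itself does not name the extension that was appended.

```python
"""Added example: rename-burst + class-registration heuristic over
constructed telemetry. Not the sandbox's code; thresholds are assumptions."""
import ntpath
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class FileRename:
    pid: int
    image: str
    old_path: str
    new_path: str


@dataclass(frozen=True)
class RegKeyCreate:
    pid: int
    image: str
    key: str


def added_extension(old_path: str, new_path: str) -> Optional[str]:
    """Return the single extension appended by a rename, else None.
    'a\\b.docx' -> 'a\\b.docx.jC7CNxlVt' yields '.jC7CNxlVt'; a rename that
    changes the stem, moves the file, or appends two extensions yields None."""
    if not new_path.startswith(old_path):
        return None
    suffix = new_path[len(old_path):]
    if len(suffix) < 2 or suffix[0] != "." or "." in suffix[1:] or "\\" in suffix:
        return None
    return suffix


def registered_extensions(reg_events: Iterable[RegKeyCreate]) -> Dict[int, Set[str]]:
    """pid -> extensions the process registered as ...\\Classes\\.<ext>
    (the 'Modifies registry class' IoCs in the report)."""
    out: Dict[int, Set[str]] = defaultdict(set)
    for ev in reg_events:
        leaf = ev.key.rsplit("\\", 1)[-1]
        if "\\classes\\" in ev.key.lower() and leaf.startswith("."):
            out[ev.pid].add(leaf.lower())
    return out


def detect_rename_burst(renames: Iterable[FileRename],
                        reg_events: Iterable[RegKeyCreate],
                        min_files: int = 50,
                        min_dirs: int = 5) -> List[dict]:
    """Flag a process that appends one extension to >= min_files files spread
    over >= min_dirs directories; record whether it also registered a shell
    class for that extension (a strong corroborating signal)."""
    per_proc: Dict[Tuple[int, str], Counter] = defaultdict(Counter)
    dirs: Dict[Tuple[int, str, str], Set[str]] = defaultdict(set)
    for r in renames:
        ext = added_extension(r.old_path, r.new_path)
        if ext is None:
            continue
        per_proc[(r.pid, r.image)][ext] += 1
        dirs[(r.pid, r.image, ext)].add(ntpath.dirname(r.old_path).lower())
    classes = registered_extensions(reg_events)
    findings = []
    for (pid, image), counts in per_proc.items():
        ext, n = counts.most_common(1)[0]
        ndirs = len(dirs[(pid, image, ext)])
        if n >= min_files and ndirs >= min_dirs:
            findings.append({"pid": pid, "image": image, "extension": ext,
                             "files": n, "directories": ndirs,
                             "registered_class": ext.lower() in classes.get(pid, set())})
    return findings


# Constructed sample telemetry (not taken from the report): 310 renames by
# the Document.doc.scr process spread over six profile folders, each
# appending ".jC7CNxlVt" (assumed to match the class it registers), plus two
# ordinary renames by explorer.exe that must not be flagged.
_FOLDERS = ("Documents", "Pictures", "Desktop", "Downloads", "Music", "Videos")
SAMPLE_RENAMES = [
    FileRename(2412, "Document.doc.scr",
               f"C:\\Users\\Admin\\{_FOLDERS[i % 6]}\\file{i}.docx",
               f"C:\\Users\\Admin\\{_FOLDERS[i % 6]}\\file{i}.docx.jC7CNxlVt")
    for i in range(310)
] + [
    FileRename(1312, "explorer.exe", "C:\\Users\\Admin\\Desktop\\notes.txt",
               "C:\\Users\\Admin\\Desktop\\notes-old.txt"),
    FileRename(1312, "explorer.exe", "C:\\Users\\Admin\\Desktop\\a.bin",
               "C:\\Users\\Admin\\Desktop\\a.bin.bak"),
]
SAMPLE_REG = [
    RegKeyCreate(2412, "Document.doc.scr",
                 "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.jC7CNxlVt"),
    RegKeyCreate(2412, "Document.doc.scr",
                 "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\jC7CNxlVt\\DefaultIcon"),
]

if __name__ == "__main__":
    for finding in detect_rename_burst(SAMPLE_RENAMES, SAMPLE_REG):
        print(finding)
```

The directory-spread condition is what keeps a build tool or backup job that rewrites many files in one folder from firing; the class-registration flag is what separates a ransomware family that wants its icon shown on encrypted files from a bulk renamer.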
Processes
-
C:\Users\Admin\AppData\Local\Temp\Document.doc.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\Document.doc.scr" /S
  PID: 2412
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\ProgramData\26D2.tmp
      Command line: "C:\ProgramData\26D2.tmp"
      PID: 1648
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: RenamesItself
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\26D2.tmp >> NUL
          PID: 2128
          Note: the image is the SysWOW64 cmd.exe although the command line names System32, because the 32-bit parent is subject to WoW64 file-system redirection. C:\PROGRA~3 is the 8.3 short name that resolves here to C:\ProgramData, so this command deletes the parent's own image, which is the behaviour behind the "Deletes itself" signature above.
-
C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x14c
  PID: 276
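The tree above is a common dropper chain: a double-extension lure (`Document.doc.scr`) writes a helper to `C:\ProgramData\26D2.tmp`, which launches `cmd.exe /C DEL /F /Q` against its own image. The following is an added example, not the sandbox's logic, that flags that chain in constructed process-creation events. The `ProcessCreate` fields, the assumed parent PID 1000 for the dropper and the benign `setup.exe` control event are mine. It matches the DEL target to the parent by file name only, because the 8.3 form `C:\PROGRA~3` cannot be expanded offline.

```python
"""Added example: flag 'cmd.exe deletes its parent' chains in constructed
process-creation telemetry. Not the sandbox's code; fields are assumptions."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    ppid: int
    image: str          # on-disk path of the new process
    command_line: str


# "cmd.exe /C DEL /F /Q <path> >> NUL": skip the switches, capture the first
# target (quoted or bare), stop at whitespace or a redirection operator.
_DEL_TARGET = re.compile(r'\bdel\b((?:\s+/[a-z]+)*)\s+("[^"]+"|[^\s>]+)', re.I)

_DOC_EXT = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".rtf"}
_EXE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def del_target(command_line: str) -> Optional[str]:
    """Path passed to DEL in a cmd.exe command line, or None."""
    m = _DEL_TARGET.search(command_line)
    return m.group(2).strip('"') if m else None


def has_document_double_extension(image: str) -> bool:
    """True for Document.doc.scr-style names: a document extension sitting
    directly before an executable extension."""
    base = ntpath.basename(image).lower()
    stem, exe = ntpath.splitext(base)
    return exe in _EXE_EXT and ntpath.splitext(stem)[1] in _DOC_EXT


def find_self_delete_chains(events: List[ProcessCreate]) -> List[dict]:
    """Return one finding per cmd.exe whose DEL target is its parent's image,
    with context about the parent (helper) and grandparent (dropper)."""
    by_pid: Dict[int, ProcessCreate] = {e.pid: e for e in events}
    findings = []
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe":
            continue
        target = del_target(e.command_line)
        parent = by_pid.get(e.ppid)
        if target is None or parent is None:
            continue
        # 8.3 names (C:\PROGRA~3\...) defeat a full-path compare offline, so
        # compare file names only, as a quick triage would.
        if ntpath.basename(target).lower() != ntpath.basename(parent.image).lower():
            continue
        grandparent = by_pid.get(parent.ppid)
        parent_img = parent.image.lower()
        findings.append({
            "cmd_pid": e.pid,
            "deleted": parent.image,
            "dropper": grandparent.image if grandparent else None,
            "tmp_in_programdata": parent_img.startswith("c:\\programdata\\")
                                  and parent_img.endswith(".tmp"),
            "dropper_double_extension": bool(grandparent and
                                             has_document_double_extension(grandparent.image)),
        })
    return findings


# Constructed events mirroring the tree in the report (PIDs 2412, 1648, 2128);
# the dropper's parent PID 1000 and the setup.exe control chain are invented.
SAMPLE_EVENTS = [
    ProcessCreate(2412, 1000, r"C:\Users\Admin\AppData\Local\Temp\Document.doc.scr",
                  r'"C:\Users\Admin\AppData\Local\Temp\Document.doc.scr" /S'),
    ProcessCreate(1648, 2412, r"C:\ProgramData\26D2.tmp", r'"C:\ProgramData\26D2.tmp"'),
    ProcessCreate(2128, 1648, r"C:\Windows\SysWOW64\cmd.exe",
                  r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\26D2.tmp >> NUL'),
    # Benign control: an installer deleting a log file, not its own image.
    ProcessCreate(2900, 1000, r"C:\Temp\setup.exe", r'"C:\Temp\setup.exe"'),
    ProcessCreate(3000, 2900, r"C:\Windows\System32\cmd.exe",
                  r'cmd.exe /c del /q "C:\Temp\setup.log"'),
]

if __name__ == "__main__":
    for finding in find_self_delete_chains(SAMPLE_EVENTS):
        print(finding)
```

Because the helper removes itself, the `26D2.tmp` binary will not be on disk after the run; the only copy an analyst gets is whatever the sandbox captured under Downloads below, so the rule is also a prompt to collect dropped files rather than rely on a post-run disk image.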
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 129B
MD5 51031886034d891708013072a2fefa05
SHA1 f36a278dde8d9bb058fa51c1aff361b54f3361b1
SHA256 82a779d77939f21510b904b403807806c083f44e6ee79eaf10f2fbfe2d3e985b
SHA512 9fb2632e742317371632f93924779c8fef5d171db93f7b83204a649fd5b989949a0a85932664e4be5fba8233bc14c8509f7d22e014f1cf61e87efe7b516619ad
-
Filesize 194KB
MD5 5d340b73c3e034109f3eed4e51ad2bcd
SHA1 ad094889ca08a3f01162cca81ed095159ed48459
SHA256 cd84cc6b730022af2101c14178c3ca591b506dc19c1cc4ec54a6b70d0db70514
SHA512 de23e6f7ce66816df5f2098b45c12f523031c4db8f3c3572ccceeaf48821eaba87159c0501af3ff20a2f869999a95e73b004257aed72ff6ca32710dbe82aa471
-
Filesize 434B
MD5 ad29bd8c66e114ff57c943d16c78f72a
SHA1 5ab070ee89a36f38facae4dfc8ec5ce3e59af46e
SHA256 6fe668fe8bf69158d1fd08e90f3cff60c1df410bf752635bf152853b6112549c
SHA512 a53121e2379aa9c3bc52d073498a54f26383834f6d6636b4b3831010565c80bf0da07511907eab7bd92f9796e559958b1c0ebea4c4b0f0d869e95b7deb5da7f1
-
Filesize 129B
MD5 d9d5575b4826efb38f9b1a854da33839
SHA1 f2e31035b8d94d4032d57109daa0dd3b743a68ec
SHA256 8de1a6d7dd2135455c3218ffea759fb346e6f61c2b02a88edd38232a5d83eaec
SHA512 a17dccce400ab6059e579145480b327bc6d449c48bd3a0eff92dc1994993d200a61ca057c045acd9af6f6a9938c7034363ebe7961a2b43861bc970d7827c7a75
-
Filesize 14KB
MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf