Overview

overview

10

Static

static

10

f2198deecd...e4.exe

windows7-x64

9

f2198deecd...e4.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    27-04-2024 01:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

  • Size

    194KB

  • MD5

    407ea767aa26ae13f9ff20d0999c8dda

  • SHA1

    07e615132ef78e827047ffc4cc6c9d44f5a976fd

  • SHA256

    f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4

  • SHA512

    6c14d07b497af375f2f4db4da321ed7e5fb60a6f26281bcdbfc513eb1033d98442ff83ee58849a721bd7e14a0b7094b98397923c35bd4b6ae91c179784de6b02

  • SSDEEP

    3072:L6glyuxE4GsUPnliByocWepVeKna4iJ0Cv+LmaGqsqRxB:L6gDBGpvEByocWePk4iJ0C2LYcx

Score
9/10
ransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (319) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
    "C:\Users\Admin\AppData\Local\Temp\f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\ProgramData\2240.tmp
      "C:\ProgramData\2240.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2240.tmp >> NUL
        3⤵
          PID:2876
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x148
      1⤵
        PID:1272

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Defacement

      1
      T1491

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini
        Filesize

        129B

        MD5

        26b8da4d9c26094277b622ab50a1f366

        SHA1

        2cd7ba2c60db61774f20c586ac303684fc6696a4

        SHA256

        a0622959cc844fa9cee7ef493b65f93e4922e56ae49f951ae4575489615d8998

        SHA512

        17ec2b1e4b09ddd63a1f5fd3f43db04c48db842e91662a45cae56597874b9dafd08bdff20233089e645a1b75f3da7c3923f1431b114a2caa9c8e4f384ed4fb99

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
        Filesize

        194KB

        MD5

        1c2098ea60085297d0318efe99fd485b

        SHA1

        e56742398bf923b17541d071d9b2c2133a4b1851

        SHA256

        a1b2284423e5e16937427499bcc330b611c4dea3a526aa62b855cada750c2849

        SHA512

        8d7107ce7ddb05c1403fef8fb344916742d26281af1d17cf5bb1fab4afc35cf76083e3f86690b766939f79c9b7aa7033965591822efa5d7ebc2e674ea93c9907

        Download Submit
      • C:\jC7CNxlVt.README.txt
        Filesize

        434B

        MD5

        ad29bd8c66e114ff57c943d16c78f72a

        SHA1

        5ab070ee89a36f38facae4dfc8ec5ce3e59af46e

        SHA256

        6fe668fe8bf69158d1fd08e90f3cff60c1df410bf752635bf152853b6112549c

        SHA512

        a53121e2379aa9c3bc52d073498a54f26383834f6d6636b4b3831010565c80bf0da07511907eab7bd92f9796e559958b1c0ebea4c4b0f0d869e95b7deb5da7f1

        Download Submit
      • F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\DDDDDDDDDDD
        Filesize

        129B

        MD5

        682ec2fdd3c82f3f4ac929535abf32e4

        SHA1

        f3c77b605553fec86bfd13be2913b23a481eba3e

        SHA256

        cce01b03cdd7e74a8149a07975ef3f40ae91376d0807dfafff12f29004e2b0a7

        SHA512

        ccd8402e9d07e7169a4696b7e5d0a36a540620455d8997a00ab55948f2620850df1d48b950eba11eb73d53db4e0387b0c80bc3e74ee27a502e9025d6cc93c13d

        Download Submit
      • \ProgramData\2240.tmp
        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

        Download Submit
      • memory/2192-0-0x00000000007A0000-0x00000000007E0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2764-845-0x000000007EFA0000-0x000000007EFA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2764-846-0x0000000002180000-0x00000000021C0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2764-848-0x000000007EF20000-0x000000007EF21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2764-847-0x000000007EF80000-0x000000007EF81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2764-878-0x000000007EF60000-0x000000007EF61000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2764-877-0x000000007EF40000-0x000000007EF41000-memory.dmp
        Filesize

        4KB

        Download