Overview

overview

10

Static

static

10

f2198deecd...e4.exe

windows7-x64

9

f2198deecd...e4.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-04-2024 01:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe

  • Size

    194KB

  • MD5

    407ea767aa26ae13f9ff20d0999c8dda

  • SHA1

    07e615132ef78e827047ffc4cc6c9d44f5a976fd

  • SHA256

    f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4

  • SHA512

    6c14d07b497af375f2f4db4da321ed7e5fb60a6f26281bcdbfc513eb1033d98442ff83ee58849a721bd7e14a0b7094b98397923c35bd4b6ae91c179784de6b02

  • SSDEEP

    3072:L6glyuxE4GsUPnliByocWepVeKna4iJ0Cv+LmaGqsqRxB:L6gDBGpvEByocWePk4iJ0C2LYcx

Score
9/10
ransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (627) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe
    "C:\Users\Admin\AppData\Local\Temp\f2198deecddd5ae56620b594b6b20bf8a20f9c983d4c60144bc6007a53087ce4.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3508
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:2008
    • C:\ProgramData\A489.tmp
      "C:\ProgramData\A489.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4504
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\A489.tmp >> NUL
        3⤵
          PID:1600
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:4392
      • C:\Windows\system32\printfilterpipelinesvc.exe
        C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
        1⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:3956
        • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
          /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{20E73C22-723D-4E31-AAE5-8986845C736C}.xps" 133586557274550000
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of SetWindowsHookEx
          PID:1332
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:3552

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini
          Filesize

          129B

          MD5

          5ec7f24fd73f2879f2a667f160479885

          SHA1

          116b18f77870ed110589b15f5ce6f9c11c2f2afe

          SHA256

          0e031c18a0f53a3459699522e78d377b9f640b1a491ebcb4c4f3efed726c40d2

          SHA512

          6a3b13dc29307db1fe204f32f3b55ae2f4ff39d141130963fd6b24445c3198861cb3531dd837daadf888d87e89dcbc6f8a9ed4fd11bbc4b8be11226fc8e0eb58

          Download Submit

        • C:\ProgramData\A489.tmp
          Filesize

          14KB

          MD5

          294e9f64cb1642dd89229fff0592856b

          SHA1

          97b148c27f3da29ba7b18d6aee8a0db9102f47c9

          SHA256

          917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

          SHA512

          b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
          Filesize

          194KB

          MD5

          49859ed90c22a06d1c7cf5516537012b

          SHA1

          a09ab802c03b31fbbd6e0fb7fd1ddda33bd2cfb6

          SHA256

          792b588f6e11259dc265560c6848e3854e32f960b41b6742a2fc5071f791ccd7

          SHA512

          61edcfadddc6110976335d919dbbebc8394395088b5d2b67c4aa05a23fc63687157fba93e0c442c7ae00649c62b7eb68a2ea9a81245df84bbe0373805eb2a5e3

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\{EEBF1568-53F4-487C-B8EA-05D96EA2DBFA}
          Filesize

          4KB

          MD5

          3423d91ede142ecebcec2be60704a335

          SHA1

          ad952895bd7495cbfbe571e8eaf76a5cdb1be4f8

          SHA256

          6632ab7736c27c885889474f11de2abc391d375634d7daa58b67c5c625894e7c

          SHA512

          cef0aa62be64f6b2685bc512bb7de359e7eed2129e12708868ff0de8d88784656e9b695925009e802ac54f2f059302359acd2eb7b5fb54962c7e23f417d3be2f

          Download Submit

        • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
          Filesize

          4KB

          MD5

          eeb0d7dd0b9add0e0d312b75c1db9154

          SHA1

          71a376a0ddab278a32145228ede985de74a5250f

          SHA256

          97d7a4d617027ba626e750dfbf18adb2a134c0be71ee9fcec20c4200d2eb19e4

          SHA512

          eceb778ec330f51d6299425d39dc5e9e4f122dcd6b9606308c68f807244483bd37ed72a51128c6758fbd90420ec6359b888af3048deca208533b4f8f4a0963e8

          Download Submit

        • C:\Users\Admin\jC7CNxlVt.README.txt
          Filesize

          434B

          MD5

          ad29bd8c66e114ff57c943d16c78f72a

          SHA1

          5ab070ee89a36f38facae4dfc8ec5ce3e59af46e

          SHA256

          6fe668fe8bf69158d1fd08e90f3cff60c1df410bf752635bf152853b6112549c

          SHA512

          a53121e2379aa9c3bc52d073498a54f26383834f6d6636b4b3831010565c80bf0da07511907eab7bd92f9796e559958b1c0ebea4c4b0f0d869e95b7deb5da7f1

          Download Submit

        • F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\CCCCCCCCCCC
          Filesize

          129B

          MD5

          8f6285c40a546f51ae86793618b0f007

          SHA1

          56d57dd6bf2a33e883739caea4f22daed60911bd

          SHA256

          05a46cb474afb4dfe529124a24b0c74a4e1662dafff7a104b37b9ea5ebcb19bf

          SHA512

          0a74c11c42bd57e9c1561dce57060fbc8ae1613e7e6df078cb27cfebb1009b36ab867fd04e43521b72f84253454dfe3d58ee835f0138eb2b25937673301ad80f

          Download Submit

        • memory/1332-2816-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1332-2818-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1332-2817-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1332-2819-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1332-2820-0x00007FFE8B830000-0x00007FFE8B840000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1332-2853-0x00007FFE89080000-0x00007FFE89090000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1332-2854-0x00007FFE89080000-0x00007FFE89090000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3508-2803-0x00000000028E0000-0x00000000028F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3508-2804-0x00000000028E0000-0x00000000028F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3508-0-0x00000000028E0000-0x00000000028F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3508-1-0x00000000028E0000-0x00000000028F0000-memory.dmp

          Filesize

          64KB

          Download