0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31

General

Target

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Size

146KB
MD5

668e75099ba454fa1cca10da33a9684a
SHA1

0adeef58c872f8fd1143070cff8fb2415a258189
SHA256

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31
SHA512

bbc5a1e3bb0b64b4ae646e0d6dd1651ffa7258db87fe07e365a4cbff09a54cbbf9ee21ea4cf05b9f8e34ea122af85f4fb4b434da38705bee8b8ec9afd0f1b323
SSDEEP

1536:rzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDRM8o9cH789xVqw9sdFoEAUyz:UqJogYkcSNm9V7D/oSHQ9xVqw9sdjAT

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\QFXlqRR7Y.README.txt

Ransom Note

>>>> Your data are stolen and encrypted >>>> Your personal DECRYPTION ID: 39919F8926ED7E7CCE0E4EBB39158AED >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! >>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. >>>> You need contact us and decrypt one file for free with your personal DECRYPTION ID message us for decrypt https://getsession.org/ 05b8d7bdf4c2b1a832b2256eb562f51ad69f2f9d8d274c6dc269cb9be5449fa84c

URLs

https://getsession.org/

Signatures

Renames multiple (361) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2737914667-933161113-3798636211-1000\desktop.ini	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\desktop.ini	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

Modifies registry class 5 IoCs

Processes:

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.QFXlqRR7Y\ = "QFXlqRR7Y"	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QFXlqRR7Y\DefaultIcon	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QFXlqRR7Y	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QFXlqRR7Y\DefaultIcon\ = "C:\\ProgramData\\QFXlqRR7Y.ico"	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.QFXlqRR7Y	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

pid	process
2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeDebugPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: 36	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeImpersonatePrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeIncBasePriorityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeIncreaseQuotaPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: 33	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeManageVolumePrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeProfSingleProcessPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeRestorePrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSystemProfilePrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeTakeOwnershipPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeShutdownPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeDebugPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeBackupPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
Token: SeSecurityPrivilege	2100	0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe

C:\Users\Admin\AppData\Local\Temp\0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe
"C:\Users\Admin\AppData\Local\Temp\0ea60d1ef2e6e5cff1e312e7ecd9df3146ddb87a81ede58fc74987df93288b31.exe"
1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
1⤵
PID:1724

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2737914667-933161113-3798636211-1000\desktop.ini
Filesize
129B

MD5
835595b1cda5efb7f1c3ca5669139964

SHA1
82d1cbc1e2691ed5223dc0460d559f1f5e8e92cc

SHA256
c2773a06128bc4e6f6e9956720aef0eb9802d59bb4ba45aa4b859b3bd3f14e72

SHA512
b4deee2cc91386a97ddd855ab96f232318d4bacb3793425d9ef871ab358e1199b94696daf94be0cfc447b462da6a777c62af99d0c75ac5460ea58b351855da4e

Download Submit
C:\QFXlqRR7Y.README.txt
Filesize
1KB

MD5
6e22daee58eba6034610a2b9c4dc2487

SHA1
fae6829d3e29e71583236bccb9aba185653d34b2

SHA256
5800a5c671ba84d15efdadecb187e91571ae602e54be3e224f64cd974af64d44

SHA512
3d9ef3392792fabaa3831d9f2f140be66b471b2bb59ea9fa672eb4638e8383328fb801d58d5a18f4dd8bdb6edafebb20f7852e0058da6baee1997390a632bed0

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\HHHHHHHHHHH
Filesize
129B

MD5
2110843e1c3b9153fd87230b57db7268

SHA1
18f1f5caa3cfd22175046987e393a8572f97f95b

SHA256
3ef9f15b206a9910f0e0bc43a9ba89f08ef0e7a668177faad1805e71536d6eed

SHA512
275530891ce886ca51ed84d5f0c76f62414323a6a6f19ca4415928ff6ed0951e79eab0c45a19589329e075b7f7c858f4c3aa92af26d97ae49b0475fc72123be8

Download Submit
memory/2100-0-0x0000000000DA0000-0x0000000000DE0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads