Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
- submitted: 30-05-2024 17:49
Behavioral tasks
- behavioral1: Sample l.exe, Resource win7-20231129-en
- behavioral2: Sample l.exe, Resource win10v2004-20240508-en
- behavioral3: Sample l1.exe, Resource win7-20240220-en
- behavioral4: Sample l1.exe, Resource win10v2004-20240508-en
- behavioral5: Sample l2.exe, Resource win7-20240508-en
- behavioral6: Sample l2.exe, Resource win10v2004-20240426-en
General
- Target: l.exe
- Size: 87KB
- MD5: 717e64d5a222ef9b379a59a01e877767
- SHA1: 7f9dd9771f3940773c150075cfc757865f1b2aea
- SHA256: 9777234d1da61e5688278b57971afb217ffd71eeb6bb41f65cc4cabc21ea0a51
- SHA512: 879b519da63dfaa5cc0f585d4858692e07a0dd6c128c88d9d252d4e2def8c3ae6249ed139abb671a0ea128261f8e445aec27b160f1bb67eee19d7af488f8b6e4
- SSDEEP: 1536:poxUsH1uwp6ISs9bFQ+pGfxtP8cY1AZUbhYnY4LY+De5F4rGxwG8JOKhnAjrhjyx:2UsVuc6I1bFZW7xxtnYoY+kKJOKdscg
Malware Config
Signatures
- Renames multiple (316) files with added filename extension
  This suggests ransomware activity, i.e. encrypting all the files on the system.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- resource / yara_rule:
  behavioral1/memory/2232-0-0x0000000000F90000-0x0000000000FBB000-memory.dmp    upx
  behavioral1/memory/2232-401-0x0000000000F90000-0x0000000000FBB000-memory.dmp  upx
- Drops desktop.ini file(s) (2 IoCs)
  description                   ioc                                                                          Process
  File opened for modification  C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini  l.exe
  File opened for modification  F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini  l.exe
- Modifies registry class (5 IoCs)
  description      ioc                                                                                      Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm                                            l.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm\ = "FihqnBxYm"                             l.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon                                 l.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm                                             l.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon\ = "C:\\ProgramData\\FihqnBxYm.ico"  l.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  2232  l.exe
  2232  l.exe
  2232  l.exe
  2232  l.exe
  2232  l.exe
  2232  l.exe
  2232  l.exe
  2232  l.exe
  2232  l.exe
  2232  l.exe
  2232  l.exe
  2232  l.exe
  2232  l.exe
  2232  l.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                           pid   Process
  Token: SeAssignPrimaryTokenPrivilege  2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeDebugPrivilege               2232  l.exe
  Token: 36                             2232  l.exe
  Token: SeImpersonatePrivilege         2232  l.exe
  Token: SeIncBasePriorityPrivilege     2232  l.exe
  Token: SeIncreaseQuotaPrivilege       2232  l.exe
  Token: 33                             2232  l.exe
  Token: SeManageVolumePrivilege        2232  l.exe
  Token: SeProfSingleProcessPrivilege   2232  l.exe
  Token: SeRestorePrivilege             2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeSystemProfilePrivilege       2232  l.exe
  Token: SeTakeOwnershipPrivilege       2232  l.exe
  Token: SeShutdownPrivilege            2232  l.exe
  Token: SeDebugPrivilege               2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeBackupPrivilege              2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
  Token: SeSecurityPrivilege            2232  l.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\l.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\l.exe"
  PID: 2232
  - Drops desktop.ini file(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x14c
  PID: 796
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129B
  MD5: a73744b3a1c53da24c228a2d562b8624
  SHA1: 2475f9cd8242b31a0743bb92b24a170a4568f4e2
  SHA256: 8f25f53f4b23ef056fbe076f8cf9bd4c7c28823ffb8bd5af7f2576e2d4ca2ca4
  SHA512: 00f1c52abcc6530eb602eb87efd9a36924f9ad68cd98c1d8fbc68ffae809b856df65afa3a033a3e0609ca67e0f679235aedf8aa2904783f1a5953fa98f6907ea
- Filesize: 129B
  MD5: 090d6baa508f5e377c2666738eaf5934
  SHA1: 93bb1c403688ab2c87e25abdd2f414ccff3e86be
  SHA256: 3a279bb7b084b1bf9822d36b1fb0c0607959e2e59ec6624399752b1d1a581106
  SHA512: 4872a13f7ee541fd85cee6b1f1526f77366ee1baa3de977cd8ae4c9241c40d25eb2f181172054d7848cac7a84bdd641f4de0f504a557be0340c46930d0af8508