Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
30-05-2024 17:49
Behavioral task
behavioral1
Sample
l.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
l.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
l1.exe
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
l1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
l2.exe
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
l2.exe
Resource
win10v2004-20240426-en
General
-
Target
l.exe
-
Size
87KB
-
MD5
717e64d5a222ef9b379a59a01e877767
-
SHA1
7f9dd9771f3940773c150075cfc757865f1b2aea
-
SHA256
9777234d1da61e5688278b57971afb217ffd71eeb6bb41f65cc4cabc21ea0a51
-
SHA512
879b519da63dfaa5cc0f585d4858692e07a0dd6c128c88d9d252d4e2def8c3ae6249ed139abb671a0ea128261f8e445aec27b160f1bb67eee19d7af488f8b6e4
-
SSDEEP
1536:poxUsH1uwp6ISs9bFQ+pGfxtP8cY1AZUbhYnY4LY+De5F4rGxwG8JOKhnAjrhjyx:2UsVuc6I1bFZW7xxtnYoY+kKJOKdscg
Malware Config
Signatures
-
Renames multiple (316) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral1/memory/2232-0-0x0000000000F90000-0x0000000000FBB000-memory.dmp upx behavioral1/memory/2232-401-0x0000000000F90000-0x0000000000FBB000-memory.dmp upx -
Drops desktop.ini file(s) 2 IoCs
Processes:
l.exedescription ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini l.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini l.exe -
Modifies registry class 5 IoCs
Processes:
l.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm l.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm\ = "FihqnBxYm" l.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon l.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm l.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon\ = "C:\\ProgramData\\FihqnBxYm.ico" l.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
l.exepid Process 2232 l.exe 2232 l.exe 2232 l.exe 2232 l.exe 2232 l.exe 2232 l.exe 2232 l.exe 2232 l.exe 2232 l.exe 2232 l.exe 2232 l.exe 2232 l.exe 2232 l.exe 2232 l.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
l.exedescription pid Process Token: SeAssignPrimaryTokenPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeDebugPrivilege 2232 l.exe Token: 36 2232 l.exe Token: SeImpersonatePrivilege 2232 l.exe Token: SeIncBasePriorityPrivilege 2232 l.exe Token: SeIncreaseQuotaPrivilege 2232 l.exe Token: 33 2232 l.exe Token: SeManageVolumePrivilege 2232 l.exe Token: SeProfSingleProcessPrivilege 2232 l.exe Token: SeRestorePrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeSystemProfilePrivilege 2232 l.exe Token: SeTakeOwnershipPrivilege 2232 l.exe Token: SeShutdownPrivilege 2232 l.exe Token: SeDebugPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeBackupPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe Token: SeSecurityPrivilege 2232 l.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\l.exe"C:\Users\Admin\AppData\Local\Temp\l.exe"1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2232
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x14c1⤵PID:796
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5a73744b3a1c53da24c228a2d562b8624
SHA12475f9cd8242b31a0743bb92b24a170a4568f4e2
SHA2568f25f53f4b23ef056fbe076f8cf9bd4c7c28823ffb8bd5af7f2576e2d4ca2ca4
SHA51200f1c52abcc6530eb602eb87efd9a36924f9ad68cd98c1d8fbc68ffae809b856df65afa3a033a3e0609ca67e0f679235aedf8aa2904783f1a5953fa98f6907ea
-
Filesize
129B
MD5090d6baa508f5e377c2666738eaf5934
SHA193bb1c403688ab2c87e25abdd2f414ccff3e86be
SHA2563a279bb7b084b1bf9822d36b1fb0c0607959e2e59ec6624399752b1d1a581106
SHA5124872a13f7ee541fd85cee6b1f1526f77366ee1baa3de977cd8ae4c9241c40d25eb2f181172054d7848cac7a84bdd641f4de0f504a557be0340c46930d0af8508