Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    30-05-2024 17:49

General

  • Target

    l.exe

  • Size

    87KB

  • MD5

    717e64d5a222ef9b379a59a01e877767

  • SHA1

    7f9dd9771f3940773c150075cfc757865f1b2aea

  • SHA256

    9777234d1da61e5688278b57971afb217ffd71eeb6bb41f65cc4cabc21ea0a51

  • SHA512

    879b519da63dfaa5cc0f585d4858692e07a0dd6c128c88d9d252d4e2def8c3ae6249ed139abb671a0ea128261f8e445aec27b160f1bb67eee19d7af488f8b6e4

  • SSDEEP

    1536:poxUsH1uwp6ISs9bFQ+pGfxtP8cY1AZUbhYnY4LY+De5F4rGxwG8JOKhnAjrhjyx:2UsVuc6I1bFZW7xxtnYoY+kKJOKdscg

Malware Config

Signatures

  • Renames multiple (316) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops desktop.ini file(s) 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\l.exe
    "C:\Users\Admin\AppData\Local\Temp\l.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2232
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:796

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini

      Filesize

      129B

      MD5

      a73744b3a1c53da24c228a2d562b8624

      SHA1

      2475f9cd8242b31a0743bb92b24a170a4568f4e2

      SHA256

      8f25f53f4b23ef056fbe076f8cf9bd4c7c28823ffb8bd5af7f2576e2d4ca2ca4

      SHA512

      00f1c52abcc6530eb602eb87efd9a36924f9ad68cd98c1d8fbc68ffae809b856df65afa3a033a3e0609ca67e0f679235aedf8aa2904783f1a5953fa98f6907ea

    • F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      090d6baa508f5e377c2666738eaf5934

      SHA1

      93bb1c403688ab2c87e25abdd2f414ccff3e86be

      SHA256

      3a279bb7b084b1bf9822d36b1fb0c0607959e2e59ec6624399752b1d1a581106

      SHA512

      4872a13f7ee541fd85cee6b1f1526f77366ee1baa3de977cd8ae4c9241c40d25eb2f181172054d7848cac7a84bdd641f4de0f504a557be0340c46930d0af8508

    • memory/2232-0-0x0000000000F90000-0x0000000000FBB000-memory.dmp

      Filesize

      172KB

    • memory/2232-1-0x00000000008D0000-0x0000000000910000-memory.dmp

      Filesize

      256KB

    • memory/2232-401-0x0000000000F90000-0x0000000000FBB000-memory.dmp

      Filesize

      172KB