Analysis

  • max time kernel
    290s
  • max time network
    282s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-05-2024 17:49

General

  • Target

    l.exe

  • Size

    87KB

  • MD5

    717e64d5a222ef9b379a59a01e877767

  • SHA1

    7f9dd9771f3940773c150075cfc757865f1b2aea

  • SHA256

    9777234d1da61e5688278b57971afb217ffd71eeb6bb41f65cc4cabc21ea0a51

  • SHA512

    879b519da63dfaa5cc0f585d4858692e07a0dd6c128c88d9d252d4e2def8c3ae6249ed139abb671a0ea128261f8e445aec27b160f1bb67eee19d7af488f8b6e4

  • SSDEEP

    1536:poxUsH1uwp6ISs9bFQ+pGfxtP8cY1AZUbhYnY4LY+De5F4rGxwG8JOKhnAjrhjyx:2UsVuc6I1bFZW7xxtnYoY+kKJOKdscg

Malware Config

Signatures

  • Renames multiple (619) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops desktop.ini file(s) 2 IoCs
  • Modifies registry class 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\l.exe
    "C:\Users\Admin\AppData\Local\Temp\l.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4656
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\HHHHHHHHHHH

    Filesize

    129B

    MD5

    b9c886280f8540f2ca84aed7d3535fcd

    SHA1

    9c658306f5e5507cafd9ac73ca36319cb6a741be

    SHA256

    deeeec8b30c834d4ea9cf47c497df729aa574162fd3c057c0d6cc3c28bbd72eb

    SHA512

    3c0669ebd4e22b4b3cbac4ec5f167d52fa024bc46a6f8d3e4e129814ab9e1eacf0d0cf96ce670f8f6ea9d4869022f4664c56adee3dcf66726ffdb8fe85d0a2a4

  • F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\DDDDDDDDDDD

    Filesize

    129B

    MD5

    7efe5e6584ebe79c2e33a144a0aa64f9

    SHA1

    f10277fc684e03a49306701a2d33e67661cf8bf6

    SHA256

    c1c7dd27fc2502360cdc3e4ff0971dbd18a282386b67b3b8413342576eaa2fd1

    SHA512

    cbc8171d9e0f6515a2d15d5854de9e2e9d427723c86e6a7a9c8bd7d829a222cd04933af3095db62f40ce19c4d80b28c26c76b5504f598dfca1003db9bfdce0ab

  • memory/4656-0-0x0000000000070000-0x000000000009B000-memory.dmp

    Filesize

    172KB

  • memory/4656-1-0x0000000000A90000-0x0000000000AA0000-memory.dmp

    Filesize

    64KB

  • memory/4656-2-0x0000000000A90000-0x0000000000AA0000-memory.dmp

    Filesize

    64KB

  • memory/4656-3-0x0000000000A90000-0x0000000000AA0000-memory.dmp

    Filesize

    64KB

  • memory/4656-706-0x0000000000070000-0x000000000009B000-memory.dmp

    Filesize

    172KB