Analysis
- max time kernel: 290s
- max time network: 282s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-05-2024 17:49
Behavioral tasks
- behavioral1: sample l.exe, resource win7-20231129-en
- behavioral2: sample l.exe, resource win10v2004-20240508-en
- behavioral3: sample l1.exe, resource win7-20240220-en
- behavioral4: sample l1.exe, resource win10v2004-20240508-en
- behavioral5: sample l2.exe, resource win7-20240508-en
- behavioral6: sample l2.exe, resource win10v2004-20240426-en
General
- Target: l.exe
- Size: 87KB
- MD5: 717e64d5a222ef9b379a59a01e877767
- SHA1: 7f9dd9771f3940773c150075cfc757865f1b2aea
- SHA256: 9777234d1da61e5688278b57971afb217ffd71eeb6bb41f65cc4cabc21ea0a51
- SHA512: 879b519da63dfaa5cc0f585d4858692e07a0dd6c128c88d9d252d4e2def8c3ae6249ed139abb671a0ea128261f8e445aec27b160f1bb67eee19d7af488f8b6e4
- SSDEEP: 1536:poxUsH1uwp6ISs9bFQ+pGfxtP8cY1AZUbhYnY4LY+De5F4rGxwG8JOKhnAjrhjyx:2UsVuc6I1bFZW7xxtnYoY+kKJOKdscg
Malware Config
Signatures
- Renames multiple (619) files with added filename extension
  This suggests ransomware activity: the sample is encrypting files on the system and appending a new extension to each one.
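Added example, not part of the sandbox report: a detection over file-rename events that flags a process appending one constant extension to many files across several directories and drives, which is the behaviour this signature describes. The event format, the sample lines and the thresholds are assumptions made for the example; only the extension .FihqnBxYm is taken from the registry IoCs later in this report. The thresholds (3 files, 2 directories) are set low so the constructed sample trips them; in production they would be far higher and scoped to a time window.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample rename events in the shape a host sensor would deliver:
# "<pid> <image> <old path> <new path>". The lines are made up for this
# example; only the appended extension .FihqnBxYm comes from the report.
SAMPLE_EVENTS = r"""
4656 l.exe C:\Users\Admin\Documents\budget.xlsx C:\Users\Admin\Documents\budget.xlsx.FihqnBxYm
4656 l.exe C:\Users\Admin\Pictures\cat.jpg C:\Users\Admin\Pictures\cat.jpg.FihqnBxYm
4656 l.exe F:\share\report.docx F:\share\report.docx.FihqnBxYm
4656 l.exe C:\Users\Admin\Desktop\notes.txt C:\Users\Admin\Desktop\notes.txt.FihqnBxYm
1840 OpenWith.exe C:\Users\Admin\Downloads\draft.tmp C:\Users\Admin\Downloads\draft.docx
7001 explorer.exe C:\Users\Admin\Desktop\a.txt C:\Users\Admin\Desktop\b.txt
"""

# Paths in the constructed sample contain no spaces, so a whitespace split is enough.
EVENT_RE = re.compile(r"^(\d+)\s+(\S+)\s+([A-Za-z]:\\\S*)\s+([A-Za-z]:\\\S*)$")


def parse_events(text):
    """Yield (pid, image, old_path, new_path) tuples from the sample format."""
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4)


def appended_extension(old_path, new_path):
    """Return the extension (without the dot) when new_path is exactly
    old_path plus one '.ext' suffix, otherwise None."""
    if not new_path.startswith(old_path + "."):
        return None
    suffix = new_path[len(old_path) + 1:]
    if not suffix or "." in suffix or "\\" in suffix:
        return None
    return suffix


def detect_mass_rename(text, min_files=3, min_dirs=2):
    """Flag processes that append one identical extension to at least
    min_files files spread over at least min_dirs directories."""
    per_proc = defaultdict(lambda: defaultdict(lambda: {"count": 0, "dirs": set(), "drives": set()}))
    for pid, image, old, new in parse_events(text):
        ext = appended_extension(old, new)
        if ext is None:
            continue  # ordinary rename (OpenWith.exe, explorer.exe in the sample)
        p = PureWindowsPath(old)
        stats = per_proc[(pid, image)][ext]
        stats["count"] += 1
        stats["dirs"].add(str(p.parent))
        stats["drives"].add(p.drive)

    alerts = {}
    for proc, by_ext in per_proc.items():
        # Judge each process by its most frequently appended extension.
        ext, stats = max(by_ext.items(), key=lambda kv: kv[1]["count"])
        if stats["count"] >= min_files and len(stats["dirs"]) >= min_dirs:
            alerts[proc] = {
                "extension": ext,
                "files": stats["count"],
                "directories": len(stats["dirs"]),
                "drives": sorted(stats["drives"]),
            }
    return alerts


if __name__ == "__main__":
    for proc, info in detect_mass_rename(SAMPLE_EVENTS).items():
        print(proc, info)
```

Only PID 4656 is reported: it is the one process whose renames share a single appended extension and span more than one directory (and, as in the report's desktop.ini IoCs, more than one drive).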
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Process memory matching YARA rule upx (2 matches)
  resource | yara_rule
  behavioral2/memory/4656-0-0x0000000000070000-0x000000000009B000-memory.dmp | upx
  behavioral2/memory/4656-706-0x0000000000070000-0x000000000009B000-memory.dmp | upx
- Drops desktop.ini file(s) (2 IoCs)
  Process | Description | IoC
  l.exe | File opened for modification | C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini
  l.exe | File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini
  The same per-user Recycle Bin folder is touched on both C: and F:, so the file traversal reaches every attached drive, including recycle-bin directories.
- Modifies registry class (6 IoCs)
  Process | Description | IoC
  OpenWith.exe | Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings
  l.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm
  l.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm\ = "FihqnBxYm"
  l.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon
  l.exe | Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm
  l.exe | Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon\ = "C:\\ProgramData\\FihqnBxYm.ico"
  The five l.exe operations register .FihqnBxYm as a file type (ProgID FihqnBxYm) whose DefaultIcon is C:\ProgramData\FihqnBxYm.ico, the pattern ransomware uses so its renamed files show a custom icon in Explorer. The OpenWith.exe key is the Shell's own "Open with" dialog state, not attacker activity.
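Added example, not the report's or the sample's code: the six registry operations above, in the sandbox's own notation, fed to a small parser that resolves each created extension key under HKLM\SOFTWARE\Classes to its ProgID and DefaultIcon, and flags associations whose icon lives in a user-writable directory or whose ProgID never received a shell\open\command. The USER_WRITABLE_PREFIXES list and the "suspicious" rule are assumptions made for this example; the check itself applies to any such IoC table.

```python
import re

# Registry IoC lines from the "Modifies registry class" signature of this
# report, one operation per line, in the sandbox's notation.
REPORT_REGISTRY_LINES = r"""
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings OpenWith.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm l.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm\ = "FihqnBxYm" l.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon l.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm l.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon\ = "C:\\ProgramData\\FihqnBxYm.ico" l.exe
"""

CLASSES = r"\REGISTRY\MACHINE\SOFTWARE\Classes"
KEY_RE = re.compile(r"^Key created (.+?) (\S+\.exe)$")
# "<key>\<valuename> = "<data>" <process>"; an empty value name is the (Default) value.
SET_RE = re.compile(r'^Set value \((\w+)\) (.+?)\\([^\\\s]*) = "(.*)" (\S+\.exe)$')

# Locations a legitimate installer does not normally use for a file-type icon.
# This list is an assumption for the example; extend it for your environment.
USER_WRITABLE_PREFIXES = (r"c:\programdata", r"c:\users", r"c:\windows\temp")


def parse_registry_ops(text):
    r"""Return (created_keys, values, actors): the set of created keys, the
    values written as {key: {value_name: data}}, and the process per key.
    The sandbox doubles backslashes inside string data, so they are folded."""
    created, values, actors = set(), {}, {}
    for line in text.strip().splitlines():
        m = KEY_RE.match(line)
        if m:
            created.add(m.group(1))
            actors[m.group(1)] = m.group(2)
            continue
        m = SET_RE.match(line)
        if m:
            _kind, key, name, data, proc = m.groups()
            values.setdefault(key, {})[name] = data.replace("\\\\", "\\")
            actors[key] = proc
    return created, values, actors


def file_class_associations(text):
    r"""For every extension key created under HKLM\SOFTWARE\Classes resolve the
    ProgID and its DefaultIcon; mark it suspicious when the icon sits in a
    user-writable path or the ProgID has no shell\open\command."""
    created, values, actors = parse_registry_ops(text)
    findings = []
    for key in sorted(created):
        if not key.startswith(CLASSES + "\\."):
            continue  # not an extension key (e.g. the OpenWith.exe HKCU key)
        ext = key[len(CLASSES) + 1:]
        progid = values.get(key, {}).get("")
        if not progid:
            continue
        icon = values.get(f"{CLASSES}\\{progid}\\DefaultIcon", {}).get("", "")
        has_open_cmd = f"{CLASSES}\\{progid}\\shell\\open\\command" in values
        icon_in_user_path = icon.lower().startswith(USER_WRITABLE_PREFIXES)
        findings.append({
            "extension": ext,
            "progid": progid,
            "icon": icon,
            "process": actors.get(key),
            "suspicious": icon_in_user_path or not has_open_cmd,
        })
    return findings


if __name__ == "__main__":
    for f in file_class_associations(REPORT_REGISTRY_LINES):
        print(f)
```

On a live host the same logic runs over a dump of HKLM\SOFTWARE\Classes; an extension whose ProgID only carries a DefaultIcon pointing into ProgramData, with no open command, is a strong ransomware indicator and the extension string is the one to search for across the file system.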
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: l.exe (PID 4656), 64 identical entries
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Process: l.exe (PID 4656). Privileges enabled, in report order (rows 1-16):
  SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36 (LUID only, name not resolved by the sandbox), SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33 (LUID only, name not resolved), SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege.
  Rows 17-64 repeat the same four-entry pattern twelve times: SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege.
  Note: SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege and SeSecurityPrivilege together let a process open, read and overwrite files regardless of their DACLs, and the repeated re-enabling of SeBackupPrivilege and SeSecurityPrivilege is consistent with a per-file or per-volume loop rather than a one-off setup step.
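Added example, not part of the report: a parser for the table above, written against the sandbox's flattened "Token: <privilege> <pid> <image>" notation, that summarises which privileges PID 4656 enabled, how many times each, which LUIDs the sandbox left unresolved, and whether the set amounts to a file-takeover combination. The embedded excerpt is the first 20 of the 64 entries copied from this page; the FILE_TAKEOVER and TAMPER groupings are this example's assumptions, not a Windows-defined classification.

```python
import re
from collections import Counter

# First 20 of the 64 AdjustPrivilegeToken entries from this report, in the
# sandbox's flattened notation.
REPORT_TOKEN_LINES = (
    "Token: SeAssignPrimaryTokenPrivilege 4656 l.exe Token: SeBackupPrivilege 4656 l.exe "
    "Token: SeDebugPrivilege 4656 l.exe Token: 36 4656 l.exe Token: SeImpersonatePrivilege 4656 l.exe "
    "Token: SeIncBasePriorityPrivilege 4656 l.exe Token: SeIncreaseQuotaPrivilege 4656 l.exe "
    "Token: 33 4656 l.exe Token: SeManageVolumePrivilege 4656 l.exe Token: SeProfSingleProcessPrivilege 4656 l.exe "
    "Token: SeRestorePrivilege 4656 l.exe Token: SeSecurityPrivilege 4656 l.exe Token: SeSystemProfilePrivilege 4656 l.exe "
    "Token: SeTakeOwnershipPrivilege 4656 l.exe Token: SeShutdownPrivilege 4656 l.exe Token: SeDebugPrivilege 4656 l.exe "
    "Token: SeBackupPrivilege 4656 l.exe Token: SeBackupPrivilege 4656 l.exe "
    "Token: SeSecurityPrivilege 4656 l.exe Token: SeSecurityPrivilege 4656 l.exe"
)

TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+?\.exe)")

# Grouping used by this example (an assumption, not a Windows-defined set):
# FILE_TAKEOVER together lets a process read and overwrite any file regardless
# of its DACL; TAMPER covers debugging other processes, volume and shutdown control.
FILE_TAKEOVER = {"SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeSecurityPrivilege"}
TAMPER = {"SeDebugPrivilege", "SeShutdownPrivilege", "SeManageVolumePrivilege"}


def parse_token_events(text):
    """Return (privilege, pid, image) tuples in report order. Entries the
    sandbox could not resolve to a name appear as a bare LUID string ('36')."""
    return [(priv, int(pid), image) for priv, pid, image in TOKEN_RE.findall(text)]


def summarize_privileges(text):
    """Per (pid, image): distinct privileges in first-seen order, number of
    enable calls, per-privilege counts, unresolved LUIDs and a risk verdict."""
    summary = {}
    for priv, pid, image in parse_token_events(text):
        entry = summary.setdefault(
            (pid, image), {"distinct": [], "calls": 0, "unresolved": [], "by_priv": Counter()}
        )
        entry["calls"] += 1
        entry["by_priv"][priv] += 1
        if priv not in entry["distinct"]:
            entry["distinct"].append(priv)
        if priv.isdigit() and priv not in entry["unresolved"]:
            entry["unresolved"].append(priv)

    for entry in summary.values():
        names = set(entry["distinct"])
        entry["file_takeover"] = FILE_TAKEOVER <= names
        entry["tamper"] = sorted(TAMPER & names)
        entry["risk"] = "high" if entry["file_takeover"] and entry["tamper"] else "review"
    return summary


if __name__ == "__main__":
    for proc, entry in summarize_privileges(REPORT_TOKEN_LINES).items():
        print(proc, entry["risk"], entry["distinct"], dict(entry["by_priv"]))
```

The per-privilege counters make the loop pattern visible without reading all 64 rows: in the full table SeBackupPrivilege and SeSecurityPrivilege dominate, while the other privileges are enabled once each at start-up.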
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: OpenWith.exe (PID 1840)
Processes
- C:\Users\Admin\AppData\Local\Temp\l.exe (PID 4656)
  Command line: "C:\Users\Admin\AppData\Local\Temp\l.exe"
  - Drops desktop.ini file(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\OpenWith.exe (PID 1840)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129B
  MD5: b9c886280f8540f2ca84aed7d3535fcd
  SHA1: 9c658306f5e5507cafd9ac73ca36319cb6a741be
  SHA256: deeeec8b30c834d4ea9cf47c497df729aa574162fd3c057c0d6cc3c28bbd72eb
  SHA512: 3c0669ebd4e22b4b3cbac4ec5f167d52fa024bc46a6f8d3e4e129814ab9e1eacf0d0cf96ce670f8f6ea9d4869022f4664c56adee3dcf66726ffdb8fe85d0a2a4
- Filesize: 129B
  MD5: 7efe5e6584ebe79c2e33a144a0aa64f9
  SHA1: f10277fc684e03a49306701a2d33e67661cf8bf6
  SHA256: c1c7dd27fc2502360cdc3e4ff0971dbd18a282386b67b3b8413342576eaa2fd1
  SHA512: cbc8171d9e0f6515a2d15d5854de9e2e9d427723c86e6a7a9c8bd7d829a222cd04933af3095db62f40ce19c4d80b28c26c76b5504f598dfca1003db9bfdce0ab