Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 17:49
Behavioral tasks
- behavioral1: l.exe on win7-20231129-en
- behavioral2: l.exe on win10v2004-20240508-en
- behavioral3: l1.exe on win7-20240220-en (the run covered by this report)
- behavioral4: l1.exe on win10v2004-20240508-en
- behavioral5: l2.exe on win7-20240508-en
- behavioral6: l2.exe on win10v2004-20240426-en
General
Target: l1.exe
Size: 145KB
MD5: 05fa05bbba51c9fd5f2421f3fe2e2998
SHA1: e7fdbb0621abb858cdd31ad94118ca575aa8fe24
SHA256: b9d6537c7531a0592a4ec46a52c84108b9d5110ed947cec8ddb2fda4b771899b
SHA512: 399004699bdacc815eeb5609fba3e81e3866c839766feb0fdd1aa8e1d7746405da2f90414deb17dc592982cf24c468c106d263bb167499c443bffe6ce357bd55
SSDEEP: 1536:azICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDtCYU0GsvgtwjECrozUYj3PeAU8:pqJogYkcSNm9V7DtCCGsg+AmYylQhTTJ
Malware Config
Signatures
- Renames multiple (324) files with added filename extension
  Renaming hundreds of files by appending a new extension is the file-system footprint of ransomware that encrypts files in place and marks each one. The rename on its own does not prove the contents were changed; confirm by comparing a renamed file's header or entropy against a known-good copy of the original.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers target stored browser data, which can include saved credentials. A ransomware walk over the user profile also opens these same directories, so on its own this signature does not establish credential theft.
- Drops desktop.ini file(s) (2 IoCs)
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini (l1.exe)
  File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini (l1.exe)
  Both hits are the Recycle Bin desktop.ini of the same user SID, on the C: and F: volumes, so the sample walks every mounted drive rather than only the system drive.
- Modifies registry class (5 IoCs)
  Key created:     \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm (l1.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm\ = "FihqnBxYm" (l1.exe)
  Key created:     \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm (l1.exe)
  Key created:     \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon (l1.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon\ = "C:\\ProgramData\\FihqnBxYm.ico" (l1.exe)
  Together these register .FihqnBxYm as a file type whose ProgID is FihqnBxYm and whose icon is an .ico placed in C:\ProgramData, so every file carrying that extension (presumably the one appended by the renames above) shows a custom icon in Explorer. Writing under HKLM\SOFTWARE\Classes needs administrative rights, so the sample ran elevated. Both the .FihqnBxYm key and the C:\ProgramData\FihqnBxYm.ico path are usable as host-based IoCs.
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid 840, l1.exe (14 occurrences)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  All 64 entries are pid 840, l1.exe. The first 16 enable, in order: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, LUID 36 (not resolved to a name by the sandbox), SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, LUID 33 (unresolved), SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege. The remaining 48 are twelve repeats of the sequence SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege.
  SeBackupPrivilege and SeRestorePrivilege let a process open files for reading and writing regardless of their ACLs, and SeTakeOwnershipPrivilege lets it take over objects it still cannot open; this is how ransomware reaches files its user would otherwise be denied. AdjustTokenPrivileges can only enable privileges the token already holds, never add new ones, so these calls have effect only because l1.exe is already running with an administrative token (the HKLM writes above confirm it is). The repeated SeBackup/SeSecurity pairs are consistent with the privileges being re-enabled before each traversal pass.
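The three signatures above (mass rename with one added extension, a new file class registered under SOFTWARE\Classes with an icon in a user-writable directory, and a privilege set that bypasses file ACLs) can be turned into detection logic over behavioural events. The following is an added example written for this page, not the sandbox's own code or signature definitions. It runs over a small set of constructed event lines modelled on the IoC tables in this report; the explorer.exe rename and the AUDIODG.EXE privilege line are hypothetical benign noise, the rename threshold of 10 and the list of user-writable icon locations are assumptions, and the registry matcher is written to accept HKCU-style Classes keys as well as the HKLM keys this report shows.

```python
import re
from collections import Counter, defaultdict

# Constructed events modelled on this report's IoC tables (not the sandbox's
# raw log): (pid, process, event kind, detail). The explorer.exe rename and the
# AUDIODG.EXE privilege line are hypothetical benign noise.
EVENTS = [
    (840, "l1.exe", "priv", "SeBackupPrivilege"),
    (840, "l1.exe", "priv", "SeRestorePrivilege"),
    (840, "l1.exe", "priv", "SeTakeOwnershipPrivilege"),
    (840, "l1.exe", "priv", "SeSecurityPrivilege"),
    (840, "l1.exe", "reg_set", r"\REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm\ = FihqnBxYm"),
    (840, "l1.exe", "reg_set", r"\REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon\ = C:\ProgramData\FihqnBxYm.ico"),
    (1496, "AUDIODG.EXE", "priv", "SeIncreaseQuotaPrivilege"),
    (2000, "explorer.exe", "rename", r"C:\Users\Admin\Desktop\notes.txt -> C:\Users\Admin\Desktop\notes.txt.bak"),
] + [
    (840, "l1.exe", "rename",
     rf"C:\Users\Admin\Documents\file{i}.docx -> C:\Users\Admin\Documents\file{i}.docx.FihqnBxYm")
    for i in range(12)
]

RENAME_RE = re.compile(r"^(?P<old>.+?) -> (?P<new>.+)$")
CLASSES = r"^\\REGISTRY\\(?:MACHINE|USER\\[^\\]+)\\SOFTWARE\\Classes\\"
EXT_CLASS_RE = re.compile(CLASSES + r"(?P<ext>\.[^\\]+)\\ = (?P<progid>\S+)$", re.I)
ICON_RE = re.compile(CLASSES + r"(?P<progid>[^\\.][^\\]*)\\DefaultIcon\\ = (?P<icon>.+)$", re.I)
# Assumption: icon locations a non-admin user can write to (where a dropped .ico would live).
USER_WRITABLE = ("c:\\programdata", "c:\\users\\")
# Privileges that let a process read, write or take over files regardless of their ACLs.
ACL_BYPASS = {"SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege"}


def added_extension(old, new):
    """Extension appended to `old` if `new` is exactly `old` + '.ext', else None."""
    suffix = new[len(old) + 1:]
    if new.startswith(old + ".") and suffix and "." not in suffix and "\\" not in suffix:
        return suffix
    return None


def mass_renames(events, threshold=10):
    """(pid, process) -> (extension, count) where one process appended the same
    extension to at least `threshold` files (the threshold is an assumption)."""
    per_proc = defaultdict(Counter)
    for pid, proc, kind, detail in events:
        m = RENAME_RE.match(detail) if kind == "rename" else None
        if m and (ext := added_extension(m["old"], m["new"])):
            per_proc[(pid, proc)][ext] += 1
    hits = {}
    for key, counts in per_proc.items():
        ext, n = counts.most_common(1)[0]
        if n >= threshold:
            hits[key] = (ext, n)
    return hits


def new_file_classes(events):
    """(pid, process) -> new extensions registered under SOFTWARE\\Classes, each
    joined with the DefaultIcon value set for the same ProgID."""
    ext_to_progid, icons = defaultdict(dict), defaultdict(dict)
    for pid, proc, kind, detail in events:
        if kind != "reg_set":
            continue
        if m := EXT_CLASS_RE.match(detail):
            ext_to_progid[(pid, proc)][m["ext"].lower()] = m["progid"]
        elif m := ICON_RE.match(detail):
            icons[(pid, proc)][m["progid"].lower()] = m["icon"]
    out = defaultdict(list)
    for key, mapping in ext_to_progid.items():
        for ext, progid in mapping.items():
            icon = icons[key].get(progid.lower())
            out[key].append({"ext": ext, "progid": progid, "icon": icon,
                             "icon_user_writable": bool(icon) and icon.lower().startswith(USER_WRITABLE)})
    return dict(out)


def acl_bypass_privs(events):
    """(pid, process) -> sorted ACL-bypassing privileges the process enabled."""
    privs = defaultdict(set)
    for pid, proc, kind, detail in events:
        if kind == "priv" and detail in ACL_BYPASS:
            privs[(pid, proc)].add(detail)
    return {k: sorted(v) for k, v in privs.items()}


def ransomware_like(events, threshold=10):
    """Correlate the three signals per process: mass rename with one extension,
    registration of that extension as a file class, and ACL-bypass privileges."""
    renames, classes, privs = mass_renames(events, threshold), new_file_classes(events), acl_bypass_privs(events)
    verdicts = {}
    for key, (ext, n) in renames.items():
        registered = any(c["ext"] == "." + ext.lower() for c in classes.get(key, []))
        verdicts[key] = {"extension": ext, "renamed": n, "registered_file_class": registered,
                         "acl_bypass_privileges": privs.get(key, [])}
    return verdicts


if __name__ == "__main__":
    for (pid, proc), v in ransomware_like(EVENTS).items():
        print(f"{proc} (pid {pid}): {v}")
```

Only l1.exe trips the correlated verdict: explorer.exe's single .bak rename stays below the threshold, and AUDIODG.EXE enables no ACL-bypassing privilege. The file-class check is what separates a backup tool (which also renames many files) from this sample, since a benign tool has no reason to register its output extension with a custom icon dropped in ProgramData.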
Processes
- C:\Users\Admin\AppData\Local\Temp\l1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\l1.exe"
  PID: 840
  - Drops desktop.ini file(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x14c
  PID: 1496
  Windows Audio Device Graph Isolation, listed at the top level of the tree rather than as a child of l1.exe; no signatures are attached to it.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129B
  MD5: b3cbabb30f61d3e3e728b28b310dfa9b
  SHA1: 85282b6011a4b2b955c41afee65de7fedd205fdc
  SHA256: 5974a67d1b3cda8940bace22c4d04c32a8636148ac9b71f6ae60b4b3c835b07c
  SHA512: 951f365567e59451808aa8975c8a75b5e42eea403859e7ddbb844a4aae76524ca53cdd4ed93cc2f8b7db8de8441011ef6c44205c8dbd82fc632e1df685880cac
- Filesize: 129B
  MD5: 5a2237adb02884543be92498d164cb48
  SHA1: bbfbcf5c29a03d55d674e5a4d66daca40bb5bb1a
  SHA256: 11c3b0444c512ae4af86a95e3d3da9b3425f6b4cdf2660ced83123348193db6a
  SHA512: 6c4ec497387da94834568a5ed930ae1da8d800c885ff97b3c8dbdbe95800374b85bc6d687246787b627edda444bdc3c08fa142ef130d2c160f4501f06abbf00a
Both files are 129 bytes, the size of the stock $Recycle.Bin desktop.ini, so they are plausibly the two desktop.ini files l1.exe opened for modification. Their hashes differ, so the two contents are not identical, which is what in-place encryption of two identical originals would produce. Confirm by downloading one and checking whether it still begins with [.ShellClassInfo].