Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    30-05-2024 17:49

General

  • Target

    l1.exe

  • Size

    145KB

  • MD5

    05fa05bbba51c9fd5f2421f3fe2e2998

  • SHA1

    e7fdbb0621abb858cdd31ad94118ca575aa8fe24

  • SHA256

    b9d6537c7531a0592a4ec46a52c84108b9d5110ed947cec8ddb2fda4b771899b

  • SHA512

    399004699bdacc815eeb5609fba3e81e3866c839766feb0fdd1aa8e1d7746405da2f90414deb17dc592982cf24c468c106d263bb167499c443bffe6ce357bd55

  • SSDEEP

    1536:azICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDtCYU0GsvgtwjECrozUYj3PeAU8:pqJogYkcSNm9V7DtCCGsg+AmYylQhTTJ

Malware Config

Signatures

  • Renames multiple (324) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\l1.exe
    "C:\Users\Admin\AppData\Local\Temp\l1.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:840
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:1496

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini

      Filesize

      129B

      MD5

      b3cbabb30f61d3e3e728b28b310dfa9b

      SHA1

      85282b6011a4b2b955c41afee65de7fedd205fdc

      SHA256

      5974a67d1b3cda8940bace22c4d04c32a8636148ac9b71f6ae60b4b3c835b07c

      SHA512

      951f365567e59451808aa8975c8a75b5e42eea403859e7ddbb844a4aae76524ca53cdd4ed93cc2f8b7db8de8441011ef6c44205c8dbd82fc632e1df685880cac

    • F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\GGGGGGGGGGG

      Filesize

      129B

      MD5

      5a2237adb02884543be92498d164cb48

      SHA1

      bbfbcf5c29a03d55d674e5a4d66daca40bb5bb1a

      SHA256

      11c3b0444c512ae4af86a95e3d3da9b3425f6b4cdf2660ced83123348193db6a

      SHA512

      6c4ec497387da94834568a5ed930ae1da8d800c885ff97b3c8dbdbe95800374b85bc6d687246787b627edda444bdc3c08fa142ef130d2c160f4501f06abbf00a

    • memory/840-0-0x00000000000E0000-0x0000000000120000-memory.dmp

      Filesize

      256KB