Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
30-05-2024 17:49
Behavioral task
behavioral1
Sample
l.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
l.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
l1.exe
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
l1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
l2.exe
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
l2.exe
Resource
win10v2004-20240426-en
General
-
Target
l1.exe
-
Size
145KB
-
MD5
05fa05bbba51c9fd5f2421f3fe2e2998
-
SHA1
e7fdbb0621abb858cdd31ad94118ca575aa8fe24
-
SHA256
b9d6537c7531a0592a4ec46a52c84108b9d5110ed947cec8ddb2fda4b771899b
-
SHA512
399004699bdacc815eeb5609fba3e81e3866c839766feb0fdd1aa8e1d7746405da2f90414deb17dc592982cf24c468c106d263bb167499c443bffe6ce357bd55
-
SSDEEP
1536:azICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDtCYU0GsvgtwjECrozUYj3PeAU8:pqJogYkcSNm9V7DtCCGsg+AmYylQhTTJ
Malware Config
Signatures
-
Renames multiple (324) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
l1.exedescription ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini l1.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini l1.exe -
Modifies registry class 5 IoCs
Processes:
l1.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon\ = "C:\\ProgramData\\FihqnBxYm.ico" l1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm l1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm\ = "FihqnBxYm" l1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon l1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm l1.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
l1.exepid Process 840 l1.exe 840 l1.exe 840 l1.exe 840 l1.exe 840 l1.exe 840 l1.exe 840 l1.exe 840 l1.exe 840 l1.exe 840 l1.exe 840 l1.exe 840 l1.exe 840 l1.exe 840 l1.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
l1.exedescription pid Process Token: SeAssignPrimaryTokenPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeDebugPrivilege 840 l1.exe Token: 36 840 l1.exe Token: SeImpersonatePrivilege 840 l1.exe Token: SeIncBasePriorityPrivilege 840 l1.exe Token: SeIncreaseQuotaPrivilege 840 l1.exe Token: 33 840 l1.exe Token: SeManageVolumePrivilege 840 l1.exe Token: SeProfSingleProcessPrivilege 840 l1.exe Token: SeRestorePrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeSystemProfilePrivilege 840 l1.exe Token: SeTakeOwnershipPrivilege 840 l1.exe Token: SeShutdownPrivilege 840 l1.exe Token: SeDebugPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeBackupPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe Token: SeSecurityPrivilege 840 l1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\l1.exe"C:\Users\Admin\AppData\Local\Temp\l1.exe"1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x14c1⤵PID:1496
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD5b3cbabb30f61d3e3e728b28b310dfa9b
SHA185282b6011a4b2b955c41afee65de7fedd205fdc
SHA2565974a67d1b3cda8940bace22c4d04c32a8636148ac9b71f6ae60b4b3c835b07c
SHA512951f365567e59451808aa8975c8a75b5e42eea403859e7ddbb844a4aae76524ca53cdd4ed93cc2f8b7db8de8441011ef6c44205c8dbd82fc632e1df685880cac
-
Filesize
129B
MD55a2237adb02884543be92498d164cb48
SHA1bbfbcf5c29a03d55d674e5a4d66daca40bb5bb1a
SHA25611c3b0444c512ae4af86a95e3d3da9b3425f6b4cdf2660ced83123348193db6a
SHA5126c4ec497387da94834568a5ed930ae1da8d800c885ff97b3c8dbdbe95800374b85bc6d687246787b627edda444bdc3c08fa142ef130d2c160f4501f06abbf00a