Analysis
-
max time kernel
143s -
max time network
202s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
30-05-2024 17:49
Behavioral task
behavioral1
Sample
l.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
l.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
l1.exe
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
l1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
l2.exe
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
l2.exe
Resource
win10v2004-20240426-en
General
-
Target
l1.exe
-
Size
145KB
-
MD5
05fa05bbba51c9fd5f2421f3fe2e2998
-
SHA1
e7fdbb0621abb858cdd31ad94118ca575aa8fe24
-
SHA256
b9d6537c7531a0592a4ec46a52c84108b9d5110ed947cec8ddb2fda4b771899b
-
SHA512
399004699bdacc815eeb5609fba3e81e3866c839766feb0fdd1aa8e1d7746405da2f90414deb17dc592982cf24c468c106d263bb167499c443bffe6ce357bd55
-
SSDEEP
1536:azICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDtCYU0GsvgtwjECrozUYj3PeAU8:pqJogYkcSNm9V7DtCCGsg+AmYylQhTTJ
Malware Config
Signatures
-
Renames multiple (621) files with added filename extension
This suggests ransomware activity: files across the system are being encrypted and renamed with an added extension.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
-
Drops desktop.ini file(s) 2 IoCs
Processes: l1.exe
description | ioc | Process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini | l1.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\desktop.ini | l1.exe
-
Modifies registry class 5 IoCs
Processes: l1.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon\ = "C:\\ProgramData\\FihqnBxYm.ico" | l1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm | l1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm\ = "FihqnBxYm" | l1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon | l1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm | l1.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: l1.exe
pid | Process
2200 | l1.exe (the same entry is reported 64 times)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: l1.exe
description | pid | Process
Token: SeAssignPrimaryTokenPrivilege | 2200 | l1.exe
Token: SeBackupPrivilege | 2200 | l1.exe
Token: SeDebugPrivilege | 2200 | l1.exe
Token: 36 (LUID not resolved by the sandbox; 36 is SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE in winnt.h) | 2200 | l1.exe
Token: SeImpersonatePrivilege | 2200 | l1.exe
Token: SeIncBasePriorityPrivilege | 2200 | l1.exe
Token: SeIncreaseQuotaPrivilege | 2200 | l1.exe
Token: 33 (LUID not resolved by the sandbox; 33 is SE_INC_WORKING_SET_PRIVILEGE in winnt.h) | 2200 | l1.exe
Token: SeManageVolumePrivilege | 2200 | l1.exe
Token: SeProfSingleProcessPrivilege | 2200 | l1.exe
Token: SeRestorePrivilege | 2200 | l1.exe
Token: SeSecurityPrivilege | 2200 | l1.exe
Token: SeSystemProfilePrivilege | 2200 | l1.exe
Token: SeTakeOwnershipPrivilege | 2200 | l1.exe
Token: SeShutdownPrivilege | 2200 | l1.exe
Token: SeDebugPrivilege | 2200 | l1.exe
The following four entries then repeat twelve times (48 IoCs):
Token: SeBackupPrivilege | 2200 | l1.exe
Token: SeBackupPrivilege | 2200 | l1.exe
Token: SeSecurityPrivilege | 2200 | l1.exe
Token: SeSecurityPrivilege | 2200 | l1.exe
Totals across the 64 entries: SeBackupPrivilege 25, SeSecurityPrivilege 25, SeDebugPrivilege 2, every other privilege once. SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege together let a process read, write and take ownership of files regardless of their ACLs, and the repeated SeBackup/SeSecurity adjustments are consistent with the privilege being toggled around each file operation.
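The registry-class and privilege-token IoCs above can be triaged mechanically. The Python below is an added example, not the sandbox's signature logic and not code from the sample: it transcribes the IoC lines from this report as constructed input, reconstructs the .FihqnBxYm -> FihqnBxYm -> DefaultIcon registration chain, and tallies the 64 token adjustments. The ProgramData/Users path check, the count thresholds and the "ACL-bypass set" grouping are this example's own heuristics; the names for the unresolved LUIDs 33 and 36 come from the well-known privilege constants in winnt.h.

```python
"""Triage of the registry-class and AdjustPrivilegeToken IoCs from the report.

Added example. The inputs are transcribed from this page; the scoring rules
are this example's own assumptions, not the sandbox's signatures.
"""
import re
from collections import Counter

# Constructed from the "Modifies registry class" entries on this page.
REGISTRY_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon\ = "C:\\ProgramData\\FihqnBxYm.ico"',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm\ = "FihqnBxYm"',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm',
]

# The 64 AdjustPrivilegeToken entries as listed on this page: 16 distinct
# adjustments, then the SeBackup/SeSecurity pattern repeated twelve times.
TOKEN_IOCS = [
    "SeAssignPrimaryTokenPrivilege", "SeBackupPrivilege", "SeDebugPrivilege", "36",
    "SeImpersonatePrivilege", "SeIncBasePriorityPrivilege", "SeIncreaseQuotaPrivilege", "33",
    "SeManageVolumePrivilege", "SeProfSingleProcessPrivilege", "SeRestorePrivilege",
    "SeSecurityPrivilege", "SeSystemProfilePrivilege", "SeTakeOwnershipPrivilege",
    "SeShutdownPrivilege", "SeDebugPrivilege",
] + ["SeBackupPrivilege", "SeBackupPrivilege", "SeSecurityPrivilege", "SeSecurityPrivilege"] * 12

# Well-known privilege LUIDs (winnt.h) for the two entries the sandbox left numeric.
WELL_KNOWN_LUIDS = {
    "33": "SeIncreaseWorkingSetPrivilege",             # SE_INC_WORKING_SET_PRIVILEGE
    "36": "SeDelegateSessionUserImpersonatePrivilege",  # SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE
}

CLASSES_PREFIX = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"
SET_VALUE_RE = re.compile(r'^Set value \(\w+\) (?P<key>.+?) = "(?P<value>.*)"$')


def extension_registrations(lines):
    """Rebuild HKCR\\.ext -> ProgID -> ProgID\\DefaultIcon from 'Set value' IoC lines.

    Returns {".ext": {"progid": ..., "icon": ...}}.
    """
    ext_to_progid, progid_to_icon = {}, {}
    for line in lines:
        m = SET_VALUE_RE.match(line)
        if not m or not m.group("key").startswith(CLASSES_PREFIX):
            continue
        rel = m.group("key")[len(CLASSES_PREFIX):]       # '.FihqnBxYm\' or 'FihqnBxYm\DefaultIcon\'
        parts = [p for p in rel.split("\\") if p]         # trailing '\' means the key's (Default) value
        value = m.group("value").replace("\\\\", "\\")    # undo the report's backslash escaping
        if len(parts) == 1 and parts[0].startswith("."):
            ext_to_progid[parts[0]] = value
        elif len(parts) == 2 and parts[1].lower() == "defaulticon":
            progid_to_icon[parts[0]] = value
    return {ext: {"progid": progid, "icon": progid_to_icon.get(progid)}
            for ext, progid in ext_to_progid.items()}


def icon_registration_findings(registrations):
    """Heuristic (assumption of this example): a new extension whose ProgID is the
    extension name itself and whose DefaultIcon sits in a user-writable directory
    is the shape ransomware uses to give every renamed file its own icon."""
    user_writable = ("c:\\programdata\\", "c:\\users\\")
    findings = []
    for ext, info in registrations.items():
        icon = (info["icon"] or "").lower()
        if info["progid"] == ext.lstrip(".") and icon.startswith(user_writable):
            findings.append(f"{ext} -> {info['progid']} with DefaultIcon {info['icon']}")
    return findings


def privilege_summary(tokens):
    """Count the AdjustTokenPrivileges entries, resolving numeric LUIDs to names."""
    return Counter(WELL_KNOWN_LUIDS.get(t, t) for t in tokens)


def privilege_findings(summary):
    """Heuristics (assumptions of this example): the backup/restore/take-ownership
    trio bypasses file ACLs; dozens of SeBackup/SeSecurity adjustments look like
    per-file toggling in a loop; SeDebug pairs with the process enumeration above."""
    findings = []
    acl_bypass = {"SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege"}
    if acl_bypass <= set(summary):
        findings.append("file-ACL bypass set requested: " + ", ".join(sorted(acl_bypass)))
    if summary["SeBackupPrivilege"] >= 10 and summary["SeSecurityPrivilege"] >= 10:
        findings.append(f"SeBackupPrivilege x{summary['SeBackupPrivilege']} / "
                        f"SeSecurityPrivilege x{summary['SeSecurityPrivilege']}: "
                        "repeated toggling consistent with per-file ACL-bypassing access")
    if summary["SeDebugPrivilege"]:
        findings.append("SeDebugPrivilege requested (cf. EnumeratesProcesses above)")
    return findings


if __name__ == "__main__":
    regs = extension_registrations(REGISTRY_IOCS)
    for f in icon_registration_findings(regs) + privilege_findings(privilege_summary(TOKEN_IOCS)):
        print("[!]", f)
```

Run as-is it prints one registry finding (the .FihqnBxYm registration pointing at C:\ProgramData\FihqnBxYm.ico) and three privilege findings; feed it the "Set value" and "Token:" columns of another report to reuse the same checks.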
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
129B
MD5
c3d61ce26597b835a057b041a1f9c477
SHA1
70eb155e1b8cfa30c7b4432985a41801be2af243
SHA256
bb9a152b0194b77ee262d3655b2fa1db8c1cae9ed81199ac9ca251bfb3028e61
SHA512
ae89d501bac7098ccda1a673d965ae4fd40ba07d08db2c7fe092e7109b385f640a347bc0b8ad4adbb20759e1ed175e5ce10c6bbfa69f4244636c621219e086e0
-
Filesize
129B
MD5
0d6d40f4abc25bf7141670302e969bf2
SHA1
f4474246d2d515c704f955333cc869119ea072a1
SHA256
2d1a87c59ea75a33510f8c0f035e9f45465fba92eedf07252accb0d740ad80fb
SHA512
729b13ed2940362d7db0265183fe278b10e7951bdf8dd025d8e31663c7ab49ad0d36dfbc35975118d3734c1a271e7f7d53859fa8ff676214d871c079c642dec0