Analysis
- max time kernel: 92s
- max time network: 203s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-05-2024 17:49
Behavioral tasks
- behavioral1: Sample l.exe, Resource win7-20231129-en
- behavioral2: Sample l.exe, Resource win10v2004-20240508-en
- behavioral3: Sample l1.exe, Resource win7-20240220-en
- behavioral4: Sample l1.exe, Resource win10v2004-20240508-en
- behavioral5: Sample l2.exe, Resource win7-20240508-en
- behavioral6: Sample l2.exe, Resource win10v2004-20240426-en
General
- Target: l2.exe
- Size: 145KB
- MD5: 76b23dd72a883d8b1302bb4a514b7967
- SHA1: 338e19e8a3615c29d8a825ebba66cf55fa0caa2c
- SHA256: 311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86
- SHA512: 39d98f914ec9d8551a894306163bc726f035f9228f3f198de78555988cea5a7b423be8c2a19913c76b996220a81a9b3a257b7f0af67913aa8a50b77321b17735
- SSDEEP: 1536:azICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDtCYU0GsvgtwjECrozUYj3PeAU2:pqJogYkcSNm9V7DtCCGsg+AmYylQhTT
Malware Config
Signatures
- Renames multiple (620) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  Process: l2.exe
  File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini (l2.exe)
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini (l2.exe)
- Modifies registry class (5 IoCs)
  Process: l2.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm (l2.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm\ = "FihqnBxYm" (l2.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon (l2.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm (l2.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon\ = "C:\\ProgramData\\FihqnBxYm.ico" (l2.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: l2.exe
  pid 5104 l2.exe (the same pid/process for all 64 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Process: l2.exe (pid 5104); every entry below is for pid 5104 l2.exe
  Token: SeAssignPrimaryTokenPrivilege
  Token: SeBackupPrivilege
  Token: SeDebugPrivilege
  Token: 36
  Token: SeImpersonatePrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeIncreaseQuotaPrivilege
  Token: 33
  Token: SeManageVolumePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeRestorePrivilege
  Token: SeSecurityPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  The remaining entries alternate in pairs between SeBackupPrivilege and SeSecurityPrivilege (all pid 5104 l2.exe).
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129B
  MD5: c878351aadf1c384aac687fc724eb6b8
  SHA1: 18de4ace7056d9e1e06c78f9f81b5e05ddfaf55c
  SHA256: 88d0fca113bca7d1d7bc347c2d612b31f64250a7a1fd6dcfa900dce15db6ab08
  SHA512: bdb49098dc22ec722639df4dbfd92c372e40a0ae49c276a59cf356a3a225f9fb35859548c713cdd9d2313e821078e5654946e01eabc43789e1964401149b593d
- Filesize: 129B
  MD5: b83b8e39aaa06156af1d07214d9608d3
  SHA1: 480f44193864f123ca82b4e22dc348742d5a8144
  SHA256: dc372d853eca56995898bb2694bc1e659121cb11717c2a2afc94e745af5ebb56
  SHA512: db381df0223c57a82dc5cfd9ef265eb96a1b7b8bd93ec3da6754d188cdbb038bf73d3c9f615a0c8d6f1d4ac3cf5136e7300c04597130533bb60f5ca3d302b225