Analysis
-
max time kernel
117s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
30-05-2024 18:00
Behavioral tasks
task          Sample   Resource
behavioral1   l.exe    win7-20240221-en
behavioral2   l.exe    win10v2004-20240426-en
behavioral3   l1.exe   win7-20240508-en
behavioral4   l1.exe   win10v2004-20240508-en
behavioral5   l2.exe   win7-20240220-en
behavioral6   l2.exe   win10v2004-20240508-en
The General, Signatures and Processes sections below cover behavioral1 only (l.exe on win7-20240221-en, the platform named at the top of the page).
General
-
Target
l.exe
-
Size
87KB
-
MD5
717e64d5a222ef9b379a59a01e877767
-
SHA1
7f9dd9771f3940773c150075cfc757865f1b2aea
-
SHA256
9777234d1da61e5688278b57971afb217ffd71eeb6bb41f65cc4cabc21ea0a51
-
SHA512
879b519da63dfaa5cc0f585d4858692e07a0dd6c128c88d9d252d4e2def8c3ae6249ed139abb671a0ea128261f8e445aec27b160f1bb67eee19d7af488f8b6e4
-
SSDEEP
1536:poxUsH1uwp6ISs9bFQ+pGfxtP8cY1AZUbhYnY4LY+De5F4rGxwG8JOKhnAjrhjyx:2UsVuc6I1bFZW7xxtnYoY+kKJOKdscg
Malware Config
Signatures
-
Renames multiple (324) files with added filename extension
Consistent with ransomware: the sample rewrites files across the system and appends an extension to each one it touches.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
YARA rule match: upx 2 IoCs
resource                                                                        yara_rule
behavioral1/memory/3036-0-0x0000000000CC0000-0x0000000000CEB000-memory.dmp      upx
behavioral1/memory/3036-410-0x0000000000CC0000-0x0000000000CEB000-memory.dmp    upx
The rule hit the same image region of PID 3036 (0x00CC0000-0x00CEB000) at two points in the run, so the sample itself is UPX-packed; static string or import analysis of l.exe needs the unpacked image, not the 87KB file on disk. -
Drops desktop.ini file(s) 2 IoCs
description                    ioc                                                                          Process
File opened for modification   C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini    l.exe
File opened for modification   F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini    l.exe
The F: entry shows the sample walks mounted volumes beyond the system drive, including the per-user recycle bin folder on each. -
Modifies registry class 5 IoCs
description       ioc                                                                                             Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm                                                    l.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon\ = "C:\\ProgramData\\FihqnBxYm.ico"     l.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm                                                   l.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm\ = "FihqnBxYm"                                    l.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon                                        l.exe
Taken together these register .FihqnBxYm as a file type under HKLM\SOFTWARE\Classes, with ProgID FihqnBxYm and a DefaultIcon dropped to C:\ProgramData\FihqnBxYm.ico, so Explorer shows a custom icon on the renamed files. The ProgID, the extension and the .ico path are all usable as host-based indicators. -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid    Process
3036   l.exe   (14 occurrences) -
Suspicious use of AdjustPrivilegeToken 64 IoCs
All 64 entries are for pid 3036, l.exe. Initial enable sequence, in the order reported:
Token: SeAssignPrimaryTokenPrivilege
Token: SeBackupPrivilege
Token: SeDebugPrivilege
Token: 36
Token: SeImpersonatePrivilege
Token: SeIncBasePriorityPrivilege
Token: SeIncreaseQuotaPrivilege
Token: 33
Token: SeManageVolumePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeRestorePrivilege
Token: SeSecurityPrivilege
Token: SeSystemProfilePrivilege
Token: SeTakeOwnershipPrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Followed by 12 repetitions of the cycle SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege (48 entries).
Totals: SeBackupPrivilege 25, SeSecurityPrivilege 25, SeDebugPrivilege 2, every other privilege once. The entries 36 and 33 are privilege LUIDs the sandbox left unresolved, reproduced here as reported.
SeBackupPrivilege and SeRestorePrivilege let a process open files with backup semantics regardless of their ACLs, and SeSecurityPrivilege grants access to SACLs; the repeated Backup/Security pairs after the one-time setup are consistent with a file-walking loop that re-enables them as it goes, which is why file-encrypting malware routinely requests them.
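The three behaviours above (registering a custom extension class, the Backup/Security privilege churn, and mass renames with an appended extension) can be scored from the kind of event lines a sandbox emits. The following is an added example, not code from the sandbox or the report: it builds a constructed event log in an assumed (event, detail, process) tuple shape, copying the registry, desktop.ini and privilege entries from this report, inventing 324 rename events (the report gives only the count) and assuming the appended extension is .FihqnBxYm from the class the sample registers. RENAME_THRESHOLD and the benign explorer.exe / AUDIODG.EXE noise are also assumptions.

```python
"""Triage heuristics over sandbox-style IoC lines.

Added example, not part of the sandbox report. It models three behaviours the
report records for l.exe (PID 3036): registering a file-extension class whose
DefaultIcon lives under C:\\ProgramData, repeatedly enabling SeBackupPrivilege
and SeSecurityPrivilege on the process token, and mass renames that append one
extension. The (event, detail, process) tuple shape and RENAME_THRESHOLD are
assumptions, not the sandbox's own format.
"""
import re
from collections import Counter, defaultdict

CLASSES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Classes"
RENAME_THRESHOLD = 50  # assumed; the report counted 324 renames


def build_sample_events():
    """Constructed event log. Registry, desktop.ini and privilege lines mirror
    the report; the rename lines are invented (the report gives only a count)
    and the appended '.FihqnBxYm' is assumed from the class the sample registers."""
    ev = [
        ("RegKeyCreated", CLASSES_KEY + r"\FihqnBxYm", "l.exe"),
        ("RegSetValue", CLASSES_KEY + r"\FihqnBxYm\DefaultIcon\ = C:\ProgramData\FihqnBxYm.ico", "l.exe"),
        ("RegKeyCreated", CLASSES_KEY + r"\.FihqnBxYm", "l.exe"),
        ("RegSetValue", CLASSES_KEY + r"\.FihqnBxYm\ = FihqnBxYm", "l.exe"),
        ("FileOpenedForModification", r"C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini", "l.exe"),
        ("FileOpenedForModification", r"F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini", "l.exe"),
    ]
    for _ in range(12):  # the Backup/Backup/Security/Security cycles in the report
        for priv in ("SeBackupPrivilege", "SeBackupPrivilege",
                     "SeSecurityPrivilege", "SeSecurityPrivilege"):
            ev.append(("TokenPrivilegeEnabled", priv, "l.exe"))
    for i in range(324):
        old = rf"C:\Users\Admin\Documents\file{i}.docx"
        ev.append(("FileRenamed", f"{old} -> {old}.FihqnBxYm", "l.exe"))
    # Benign noise that must not be flagged: one ordinary rename, one unrelated process.
    ev.append(("FileRenamed", r"C:\Users\Admin\a.txt -> C:\Users\Admin\b.txt", "explorer.exe"))
    ev.append(("ProcessStart", r"C:\Windows\system32\AUDIODG.EXE 0x154", "AUDIODG.EXE"))
    return ev


def added_extension(old, new):
    """Return the extension appended to `old` to produce `new`, else None."""
    suffix = new[len(old):] if new.startswith(old) else ""
    return suffix if re.fullmatch(r"\.[A-Za-z0-9_-]+", suffix) else None


def registered_extension_classes(events):
    """Map each extension registered under HKLM\\SOFTWARE\\Classes to the ProgID
    its (Default) value names and that ProgID's DefaultIcon, if one was set."""
    defaults = {}  # key path -> (Default) value data
    for kind, detail, _proc in events:
        if kind != "RegSetValue":
            continue
        key_path, _, data = detail.partition(" = ")
        key, _, name = key_path.rpartition("\\")
        if name == "":  # an empty value name is the key's (Default) value
            defaults[key] = data.strip('"')
    classes = {}
    for key, progid in defaults.items():
        parent, _, leaf = key.rpartition("\\")
        if parent == CLASSES_KEY and leaf.startswith("."):
            icon = defaults.get(f"{CLASSES_KEY}\\{progid}\\DefaultIcon")
            classes[leaf] = {"progid": progid, "default_icon": icon}
    return classes


def analyze(events):
    """Per-process findings. A process is ransomware_like when it renames at
    least RENAME_THRESHOLD files with one appended extension and has registered
    a class for that same extension."""
    classes = registered_extension_classes(events)
    renames = defaultdict(Counter)  # process -> appended extension -> count
    privs = defaultdict(Counter)    # process -> privilege -> enables
    bins = defaultdict(set)         # process -> drives whose $Recycle.Bin desktop.ini was touched
    for kind, detail, proc in events:
        if kind == "FileRenamed":
            old, _, new = detail.partition(" -> ")
            ext = added_extension(old, new)
            if ext:
                renames[proc][ext] += 1
        elif kind == "TokenPrivilegeEnabled":
            privs[proc][detail] += 1
        elif kind == "FileOpenedForModification":
            low = detail.lower()
            if "recycle" in low and low.endswith("desktop.ini"):
                bins[proc].add(detail[0].upper())
    findings = {}
    for proc in {p for _, _, p in events}:
        ext, n = max(renames[proc].items(), key=lambda kv: kv[1], default=(None, 0))
        findings[proc] = {
            "renamed_with_added_extension": n,
            "appended_extension": ext,
            "class_default_icon": classes.get(ext, {}).get("default_icon"),
            "backup_privilege_enables": privs[proc]["SeBackupPrivilege"],
            "recycle_bin_drives": sorted(bins[proc]),
            "ransomware_like": n >= RENAME_THRESHOLD and ext in classes,
        }
    return findings


if __name__ == "__main__":
    for proc, result in sorted(analyze(build_sample_events()).items()):
        print(proc, result)
```

Requiring both the rename burst and a registered class for the same extension keeps a backup tool that renames many files, or an installer that registers a file type, from tripping the rule on its own; the privilege count and the recycle-bin drive list are reported as supporting context rather than used as triggers, because legitimate backup software enables the same privileges.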
Processes
-
C:\Users\Admin\AppData\Local\Temp\l.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\l.exe"
PID: 3036
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x154
PID: 2816
Both entries sit at the top level of the process tree: l.exe spawned no child processes during the run, and AUDIODG.EXE (the Windows audio device graph isolation host) is not a child of the sample, so no behaviour should be attributed to it.
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize   129B
MD5        5a3b85eed8edb8a036db6852e08e3c3d
SHA1       2e73ff73f091082c779a7a8bba6c6769c2b1fb94
SHA256     3681d0e23fb5afcee6c85eb826a6a2b45d514f8d9a21670a5d588b1247a976c7
SHA512     dee15a01bb42241a3b49c06f647aa56cdaa0d354e7a3ba69721c98eeea4456904c71bedb9b11d623196bde0acdc960e872b756282d52d15eeb2ed7d3e3626482
-
Filesize   129B
MD5        fc7fe1c313634ab845ce866157eb4d2c
SHA1       d0656442c90360376b0d9a8cf476d1f864ae3156
SHA256     361f0031a7828d65b8bb7778365ee2583f88ed042a6260fdcb1df9d1bad512a0
SHA512     d27dc4bdc58e689962d09b2b0d143403995f443e79b4948f8b1cb2e181818ff2df56f5dc2d82fbeedeb176a133d352560c712a5743212fdbb11a2ea34d1aedf8