Analysis
-
max time kernel
117s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
30-05-2024 18:00
Behavioral task
behavioral1
Sample
l.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
l.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
l1.exe
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
l1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
l2.exe
Resource
win7-20240220-en
Behavioral task
behavioral6
Sample
l2.exe
Resource
win10v2004-20240508-en
General
-
Target
l.exe
-
Size
87KB
-
MD5
717e64d5a222ef9b379a59a01e877767
-
SHA1
7f9dd9771f3940773c150075cfc757865f1b2aea
-
SHA256
9777234d1da61e5688278b57971afb217ffd71eeb6bb41f65cc4cabc21ea0a51
-
SHA512
879b519da63dfaa5cc0f585d4858692e07a0dd6c128c88d9d252d4e2def8c3ae6249ed139abb671a0ea128261f8e445aec27b160f1bb67eee19d7af488f8b6e4
-
SSDEEP
1536:poxUsH1uwp6ISs9bFQ+pGfxtP8cY1AZUbhYnY4LY+De5F4rGxwG8JOKhnAjrhjyx:2UsVuc6I1bFZW7xxtnYoY+kKJOKdscg
Malware Config
Signatures
-
Renames multiple (324) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral1/memory/3036-0-0x0000000000CC0000-0x0000000000CEB000-memory.dmp upx behavioral1/memory/3036-410-0x0000000000CC0000-0x0000000000CEB000-memory.dmp upx -
Drops desktop.ini file(s) 2 IoCs
Processes:
l.exedescription ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini l.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini l.exe -
Modifies registry class 5 IoCs
Processes:
l.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm l.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon\ = "C:\\ProgramData\\FihqnBxYm.ico" l.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm l.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm\ = "FihqnBxYm" l.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon l.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
l.exepid Process 3036 l.exe 3036 l.exe 3036 l.exe 3036 l.exe 3036 l.exe 3036 l.exe 3036 l.exe 3036 l.exe 3036 l.exe 3036 l.exe 3036 l.exe 3036 l.exe 3036 l.exe 3036 l.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
l.exedescription pid Process Token: SeAssignPrimaryTokenPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeDebugPrivilege 3036 l.exe Token: 36 3036 l.exe Token: SeImpersonatePrivilege 3036 l.exe Token: SeIncBasePriorityPrivilege 3036 l.exe Token: SeIncreaseQuotaPrivilege 3036 l.exe Token: 33 3036 l.exe Token: SeManageVolumePrivilege 3036 l.exe Token: SeProfSingleProcessPrivilege 3036 l.exe Token: SeRestorePrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeSystemProfilePrivilege 3036 l.exe Token: SeTakeOwnershipPrivilege 3036 l.exe Token: SeShutdownPrivilege 3036 l.exe Token: SeDebugPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeBackupPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe Token: SeSecurityPrivilege 3036 l.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\l.exe"C:\Users\Admin\AppData\Local\Temp\l.exe"1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1541⤵PID:2816
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD55a3b85eed8edb8a036db6852e08e3c3d
SHA12e73ff73f091082c779a7a8bba6c6769c2b1fb94
SHA2563681d0e23fb5afcee6c85eb826a6a2b45d514f8d9a21670a5d588b1247a976c7
SHA512dee15a01bb42241a3b49c06f647aa56cdaa0d354e7a3ba69721c98eeea4456904c71bedb9b11d623196bde0acdc960e872b756282d52d15eeb2ed7d3e3626482
-
Filesize
129B
MD5fc7fe1c313634ab845ce866157eb4d2c
SHA1d0656442c90360376b0d9a8cf476d1f864ae3156
SHA256361f0031a7828d65b8bb7778365ee2583f88ed042a6260fdcb1df9d1bad512a0
SHA512d27dc4bdc58e689962d09b2b0d143403995f443e79b4948f8b1cb2e181818ff2df56f5dc2d82fbeedeb176a133d352560c712a5743212fdbb11a2ea34d1aedf8