Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-05-2024 18:00

General

  • Target

    l.exe

  • Size

    87KB

  • MD5

    717e64d5a222ef9b379a59a01e877767

  • SHA1

    7f9dd9771f3940773c150075cfc757865f1b2aea

  • SHA256

    9777234d1da61e5688278b57971afb217ffd71eeb6bb41f65cc4cabc21ea0a51

  • SHA512

    879b519da63dfaa5cc0f585d4858692e07a0dd6c128c88d9d252d4e2def8c3ae6249ed139abb671a0ea128261f8e445aec27b160f1bb67eee19d7af488f8b6e4

  • SSDEEP

    1536:poxUsH1uwp6ISs9bFQ+pGfxtP8cY1AZUbhYnY4LY+De5F4rGxwG8JOKhnAjrhjyx:2UsVuc6I1bFZW7xxtnYoY+kKJOKdscg

Malware Config

Signatures

  • Renames multiple (324) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops desktop.ini file(s) 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\l.exe
    "C:\Users\Admin\AppData\Local\Temp\l.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3036
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x154
    1⤵
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\$Recycle.Bin\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini

      Filesize

      129B

      MD5

      5a3b85eed8edb8a036db6852e08e3c3d

      SHA1

      2e73ff73f091082c779a7a8bba6c6769c2b1fb94

      SHA256

      3681d0e23fb5afcee6c85eb826a6a2b45d514f8d9a21670a5d588b1247a976c7

      SHA512

      dee15a01bb42241a3b49c06f647aa56cdaa0d354e7a3ba69721c98eeea4456904c71bedb9b11d623196bde0acdc960e872b756282d52d15eeb2ed7d3e3626482

    • F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      fc7fe1c313634ab845ce866157eb4d2c

      SHA1

      d0656442c90360376b0d9a8cf476d1f864ae3156

      SHA256

      361f0031a7828d65b8bb7778365ee2583f88ed042a6260fdcb1df9d1bad512a0

      SHA512

      d27dc4bdc58e689962d09b2b0d143403995f443e79b4948f8b1cb2e181818ff2df56f5dc2d82fbeedeb176a133d352560c712a5743212fdbb11a2ea34d1aedf8

    • memory/3036-0-0x0000000000CC0000-0x0000000000CEB000-memory.dmp

      Filesize

      172KB

    • memory/3036-1-0x0000000002270000-0x00000000022B0000-memory.dmp

      Filesize

      256KB

    • memory/3036-410-0x0000000000CC0000-0x0000000000CEB000-memory.dmp

      Filesize

      172KB