Analysis
- max time kernel: 93s
- max time network: 99s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-05-2024 18:00
Behavioral tasks
- behavioral1: sample l.exe, resource win7-20240221-en
- behavioral2: sample l.exe, resource win10v2004-20240426-en
- behavioral3: sample l1.exe, resource win7-20240508-en
- behavioral4: sample l1.exe, resource win10v2004-20240508-en
- behavioral5: sample l2.exe, resource win7-20240220-en
- behavioral6: sample l2.exe, resource win10v2004-20240508-en
General
- Target: l.exe
- Size: 87KB
- MD5: 717e64d5a222ef9b379a59a01e877767
- SHA1: 7f9dd9771f3940773c150075cfc757865f1b2aea
- SHA256: 9777234d1da61e5688278b57971afb217ffd71eeb6bb41f65cc4cabc21ea0a51
- SHA512: 879b519da63dfaa5cc0f585d4858692e07a0dd6c128c88d9d252d4e2def8c3ae6249ed139abb671a0ea128261f8e445aec27b160f1bb67eee19d7af488f8b6e4
- SSDEEP: 1536:poxUsH1uwp6ISs9bFQ+pGfxtP8cY1AZUbhYnY4LY+De5F4rGxwG8JOKhnAjrhjyx:2UsVuc6I1bFZW7xxtnYoY+kKJOKdscg
Malware Config
Signatures
-
Renames multiple (592) files with added filename extension
This suggests ransomware activity: the sample is encrypting the files on the system and renaming them with a new extension.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.
-
Processes:
resource  yara_rule
behavioral2/memory/4776-0-0x0000000000060000-0x000000000008B000-memory.dmp  upx
behavioral2/memory/4776-679-0x0000000000060000-0x000000000008B000-memory.dmp  upx
-
Drops desktop.ini file(s) 2 IoCs
Processes: l.exe
description  ioc  Process
File opened for modification  C:\$Recycle.Bin\S-1-5-21-3571316656-3665257725-2415531812-1000\desktop.ini  l.exe
File opened for modification  F:\$RECYCLE.BIN\S-1-5-21-3571316656-3665257725-2415531812-1000\desktop.ini  l.exe
-
Modifies registry class 5 IoCs
Processes: l.exe
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon\ = "C:\\ProgramData\\FihqnBxYm.ico"  l.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm  l.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm\ = "FihqnBxYm"  l.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon  l.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm  l.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: l.exe
pid  Process
4776  l.exe  (the same entry is reported for all 64 IoCs)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: l.exe
description  pid  Process  (occurrences among the 64 IoCs)
Token: SeAssignPrimaryTokenPrivilege  4776  l.exe  (1)
Token: SeBackupPrivilege  4776  l.exe  (25)
Token: SeDebugPrivilege  4776  l.exe  (2)
Token: 36  4776  l.exe  (1)
Token: SeImpersonatePrivilege  4776  l.exe  (1)
Token: SeIncBasePriorityPrivilege  4776  l.exe  (1)
Token: SeIncreaseQuotaPrivilege  4776  l.exe  (1)
Token: 33  4776  l.exe  (1)
Token: SeManageVolumePrivilege  4776  l.exe  (1)
Token: SeProfSingleProcessPrivilege  4776  l.exe  (1)
Token: SeRestorePrivilege  4776  l.exe  (1)
Token: SeSecurityPrivilege  4776  l.exe  (25)
Token: SeSystemProfilePrivilege  4776  l.exe  (1)
Token: SeTakeOwnershipPrivilege  4776  l.exe  (1)
Token: SeShutdownPrivilege  4776  l.exe  (1)
Downloads
-
Filesize: 129B
MD5: c370b5272b745f1b3d3a1eb96c046127
SHA1: e5d6a1b6d86b1fc90c2bd676cce63354d3c2cba6
SHA256: 26fe840e541a64bca205f6d45c623d48adbce9828b5d705c9592c1a480ffd53b
SHA512: 6f19422b76a7d453a86b8cf153cae4673b6d0b1c22b13238aece363a9d31c0ceae9625a3d2e85db0b2ffa183fd58d5fae01af77177e6356212fa70c6fd3aacf7
-
Filesize: 129B
MD5: f41e25b12e9ef1fc499a61cd1e7f6b43
SHA1: b5f5a0e2d06c2eab20f9879588f8f21e6e3dd7ce
SHA256: 054bb010ef0fce9c45f4b491adf29000bca0bb455f48ae7196bb8df1eec2d04c
SHA512: 4c2e92313a53f211bb99dafefbcd0f627fb050fd62daa74b2ef1e06879f3b1db51e2d46023159ed1234724414e55a6d3decce5ae9dc852434918fd79b28cfaa2