Analysis

  • max time kernel
    93s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-05-2024 18:00

General

  • Target

    l.exe

  • Size

    87KB

  • MD5

    717e64d5a222ef9b379a59a01e877767

  • SHA1

    7f9dd9771f3940773c150075cfc757865f1b2aea

  • SHA256

    9777234d1da61e5688278b57971afb217ffd71eeb6bb41f65cc4cabc21ea0a51

  • SHA512

    879b519da63dfaa5cc0f585d4858692e07a0dd6c128c88d9d252d4e2def8c3ae6249ed139abb671a0ea128261f8e445aec27b160f1bb67eee19d7af488f8b6e4

  • SSDEEP

    1536:poxUsH1uwp6ISs9bFQ+pGfxtP8cY1AZUbhYnY4LY+De5F4rGxwG8JOKhnAjrhjyx:2UsVuc6I1bFZW7xxtnYoY+kKJOKdscg

Malware Config

Signatures

  • Renames multiple (592) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops desktop.ini file(s) 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\l.exe
    "C:\Users\Admin\AppData\Local\Temp\l.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4776

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-3571316656-3665257725-2415531812-1000\IIIIIIIIIII

    Filesize

    129B

    MD5

    c370b5272b745f1b3d3a1eb96c046127

    SHA1

    e5d6a1b6d86b1fc90c2bd676cce63354d3c2cba6

    SHA256

    26fe840e541a64bca205f6d45c623d48adbce9828b5d705c9592c1a480ffd53b

    SHA512

    6f19422b76a7d453a86b8cf153cae4673b6d0b1c22b13238aece363a9d31c0ceae9625a3d2e85db0b2ffa183fd58d5fae01af77177e6356212fa70c6fd3aacf7

  • F:\$RECYCLE.BIN\S-1-5-21-3571316656-3665257725-2415531812-1000\DDDDDDDDDDD

    Filesize

    129B

    MD5

    f41e25b12e9ef1fc499a61cd1e7f6b43

    SHA1

    b5f5a0e2d06c2eab20f9879588f8f21e6e3dd7ce

    SHA256

    054bb010ef0fce9c45f4b491adf29000bca0bb455f48ae7196bb8df1eec2d04c

    SHA512

    4c2e92313a53f211bb99dafefbcd0f627fb050fd62daa74b2ef1e06879f3b1db51e2d46023159ed1234724414e55a6d3decce5ae9dc852434918fd79b28cfaa2

  • memory/4776-0-0x0000000000060000-0x000000000008B000-memory.dmp

    Filesize

    172KB

  • memory/4776-1-0x0000000002790000-0x00000000027A0000-memory.dmp

    Filesize

    64KB

  • memory/4776-2-0x0000000002790000-0x00000000027A0000-memory.dmp

    Filesize

    64KB

  • memory/4776-3-0x0000000002790000-0x00000000027A0000-memory.dmp

    Filesize

    64KB

  • memory/4776-679-0x0000000000060000-0x000000000008B000-memory.dmp

    Filesize

    172KB