Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
30-05-2024 18:00
Behavioral task
behavioral1
Sample
l.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
l.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
l1.exe
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
l1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
l2.exe
Resource
win7-20240220-en
Behavioral task
behavioral6
Sample
l2.exe
Resource
win10v2004-20240508-en
General
-
Target
l1.exe
-
Size
145KB
-
MD5
05fa05bbba51c9fd5f2421f3fe2e2998
-
SHA1
e7fdbb0621abb858cdd31ad94118ca575aa8fe24
-
SHA256
b9d6537c7531a0592a4ec46a52c84108b9d5110ed947cec8ddb2fda4b771899b
-
SHA512
399004699bdacc815eeb5609fba3e81e3866c839766feb0fdd1aa8e1d7746405da2f90414deb17dc592982cf24c468c106d263bb167499c443bffe6ce357bd55
-
SSDEEP
1536:azICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDtCYU0GsvgtwjECrozUYj3PeAU8:pqJogYkcSNm9V7DtCCGsg+AmYylQhTTJ
Malware Config
Signatures
-
Renames multiple (351) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
l1.exedescription ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini l1.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini l1.exe -
Modifies registry class 5 IoCs
Processes:
l1.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm l1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon\ = "C:\\ProgramData\\FihqnBxYm.ico" l1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm l1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm\ = "FihqnBxYm" l1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon l1.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
l1.exepid Process 1904 l1.exe 1904 l1.exe 1904 l1.exe 1904 l1.exe 1904 l1.exe 1904 l1.exe 1904 l1.exe 1904 l1.exe 1904 l1.exe 1904 l1.exe 1904 l1.exe 1904 l1.exe 1904 l1.exe 1904 l1.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
l1.exedescription pid Process Token: SeAssignPrimaryTokenPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeDebugPrivilege 1904 l1.exe Token: 36 1904 l1.exe Token: SeImpersonatePrivilege 1904 l1.exe Token: SeIncBasePriorityPrivilege 1904 l1.exe Token: SeIncreaseQuotaPrivilege 1904 l1.exe Token: 33 1904 l1.exe Token: SeManageVolumePrivilege 1904 l1.exe Token: SeProfSingleProcessPrivilege 1904 l1.exe Token: SeRestorePrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeSystemProfilePrivilege 1904 l1.exe Token: SeTakeOwnershipPrivilege 1904 l1.exe Token: SeShutdownPrivilege 1904 l1.exe Token: SeDebugPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeBackupPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe Token: SeSecurityPrivilege 1904 l1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\l1.exe"C:\Users\Admin\AppData\Local\Temp\l1.exe"1⤵
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1904
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x1481⤵PID:2632
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD58c71d33816803f7fa0ba14962b436c06
SHA1f88802d0da83029880135191ebff4df4df9e7703
SHA256bb61e23e40f5fda5d784f7b5e2a6cf8dd6fbafef062093cadcb08bc481caf06c
SHA5127f067ed23164159f4a9578f5b25405ca1fbd1d8d58b7247e858e9a3b7b63cd2638c7751aa6b875e98d4337ad820fa377cceb80c66a637fc9f4366aec0e47b9f0
-
Filesize
129B
MD51d32649828285400e34ff22624df4767
SHA1c6eb6da2acb49eedc804d14b7ddb79aa88ed2f02
SHA256b01f04ef4f009133abd7d3aef041d98cd34c2b6525beed443a5decb0ee316c3d
SHA5122d0170baca05fc9b222613f362df48f46d6f70e11ef6e0f4436669b6771a1490f66f09e9b704804ac8d655bdb088135d9938394d291482b7db0ff48f98804118