Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
- submitted: 30-05-2024 18:00
Behavioral tasks
- behavioral1: Sample l.exe, Resource win7-20240221-en
- behavioral2: Sample l.exe, Resource win10v2004-20240426-en
- behavioral3: Sample l1.exe, Resource win7-20240508-en
- behavioral4: Sample l1.exe, Resource win10v2004-20240508-en
- behavioral5: Sample l2.exe, Resource win7-20240220-en
- behavioral6: Sample l2.exe, Resource win10v2004-20240508-en
General
- Target: l1.exe
- Size: 145KB
- MD5: 05fa05bbba51c9fd5f2421f3fe2e2998
- SHA1: e7fdbb0621abb858cdd31ad94118ca575aa8fe24
- SHA256: b9d6537c7531a0592a4ec46a52c84108b9d5110ed947cec8ddb2fda4b771899b
- SHA512: 399004699bdacc815eeb5609fba3e81e3866c839766feb0fdd1aa8e1d7746405da2f90414deb17dc592982cf24c468c106d263bb167499c443bffe6ce357bd55
- SSDEEP: 1536:azICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDtCYU0GsvgtwjECrozUYj3PeAU8:pqJogYkcSNm9V7DtCCGsg+AmYylQhTTJ
Malware Config
Signatures
- Renames multiple (351) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops desktop.ini file(s) (2 IoCs)
  description                   ioc                                                                           Process
  File opened for modification  C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini   l1.exe
  File opened for modification  F:\$RECYCLE.BIN\S-1-5-21-3691908287-3775019229-3534252667-1000\desktop.ini   l1.exe
- Modifies registry class (5 IoCs)
  description      ioc                                                                                          Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm                                                 l1.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon\ = "C:\\ProgramData\\FihqnBxYm.ico"  l1.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm                                                l1.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm\ = "FihqnBxYm"                                 l1.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon                                     l1.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  1904  l1.exe
  1904  l1.exe
  1904  l1.exe
  1904  l1.exe
  1904  l1.exe
  1904  l1.exe
  1904  l1.exe
  1904  l1.exe
  1904  l1.exe
  1904  l1.exe
  1904  l1.exe
  1904  l1.exe
  1904  l1.exe
  1904  l1.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                           pid   Process
  Token: SeAssignPrimaryTokenPrivilege  1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeDebugPrivilege               1904  l1.exe
  Token: 36                             1904  l1.exe
  Token: SeImpersonatePrivilege         1904  l1.exe
  Token: SeIncBasePriorityPrivilege     1904  l1.exe
  Token: SeIncreaseQuotaPrivilege       1904  l1.exe
  Token: 33                             1904  l1.exe
  Token: SeManageVolumePrivilege        1904  l1.exe
  Token: SeProfSingleProcessPrivilege   1904  l1.exe
  Token: SeRestorePrivilege             1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeSystemProfilePrivilege       1904  l1.exe
  Token: SeTakeOwnershipPrivilege       1904  l1.exe
  Token: SeShutdownPrivilege            1904  l1.exe
  Token: SeDebugPrivilege               1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeBackupPrivilege              1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
  Token: SeSecurityPrivilege            1904  l1.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\l1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\l1.exe"
  - Drops desktop.ini file(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1904
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x148
  PID: 2632
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129B
  MD5: 8c71d33816803f7fa0ba14962b436c06
  SHA1: f88802d0da83029880135191ebff4df4df9e7703
  SHA256: bb61e23e40f5fda5d784f7b5e2a6cf8dd6fbafef062093cadcb08bc481caf06c
  SHA512: 7f067ed23164159f4a9578f5b25405ca1fbd1d8d58b7247e858e9a3b7b63cd2638c7751aa6b875e98d4337ad820fa377cceb80c66a637fc9f4366aec0e47b9f0
- Filesize: 129B
  MD5: 1d32649828285400e34ff22624df4767
  SHA1: c6eb6da2acb49eedc804d14b7ddb79aa88ed2f02
  SHA256: b01f04ef4f009133abd7d3aef041d98cd34c2b6525beed443a5decb0ee316c3d
  SHA512: 2d0170baca05fc9b222613f362df48f46d6f70e11ef6e0f4436669b6771a1490f66f09e9b704804ac8d655bdb088135d9938394d291482b7db0ff48f98804118