Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    30-05-2024 18:00

General

  • Target

    l1.exe

  • Size

    145KB

  • MD5

    05fa05bbba51c9fd5f2421f3fe2e2998

  • SHA1

    e7fdbb0621abb858cdd31ad94118ca575aa8fe24

  • SHA256

    b9d6537c7531a0592a4ec46a52c84108b9d5110ed947cec8ddb2fda4b771899b

  • SHA512

    399004699bdacc815eeb5609fba3e81e3866c839766feb0fdd1aa8e1d7746405da2f90414deb17dc592982cf24c468c106d263bb167499c443bffe6ce357bd55

  • SSDEEP

    1536:azICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDtCYU0GsvgtwjECrozUYj3PeAU8:pqJogYkcSNm9V7DtCCGsg+AmYylQhTTJ

Malware Config

Signatures

  • Renames multiple (351) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\l1.exe
    "C:\Users\Admin\AppData\Local\Temp\l1.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1904
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x148
    1⤵
      PID:2632

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-3691908287-3775019229-3534252667-1000\BBBBBBBBBBB

      Filesize

      129B

      MD5

      8c71d33816803f7fa0ba14962b436c06

      SHA1

      f88802d0da83029880135191ebff4df4df9e7703

      SHA256

      bb61e23e40f5fda5d784f7b5e2a6cf8dd6fbafef062093cadcb08bc481caf06c

      SHA512

      7f067ed23164159f4a9578f5b25405ca1fbd1d8d58b7247e858e9a3b7b63cd2638c7751aa6b875e98d4337ad820fa377cceb80c66a637fc9f4366aec0e47b9f0

    • F:\$RECYCLE.BIN\S-1-5-21-3691908287-3775019229-3534252667-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      1d32649828285400e34ff22624df4767

      SHA1

      c6eb6da2acb49eedc804d14b7ddb79aa88ed2f02

      SHA256

      b01f04ef4f009133abd7d3aef041d98cd34c2b6525beed443a5decb0ee316c3d

      SHA512

      2d0170baca05fc9b222613f362df48f46d6f70e11ef6e0f4436669b6771a1490f66f09e9b704804ac8d655bdb088135d9938394d291482b7db0ff48f98804118

    • memory/1904-0-0x0000000000A80000-0x0000000000AC0000-memory.dmp

      Filesize

      256KB