Analysis
- Max time kernel: 131s
- Max time network: 152s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240508-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 30-05-2024 18:00
Behavioral tasks
- behavioral1: sample l.exe, resource win7-20240221-en
- behavioral2: sample l.exe, resource win10v2004-20240426-en
- behavioral3: sample l1.exe, resource win7-20240508-en
- behavioral4: sample l1.exe, resource win10v2004-20240508-en
- behavioral5: sample l2.exe, resource win7-20240220-en
- behavioral6: sample l2.exe, resource win10v2004-20240508-en
General
- Target: l1.exe
- Size: 145KB
- MD5: 05fa05bbba51c9fd5f2421f3fe2e2998
- SHA1: e7fdbb0621abb858cdd31ad94118ca575aa8fe24
- SHA256: b9d6537c7531a0592a4ec46a52c84108b9d5110ed947cec8ddb2fda4b771899b
- SHA512: 399004699bdacc815eeb5609fba3e81e3866c839766feb0fdd1aa8e1d7746405da2f90414deb17dc592982cf24c468c106d263bb167499c443bffe6ce357bd55
- SSDEEP: 1536:azICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDtCYU0GsvgtwjECrozUYj3PeAU8:pqJogYkcSNm9V7DtCCGsg+AmYylQhTTJ
Malware Config
Signatures
- Renames multiple (623) files with added filename extension
  This suggests ransomware activity: the sample is encrypting files across the system and appending its own extension.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and history.
- Drops desktop.ini file(s) (2 IoCs)
  Processes:
  - l1.exe: File opened for modification C:\$Recycle.Bin\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini
  - l1.exe: File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2804150937-2146708401-419095071-1000\desktop.ini
- Modifies registry class (5 IoCs)
  Processes:
  - l1.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm
  - l1.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm\ = "FihqnBxYm"
  - l1.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon
  - l1.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm
  - l1.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon\ = "C:\\ProgramData\\FihqnBxYm.ico"
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - l1.exe (pid 1396), the same process for all 64 entries
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (all entries are pid 1396, l1.exe):
  - Token: SeAssignPrimaryTokenPrivilege
  - Token: SeBackupPrivilege
  - Token: SeDebugPrivilege
  - Token: 36
  - Token: SeImpersonatePrivilege
  - Token: SeIncBasePriorityPrivilege
  - Token: SeIncreaseQuotaPrivilege
  - Token: 33
  - Token: SeManageVolumePrivilege
  - Token: SeProfSingleProcessPrivilege
  - Token: SeRestorePrivilege
  - Token: SeSecurityPrivilege
  - Token: SeSystemProfilePrivilege
  - Token: SeTakeOwnershipPrivilege
  - Token: SeShutdownPrivilege
  - Token: SeDebugPrivilege
  - The remaining entries repeat the pattern SeBackupPrivilege, SeBackupPrivilege, SeSecurityPrivilege, SeSecurityPrivilege up to the 64th entry
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129B
  MD5: 47ef674bce604432920bc1574ea76d7c
  SHA1: 9df5613b52c91d5cb3389aaa5ecb0bec46ca8f42
  SHA256: b8efff7e7bf754d806c773d421eb8dbbde56c71aa5839e41589db85486f42de6
  SHA512: 4c4c63faa804bff9f84c3d60d362011fb1262efaf990fb2229258eb79873c08a7cbba1720f18edbb4da249fb73dbd1e9e545d97ddce8beb6cff8d87a9644e365
- Filesize: 129B
  MD5: 51ef2dcfa1ba50c92bc3bf2938bf47d9
  SHA1: 9e7b40656da218a8a3ee39dd9a9319735bcd7de2
  SHA256: 9d83cac0b488d5d5c87957835d1f38ea42d497e9800f6a2447e039df80c34273
  SHA512: e1efb96be5a99e517e820644768ad8bda82922447008c570b8b66af5f4165f9bfec2666103aa6d5382f4af6f272617a24511e987ae50695230a8a88fe5ba0725