Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
30-05-2024 18:00
Behavioral task
behavioral1
Sample
l.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
l.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
l1.exe
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
l1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
l2.exe
Resource
win7-20240220-en
Behavioral task
behavioral6
Sample
l2.exe
Resource
win10v2004-20240508-en
General
-
Target
l2.exe
-
Size
145KB
-
MD5
76b23dd72a883d8b1302bb4a514b7967
-
SHA1
338e19e8a3615c29d8a825ebba66cf55fa0caa2c
-
SHA256
311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86
-
SHA512
39d98f914ec9d8551a894306163bc726f035f9228f3f198de78555988cea5a7b423be8c2a19913c76b996220a81a9b3a257b7f0af67913aa8a50b77321b17735
-
SSDEEP
1536:azICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDtCYU0GsvgtwjECrozUYj3PeAU2:pqJogYkcSNm9V7DtCCGsg+AmYylQhTT
Malware Config
Signatures
-
Renames multiple (636) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
Processes:
l2.exedescription ioc Process File opened for modification C:\$Recycle.Bin\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini l2.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\desktop.ini l2.exe -
Modifies registry class 5 IoCs
Processes:
l2.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm l2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.FihqnBxYm\ = "FihqnBxYm" l2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon l2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm l2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FihqnBxYm\DefaultIcon\ = "C:\\ProgramData\\FihqnBxYm.ico" l2.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
l2.exepid Process 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe 5104 l2.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
l2.exedescription pid Process Token: SeAssignPrimaryTokenPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeDebugPrivilege 5104 l2.exe Token: 36 5104 l2.exe Token: SeImpersonatePrivilege 5104 l2.exe Token: SeIncBasePriorityPrivilege 5104 l2.exe Token: SeIncreaseQuotaPrivilege 5104 l2.exe Token: 33 5104 l2.exe Token: SeManageVolumePrivilege 5104 l2.exe Token: SeProfSingleProcessPrivilege 5104 l2.exe Token: SeRestorePrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeSystemProfilePrivilege 5104 l2.exe Token: SeTakeOwnershipPrivilege 5104 l2.exe Token: SeShutdownPrivilege 5104 l2.exe Token: SeDebugPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeBackupPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe Token: SeSecurityPrivilege 5104 l2.exe
Processes
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD59c43fc6a0bbd757a538a20cf6060f311
SHA184e5eff9ce370e0a64891458fd535d111eb28caa
SHA256dc3f84b88356190f14670e78936239e7a0934b80a30cd0eaeb889f2fdf3bb789
SHA512891f4d651dae2a00560ead710321de3add5599425a013db208d96317ed1b312933502358a075798bff6549fd718e1649c6bfaa1fe596e32393c81e7add7f2677
-
Filesize
129B
MD50848d9a93bb573b566736a86e638debc
SHA192b4d6c4f858da73cddf33d21fa744d914161b0f
SHA256d452d83bca47154a00663e8208143d1b1f96c8eded6582f13d5fe8875d3e29db
SHA5126080c4228a9af4c607bdd4d99857da90ed555bb165693f0d0dbd16d18e68ea4ddadf639140ab9a26355fbca64734bfe98a443f5b142520f626b1337b968d601a