Analysis

  • max time kernel
    141s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-05-2024 20:03

General

  • Target

    311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe

  • Size

    145KB

  • MD5

    76b23dd72a883d8b1302bb4a514b7967

  • SHA1

    338e19e8a3615c29d8a825ebba66cf55fa0caa2c

  • SHA256

    311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86

  • SHA512

    39d98f914ec9d8551a894306163bc726f035f9228f3f198de78555988cea5a7b423be8c2a19913c76b996220a81a9b3a257b7f0af67913aa8a50b77321b17735

  • SSDEEP

    1536:azICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDtCYU0GsvgtwjECrozUYj3PeAU2:pqJogYkcSNm9V7DtCCGsg+AmYylQhTT

Malware Config

Signatures

  • Renames multiple (629) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe
    "C:\Users\Admin\AppData\Local\Temp\311edf744c2e90d7bfc550c893478f43d1d7977694d5dcecf219795f3eb99b86.exe"
    • Drops desktop.ini file(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4900
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1660,i,13640054265074968359,8146127767143474550,262144 --variations-seed-version --mojo-platform-channel-handle=3832 /prefetch:8
    PID:4296

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-1181767204-2009306918-3718769404-1000\PPPPPPPPPPP
    Filesize
    129B
    MD5
    05416c2e5949bd7b908e088a3309dfe8
    SHA1
    83d011dd7f2eb8575efdec1e85e5ad4ae601f643
    SHA256
    7607bbd15229f23401f2f3b61d66522c88539595aea7b523dd929eb570c989ac
    SHA512
    d60a19f9676c4f6707747fd471426ad44c26111a4247b92a840ba4150f1e1302d50003d89d009696a048ea1022198f33f5e5107e98e486d9ebbd7d85c8f200de

  • F:\$RECYCLE.BIN\S-1-5-21-1181767204-2009306918-3718769404-1000\DDDDDDDDDDD
    Filesize
    129B
    MD5
    7f486abe0adc12e89fd1d3699bcd9363
    SHA1
    6405f7ba52d68ea1f66e8a1fdd741be6be0670b1
    SHA256
    21b79811633e1b3cba15c8ed2552eb351d6137b7ec4867dc61571fba26585f97
    SHA512
    5edd1177742fea0e3f5c749b13bf9e58fb07466a29d7aecf6794bb61b140ce23f20eaeb47ebe8ceca7b19ebef79e3d6959c07f40767537d72721259a82ec3c80

  • memory/4900-0-0x00000000031C0000-0x00000000031D0000-memory.dmp
    Filesize
    64KB
  • memory/4900-2-0x00000000031C0000-0x00000000031D0000-memory.dmp
    Filesize
    64KB
  • memory/4900-1-0x00000000031C0000-0x00000000031D0000-memory.dmp
    Filesize
    64KB