43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 06:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Size

350KB
MD5

2ca90a883f3db6d96bc5722be2fb8bc2
SHA1

0e8c787283fa2c046f388ef0c5fa215541a97043
SHA256

43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792
SHA512

c87f815182108f62fffd502d590284ae3f0f4c6dabc823271da87dbe5f54c843eb65cc690314e0ac10188b3e43c258ace549567fe7380b4d217c2befbcde3c74
SSDEEP

6144:9yAIPCuAZOXWUVg1XN5MC81xSNmG+f0bwu/WekQTp4Aum1:9MPCuAZOXRu1zMd1xaH+f0bn/Wexp4AJ

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\iHpE7aGA3.README.txt

Ransom Note

~~~ ############################################~~~ YOUR FILES ARE ENCRYPTED !!! TO DECRYPT, FOLLOW THE INSTRUCTIONS: To recover data you need decrypt tool. To get the decrypt tool you should: 1.In the letter include your personal ID! Send me this ID in your first email to me! 2.We can give you free test for decrypt few files (NOT VALUE) and assign the price for decryption all files! 3.After we send you instruction how to pay for decrypt tool and after payment you will receive a decryption tool! 4.We can decrypt few files in quality the evidence that we have the decoder. ATTENTION !!! THIS IS YOUR PERSONAL ID WICH YOU HAVE TO SEND IN FIRST LETTER: 9ZBmWdet8f1JlGuD6wXnVL7YEzCpFk5QoIScRsh4KgvNqUPy3TM02Oxjbai AHrYzBOCDmMiT9SdByUHVnikJS8i3JN83X5wzhTArBh59XFkyhocrfLLJOM 4PF6jRhHv3PCAj9dH0qWwLbBerVrYVKKsqFs2WTAicFxaxi05fJyUPRpZXgG p7mWr6RgYgXEbUXYldb26gl9CDAdzifhk5IMFRHR1yZk00U2tGTG3oyzZo3s UuC96xy0ulnU4yjd6ahHB5KWGl9sozpjo6OWitVD1ZaIF0ID1o0ILJih6ptPGB CONTACT US BY MAIL: [email protected] CONTACT US BY MAIL 2: [email protected] CONTACT US BY UTOX ID: 34BA12E4BE532885BAD25BDC4EFA0BCC4145B76B58A90E0C4E2A80D37A5A9F30E03477050899 Download link UTOX: https://github.com/uTox/uTox/releases/download/v0.18.1/utox_x86_64.exe How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com

Emails

[email protected]

URLs

https://github.com/uTox/uTox/releases/download/v0.18.1/utox_x86_64.exe

Signatures

Renames multiple (336) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
1604	2CDA.tmp

Executes dropped EXE 1 IoCs

pid	Process
1604	2CDA.tmp

Loads dropped DLL 1 IoCs

pid	Process
2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1604	2CDA.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp
1604	2CDA.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeDebugPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: 36	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeImpersonatePrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeIncBasePriorityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeIncreaseQuotaPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: 33	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeManageVolumePrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeProfSingleProcessPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeRestorePrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSystemProfilePrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeTakeOwnershipPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeShutdownPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeDebugPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeBackupPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
Token: SeSecurityPrivilege	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 1604	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe	30
PID 2160 wrote to memory of 1604	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe	30
PID 2160 wrote to memory of 1604	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe	30
PID 2160 wrote to memory of 1604	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe	30
PID 2160 wrote to memory of 1604	2160	43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe	30
PID 1604 wrote to memory of 2932	1604	2CDA.tmp	31
PID 1604 wrote to memory of 2932	1604	2CDA.tmp	31
PID 1604 wrote to memory of 2932	1604	2CDA.tmp	31
PID 1604 wrote to memory of 2932	1604	2CDA.tmp	31

C:\Users\Admin\AppData\Local\Temp\43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe
"C:\Users\Admin\AppData\Local\Temp\43a500e327fa47db6e1ee241b553c46bea58f6ba143d38af8b006051e8952792.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\ProgramData\2CDA.tmp
  "C:\ProgramData\2CDA.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2CDA.tmp >> NUL
    3⤵
    PID:2932

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
1⤵
PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2248906074-2862704502-246302768-1000\KKKKKKKKKKK

Filesize
129B

MD5
e9d2d16c5f31c2ffb978680cd1496669

SHA1
3d85bc7cf303965189748fdedbf139eea33a9bf6

SHA256
2f00107621e0e985dc63d94f86612e01036c11a527c206234627605271460f07

SHA512
ab342ab6bba098c2752b37a1971ba465de2dfe072f691d02e51f4f939ba0d488cf08b68d71a000024436031bed84d65a26c9cd3a517829178426886af41e3453

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
350KB

MD5
08c19a6cdde845b27c2c88196d86186b

SHA1
985de319dce1642e08ba94a04bc84bfab8012552

SHA256
29675e76d59f64df92f7101e77d689f8b86360bd9e179e6141b4275169df117b

SHA512
7d4072b5ed7e6bd69a9f886cacae7fbbff37966fb9fd9040027708db68994c709f5eae8a0ea10cfa3688f9d47bc7aa3f6d5eacdde66af09b0b979b93c1bbe659

Download Submit
C:\iHpE7aGA3.README.txt

Filesize
1KB

MD5
481f6946b253bb263007b53a2010c7a4

SHA1
fd65cc5ebca40e832d31601e4304e0e1e2f5ea89

SHA256
34b4b51dc57d0cd622e0c06811701b615d01a85f8c3bc41f13ce9304b99398f7

SHA512
a6e1f48429fb3649180ae94a3f826684b16d1db9dfc699048185182049fc7058e517e3583474b1124bfa4425057633967ec07213fb02af9481a5cf8a0ba1aa98

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\DDDDDDDDDDD

Filesize
129B

MD5
dacbc28a9cb939d43a36421a9a3a6f38

SHA1
eaa9908f9aa5aeb9977d6f1c5e4b47610d04e6d5

SHA256
897f6095c0f01b80e406fa037b59e31aca8f5317eb1b97a84bededd51d9f3033

SHA512
614aacce9663373f200dfda9a2bba1e5f469859043901adb253274df4dacaba4cc3f7a59c4460b543bccb8de992ebbef236b1355ea7ee3c28a4315b10e1d31c4

Download Submit
\ProgramData\2CDA.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1604-867-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2160-3-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2160-6-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2160-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2160-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2160-2-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2160-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2160-4-0x0000000000300000-0x000000000033C000-memory.dmp

Filesize
240KB

Download
memory/2160-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2160-868-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2160-869-0x0000000000300000-0x000000000033C000-memory.dmp

Filesize
240KB

Download
memory/2160-5-0x0000000000401000-0x0000000000419000-memory.dmp

Filesize
96KB

Download