Overview

overview

9

Static

static

3

9df8195bcf...09.exe

windows7-x64

9

9df8195bcf...09.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-05-2024 11:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9df8195bcf7875fbe9c606b0c55dd237edc3160078ac927c94995378d59b3409.exe

  • Size

    348KB

  • MD5

    67233b799136b9b170c9506b8e82cb81

  • SHA1

    8c4b5d442530f1cd31355f3a782e88e65e024007

  • SHA256

    9df8195bcf7875fbe9c606b0c55dd237edc3160078ac927c94995378d59b3409

  • SHA512

    977ba52c0d3dd07cc4ca99c85f7907f3cff4c5f6253947107a56a213e47307b6b8f02e589fa96288a76f217b028df889f74770981233dba732dcd0cea236b8ab

  • SSDEEP

    6144:pLFkCMg+SX2RIcFMzbNSYMor7uhyFQIChwTd4E4rKgKYfHF2yqLtgnWaIFSNfseC:RFJURIIibNQorqhyKo4BJ/0yqLtaEk0x

Score
9/10
ransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (594) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9df8195bcf7875fbe9c606b0c55dd237edc3160078ac927c94995378d59b3409.exe
    "C:\Users\Admin\AppData\Local\Temp\9df8195bcf7875fbe9c606b0c55dd237edc3160078ac927c94995378d59b3409.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:900
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:3472
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:3984
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:984
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{19A0A2F8-8F6D-4651-BE9E-A93ACB09C632}.xps" 133616289369310000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:5080

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-1337824034-2731376981-3755436523-1000\BBBBBBBBBBB
      Filesize

      129B

      MD5

      8dce886fe75acd318469961d1157740d

      SHA1

      f7800ab2d2f59ac2da1b9c78368b1e758cf9d619

      SHA256

      cd30bc7ebda1d9755881db9aa5a1ab1df4fee505ac9988a5bb0097ba492bad84

      SHA512

      10eb757188b95529286397edb7582d8fffa3fa61170dbd8be4b77b0d3dbe3a1bfa45d96004204aae608a74ac61a48cd03588067a5ebaf9c924dd95af41c50255

      Download Submit

    • C:\CHR4bQVWh.README.txt
      Filesize

      122B

      MD5

      1cd2c508680a93907346e98d6a1677e6

      SHA1

      42ab98d499046fe5477610f5c256aff0b0f5be5e

      SHA256

      f722457807534d1c563d6cfaa43e3a8b90d721dcef1d48c0a3921b4025cd6bda

      SHA512

      2757aeab0f7c2703e0dfb095b37aada25d2947d21c7c988e4dc4b842d07741f34e4f35447694bae5a60de374f6812c511fd912177c81f37a3efd578848ae574c

      Download Submit

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
      Filesize

      4KB

      MD5

      cbe9d71aaef302e74ee2b127ac8ccce6

      SHA1

      abe7036b87bbcb9fd4f14893b5f41f3675917988

      SHA256

      31ad354e5efe3605399b8984d20d418eba01f7d836729edd215ec53a9b934e69

      SHA512

      7c8e512086d724136cf685791031c1965d232506f944bbecb464a36aba3c69bb73abbfa106979abb3e362adb8bffe18fe870b51cb86077f83cf815e17af3bb76

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      49edef650edc602be7b5835badb7785d

      SHA1

      a7c13eb5c26370b0f52770e61a9fdb46b0a0eea9

      SHA256

      957736c96350085fecec65f96c0e1c3491fa6f72b240a2af1c4169d3fe3b34ca

      SHA512

      21d259bfb94a692f8cc16ea387f06dc50929f990868ec09c75a5002012fb908f9e7e0266b71751d837dde0c1287e64e531bf0c968d25063f4c05d065d2a4447a

      Download Submit

    • memory/900-10-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/900-3-0x00000000006F0000-0x00000000006F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/900-9-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/900-8-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/900-7-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/900-4-0x00000000006B0000-0x00000000006EC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/900-1-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/900-6-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/900-0-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/900-5-0x0000000000401000-0x0000000000419000-memory.dmp

      Filesize

      96KB

      Download

    • memory/900-2739-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/900-2-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/5080-2753-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5080-2752-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5080-2754-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5080-2755-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5080-2756-0x00007FFEA7650000-0x00007FFEA7660000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5080-2757-0x00007FFEA7650000-0x00007FFEA7660000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5080-2751-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

      Filesize

      64KB

      Download