Analysis

  • max time kernel
    120s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-06-2024 11:51

General

  • Target

    8ea416fd97ba762b5fa6519906c56f6c98f078f398ff75be7ed43fa1cc5313a9.exe

  • Size

    147KB

  • MD5

    56331e7b131dec58aba05405aa1242f5

  • SHA1

    f2f3a1cf7786abacb972cf31378d056de564b7c6

  • SHA256

    8ea416fd97ba762b5fa6519906c56f6c98f078f398ff75be7ed43fa1cc5313a9

  • SHA512

    4412ff6e3d4b3f916f28ddd342e72b19a8249428249fbb20b5408e093564f3fa9044947e1e3ff7177d49f62d98a9210338a25dbc236338136e6bcf6328d170ba

  • SSDEEP

    3072:P6glyuxE4GsUPnliByocWepDnc6TQHR/BLv/p:P6gDBGpvEByocWeUHjv/

Malware Config

Extracted

Path

C:\523XaDi1i.README.txt

Ransom Note
Dear managment!
---Welcome! Your are locked by SenSayQ!---
If you are reading this message, means that:
* Your network infrastructures have been compromized!
* Critical data has leaked!
* Files are encrypted!
-----------------------------------------------------------------------
The best and only thing you can do is to contact us to settle the matter before any losses occurs.
-----------------------------------------------------------------------
1. If you modify files - our decrypt software won't able to recover data.
2. If you use third party software - you can damage/modify files (see item 1).
3. You need cipher key / our decrypt software to restore you files.
4. The police or authorities will not be able to help you get the cipher key.
We encourage you to consider your decisions. Contacting us will be the fastest and safest solution to the problem.
-----------------------------------------------------------------------
Attention! If you do not contact us within 72 hours, we will be forced to publish the stolen data on our website.
To contact us:
1. Download and install Tor Browser - torproject.org/download
2. Follow the link: ppzmaodrgtg7r6zcputdlaqfliubmmjpo4u56l3ayckut3nyvw6dyayd.onion
3. Enter your ID: TFfgc8xENZ62nkC0Yt7oNeR3Uqg07IcLs1eEiuDcOAzAJl1GhJbs3QzbxidYAtsddy4JfaZE3wubaPiNbHhWaThiTHJI
E-mail support: [email protected]
URLs

http://ppzmaodrgtg7r6zcputdlaqfliubmmjpo4u56l3ayckut3nyvw6dyayd.onion
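The note carries the indicators a responder actually needs: the Tor hidden service, the per-victim ID, the 72-hour deadline and the family name. The Python below, added here as an example and not part of the sandbox output or of the malware, pulls those out with regular expressions and also matches the dropped note's file-name shape. The note text is embedded verbatim from the report, typos included, because they are useful fingerprints; the `[email protected]` placeholder is the report's own redaction, so no address is recoverable from it; and treating the 9-character prefix of `523XaDi1i.README.txt` as per-victim while `.README.txt` is the stable part is an assumption.

```python
"""Pull indicators out of the SenSayQ ransom note quoted in this report.

Added example for this report; not sandbox output and not malware code.
The note text is copied from the report as-is. The support e-mail in the
report is redacted as "[email protected]", so no address is recovered.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Ransom note as quoted in the report (dropped at C:\523XaDi1i.README.txt).
RANSOM_NOTE = """Dear managment!
---Welcome! Your are locked by SenSayQ!---
If you are reading this message, means that:
* Your network infrastructures have been compromized!
* Critical data has leaked!
* Files are encrypted!
-----------------------------------------------------------------------
The best and only thing you can do is to contact us to settle the matter before any losses occurs.
-----------------------------------------------------------------------
1. If you modify files - our decrypt software won't able to recover data.
2. If you use third party software - you can damage/modify files (see item 1).
3. You need cipher key / our decrypt software to restore you files.
4. The police or authorities will not be able to help you get the cipher key.
We encourage you to consider your decisions. Contacting us will be the fastest and safest solution to the problem.
-----------------------------------------------------------------------
Attention! If you do not contact us within 72 hours, we will be forced to publish the stolen data on our website.
To contact us:
1. Download and install Tor Browser - torproject.org/download
2. Follow the link: ppzmaodrgtg7r6zcputdlaqfliubmmjpo4u56l3ayckut3nyvw6dyayd.onion
3. Enter your ID: TFfgc8xENZ62nkC0Yt7oNeR3Uqg07IcLs1eEiuDcOAzAJl1GhJbs3QzbxidYAtsddy4JfaZE3wubaPiNbHhWaThiTHJI
E-mail support: [email protected]
"""

# v3 onion services are exactly 56 base32 characters before ".onion".
ONION_RE = re.compile(r"\b([a-z2-7]{56})\.onion\b")
VICTIM_ID_RE = re.compile(r"Enter your ID:\s*([A-Za-z0-9]{32,})")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DEADLINE_RE = re.compile(r"within\s+(\d+)\s+hours", re.IGNORECASE)
FAMILY_RE = re.compile(r"locked by (\w+)")
# Note name seen in the report: 9 alphanumerics + ".README.txt". Treating the
# prefix as variable and the suffix as stable is an assumption.
NOTE_NAME_RE = re.compile(r"^[A-Za-z0-9]{9}\.README\.txt$")


@dataclass
class NoteIocs:
    family: Optional[str] = None
    onion_urls: List[str] = field(default_factory=list)
    victim_id: Optional[str] = None
    emails: List[str] = field(default_factory=list)
    deadline_hours: Optional[int] = None


def extract_iocs(text: str) -> NoteIocs:
    """Return the network and victim identifiers embedded in a note."""
    iocs = NoteIocs()
    m = FAMILY_RE.search(text)
    if m:
        iocs.family = m.group(1)
    iocs.onion_urls = ["http://%s.onion" % h for h in ONION_RE.findall(text)]
    m = VICTIM_ID_RE.search(text)
    if m:
        iocs.victim_id = m.group(1)
    iocs.emails = EMAIL_RE.findall(text)   # empty here: the report redacts it
    m = DEADLINE_RE.search(text)
    if m:
        iocs.deadline_hours = int(m.group(1))
    return iocs


def is_ransom_note_name(filename: str) -> bool:
    """True for names shaped like the dropped note (e.g. 523XaDi1i.README.txt)."""
    return NOTE_NAME_RE.match(filename) is not None


if __name__ == "__main__":
    print(extract_iocs(RANSOM_NOTE))
```

The onion regex is deliberately strict (56 base32 characters), so a truncated or mistyped address in a note is reported as absent rather than as a bad indicator; feed the result into blocklists only after a second analyst has eyeballed it.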

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Drops desktop.ini file(s) 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ea416fd97ba762b5fa6519906c56f6c98f078f398ff75be7ed43fa1cc5313a9.exe
    "C:\Users\Admin\AppData\Local\Temp\8ea416fd97ba762b5fa6519906c56f6c98f078f398ff75be7ed43fa1cc5313a9.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\ProgramData\34A7.tmp
      "C:\ProgramData\34A7.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\34A7.tmp >> NUL
        3⤵
          PID:1352
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x14c
      1⤵
        PID:2140
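The tree above is the usual drop-and-erase sequence: the sample (PID 1952) writes and runs `C:\ProgramData\34A7.tmp` (PID 1792), which spawns cmd.exe to delete its own image. Two details matter for detection. The image path is `SysWOW64\cmd.exe` although the command line says `System32`; that is WoW64 file-system redirection, so 34A7.tmp is a 32-bit process. And the delete target is written with the 8.3 short name `C:\PROGRA~3`, so a rule that compares full paths against `C:\ProgramData` misses it. The Python below, added as an example and not part of the report, runs that detection over constructed process-creation events mirroring the tree; the field names are an assumption loosely based on Sysmon Event ID 1, and because the parent of PID 1952 is not recorded in the report it is given ppid 0.

```python
"""Detect the self-deletion step visible in the process tree above.

Added example for this report; not sandbox output and not malware code.
The events are constructed to mirror the tree (1952 -> 1792 -> 1352 plus the
unrelated AUDIODG.EXE). Field names (pid, ppid, image, cmdline) are assumed;
PID 1952's parent is not in the report, so ppid 0 stands in for "unknown".
"""
import ntpath
import re
from typing import Dict, List

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8ea416fd97ba762b5fa6519906c56f6c98f078f398ff75be7ed43fa1cc5313a9.exe"

EVENTS: List[Dict] = [
    {"pid": 1952, "ppid": 0, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    {"pid": 1792, "ppid": 1952, "image": r"C:\ProgramData\34A7.tmp",
     "cmdline": r'"C:\ProgramData\34A7.tmp"'},
    {"pid": 1352, "ppid": 1792, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\34A7.tmp >> NUL'},
    {"pid": 2140, "ppid": 0, "image": r"C:\Windows\system32\AUDIODG.EXE",
     "cmdline": r"C:\Windows\system32\AUDIODG.EXE 0x14c"},
]

# "DEL [/switches] <target>" inside a cmd.exe command line. The target stops
# at whitespace or a redirection, so ">> NUL" is not swallowed.
DEL_RE = re.compile(r"\bDEL\b(?:\s+/[A-Z])*\s+(?P<target>[^\s>]+)", re.IGNORECASE)

# Extensions Windows normally runs as a process image; anything else
# (here a .tmp under ProgramData) executing is worth a look on its own.
PROCESS_EXTS = {".exe", ".com", ".scr", ".pif"}


def image_name(path: str) -> str:
    """Case-folded file name; tolerates quotes and 8.3 short paths (PROGRA~3)."""
    return ntpath.basename(path.strip('"')).lower()


def find_self_deletion(events: List[Dict]) -> List[Dict]:
    """cmd.exe children that DEL the image of the process that spawned them."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if image_name(e["image"]) != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        target = image_name(m.group("target"))
        # Compare file names only: C:\PROGRA~3 and C:\ProgramData are the same
        # directory, so a full-path comparison would miss this sample.
        if target == image_name(parent["image"]):
            findings.append({"pid": e["pid"], "parent_pid": parent["pid"],
                             "deleted": target, "cmdline": e["cmdline"]})
    return findings


def find_odd_extension_processes(events: List[Dict]) -> List[Dict]:
    """Processes whose image does not carry a normal executable extension."""
    return [{"pid": e["pid"], "image": e["image"]} for e in events
            if ntpath.splitext(image_name(e["image"]))[1] not in PROCESS_EXTS]


if __name__ == "__main__":
    for f in find_self_deletion(EVENTS):
        print("self-deletion:", f)
    for f in find_odd_extension_processes(EVENTS):
        print("odd image extension:", f)
```

The name-only comparison is a deliberate trade: it catches the short-path and redirected-directory variants but will also fire if an unrelated cmd.exe deletes a same-named file elsewhere, so keep the parent-child link in the finding and let the analyst confirm the path.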

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\$Recycle.Bin\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini

        Filesize

        129B

        MD5

        2e1b74c9893c59c9ec505c8e87ed79c4

        SHA1

        1011a8fd20eefb6581ea1d53ab85a0cca490446f

        SHA256

        61f8eae95543508885a1a31024877c439be814b90d21d4588911ad5c4c32b361

        SHA512

        d958f1a7abd1e2dce4815e5d7142028cf03510544f7c57c5cc791d431f10b54c1bf78417b88cf6044fcf5710b98525e3a71633b9924d9f995609d5f3c6accfb8

      • C:\523XaDi1i.README.txt

        Filesize

        1KB

        MD5

        eeff0df021548b44338487d14288c5a8

        SHA1

        a8488008932b49dc1b8de6113b71462d8a329dce

        SHA256

        373c7f87fda765fd8ff40f77a06d1b969ba9766370a10e1ecf52465e49771052

        SHA512

        6dfc2fbe8a3d31e806f357016b0af93024aeabf40fcb1d4dc4c917227306f779c3c4a9019d18e46a17c7ade6769312dcee705e27362d226bc25b67c5e9bc77dc

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

        Filesize

        147KB

        MD5

        bb662ddeb4c2383c94d5ea83f46cd2cd

        SHA1

        ee66347da5e7a1cc90d4da7758cfe293705930e4

        SHA256

        c32c5ce4c2c568ddb15004a5a7293120e2128ea84e8215093c8d42aafe090b49

        SHA512

        be87c5ed97cefe0aebec836f85909288142d675c263c37791247b2dc2e03a10ca5f6ef205f93d820dbe358a5c63194d5aeec9c8572c684905aed802e6c89a7af

      • F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\DDDDDDDDDDD

        Filesize

        129B

        MD5

        28302d967515d6b2c2b4cd1755b0e07d

        SHA1

        4be1d701e272533d77304134548dab92b809fbae

        SHA256

        cc9d7c827981aadebdc5044de6caedeb8d8223e11e62e75aacfd40a2b3a56ec1

        SHA512

        ffb3d1e8917af76b067780591c74ed48a60e58b6d5da9a8fdefcc7af386f1baeb24f5c4d74d05dc78b47d02d7ea9a24cd717644edeac5b38204d9cfec0da3d92

      • \ProgramData\34A7.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • memory/1792-871-0x0000000000400000-0x0000000000407000-memory.dmp

        Filesize

        28KB

      • memory/1792-870-0x0000000000401000-0x0000000000404000-memory.dmp

        Filesize

        12KB

      • memory/1952-0-0x00000000004E0000-0x0000000000520000-memory.dmp

        Filesize

        256KB