6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-06-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Size

147KB
MD5

9c5698924d4d1881efaf88651a304cb3
SHA1

c60a0b99729eb6d95c2d9f8b76b9714411a3a751
SHA256

6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417
SHA512

1e9cc0d7c831a496e3dbcc56f2d5d477e7a7546c2f223b0278fedfa10fc1bebb0412fd5d81ac02a77aa503ddc99dea1d59d9120d076ae7a0f5137c9260a64eea
SSDEEP

3072:+6glyuxE4GsUPnliByocWepMT0CY2gbP39m3Lpdp:+6gDBGpvEByocWeAYTbPN8p

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\flzQgniJJ.README.txt

Ransom Note

*** Welcome to Brain Cipher Ransomware! *** Dear managers! If you're reading this, it means your systems have been hacked and encrypted and your data stolen. *** The most proper way to safely recover your data is through our support. We can recover your systems within 4-6 hours. In order for it to be successful, you must follow a few points: 1.Don't go to the police, etc. 2.Do not attempt to recover data on your own. 3.Do not take the help of third-party data recovery companies. In most cases, they are scammers who will pay us a ransom and take a for themselves. *** If you violate any 1 of these points, we will refuse to cooperate with you!!! 3 steps to data recovery: 1. Download and install Tor Browser (https://www.torproject.org/download/) 2. Go to our support page: http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion 3. Enter your encryption ID: uYrTA6hpRFsWQR0nqlFk5WK8S+zUIHNd9T3L6aykdR27ztPJwC3xHOsdSBkZhmr+yKcnVLCct0ffjVRy5yvFQydzhzQWJR Email to support: [email protected]

Emails

[email protected]

URLs

http://mybmtbgd7aprdnw2ekxht5qap5daam2wch25coqerrq2zdioanob34ad.onion

Signatures

Deletes itself 1 IoCs

Processes:

2674.tmp

pid	Process
2488	2674.tmp

Executes dropped EXE 1 IoCs

Processes:

2674.tmp

pid	Process
2488	2674.tmp

Loads dropped DLL 1 IoCs

Processes:

6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe

pid	Process
1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe2674.tmp

pid	Process
1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
2488	2674.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe

pid	Process
1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

2674.tmp

pid	Process
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp
2488	2674.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeDebugPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: 36	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeImpersonatePrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeIncBasePriorityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeIncreaseQuotaPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: 33	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeManageVolumePrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeProfSingleProcessPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeRestorePrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSystemProfilePrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeTakeOwnershipPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeShutdownPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeDebugPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeBackupPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
Token: SeSecurityPrivilege	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe2674.tmp

description	pid	Process	procid_target
PID 1712 wrote to memory of 2488	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe	30
PID 1712 wrote to memory of 2488	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe	30
PID 1712 wrote to memory of 2488	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe	30
PID 1712 wrote to memory of 2488	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe	30
PID 1712 wrote to memory of 2488	1712	6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe	30
PID 2488 wrote to memory of 1956	2488	2674.tmp	31
PID 2488 wrote to memory of 1956	2488	2674.tmp	31
PID 2488 wrote to memory of 1956	2488	2674.tmp	31
PID 2488 wrote to memory of 1956	2488	2674.tmp	31

C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe
"C:\Users\Admin\AppData\Local\Temp\6e07da23603fbe5b26755df5b8fec19cadf1f7001b1558ea4f12e20271263417.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\ProgramData\2674.tmp
  "C:\ProgramData\2674.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\2674.tmp >> NUL
    3⤵
    PID:1956

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
1⤵
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2297530677-1229052932-2803917579-1000\desktop.ini

Filesize
129B

MD5
279d6ce9bd056a66df0bbc9621fb5551

SHA1
75cc1b9b7ab0f565cfc3070078981a78cce77df1

SHA256
45890a9ef6c825e5e3048bfebc02921a793bd2b1bb09f02e6f102a26170f2530

SHA512
a8c089743320ee2507e2a9d71f4eb19a10b8d494d241516d28a1ceb97c6d0afeacbe379512aa0fb01f7d0047ee27d85c7ee40c2162bae7e2e154b84bbf8ec9fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
147KB

MD5
25ee540455aa6e7c2a62dd2b031338a9

SHA1
3cb32879f4c7ebd5d6f0d6a8bb9784382e953a6a

SHA256
fe2ee862b95abf378b011b78a48e04c1734df7bd6152c98376271b83e66a84e0

SHA512
be06066eca9cba4720496e16634591bfc31e4ba14f6147b283d3cfb776342e46230bb92f61d2fb8c99e3930cd1835e2b6f526a73d26b235beef178b0f72d868e

Download Submit
C:\flzQgniJJ.README.txt

Filesize
1KB

MD5
3bebb5494e1c3d4753ce92a479e7eda5

SHA1
243685d0515d19210e4e2f354d367be6212e98ff

SHA256
13d69c85aeb5beab58caefaa2cdc257d668f568103a5cebbd98038b3b66b66bd

SHA512
0e31e7bf96fbd6bb91fbe96e59acf96dd0fef5e9db9e93e924afd17fe1066c04b0d9bf9e2d60c335db4f0347107a63d92dfc9ba9b166d2e3151e5440232f63da

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\DDDDDDDDDDD

Filesize
129B

MD5
909ccf477533aab846be71b943c87f39

SHA1
2e01477cefc43a17f22927ae1c4d5250eb5110e5

SHA256
197a98bb20b549f41fbe2794853ec18a2a999b777593c8c9e4171ac657745703

SHA512
ae13384ab0e5d1f1860243963646f53af74138cea7bff404f9e9ea22b19674b2d04657a682c6a2300d7aa7426f3d0189cb2721495a2e90c182b9e3c8cbb37317

Download Submit
\ProgramData\2674.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1712-0-0x0000000000170000-0x00000000001B0000-memory.dmp

Filesize
256KB

Download
memory/2488-871-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/2488-870-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/2488-869-0x00000000022C0000-0x0000000002300000-memory.dmp

Filesize
256KB

Download
memory/2488-868-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/2488-901-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/2488-900-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download