Resubmissions

30/06/2024, 00:43

240630-a225da1apg 9

30/06/2024, 00:40

240630-az78ls1alc 9

Analysis

  • max time kernel
    1560s
  • max time network
    1561s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    30/06/2024, 00:43

General

  • Target

    a62c2d7ccf33edfced2f449ecbc4e861c97870f66346eccc3ac3d8fb81db347a.exe

  • Size

    79KB

  • MD5

    725e65aa9cb9f4e2e7e85f6893cd189f

  • SHA1

    b785900d47cae459aace67417c7b2df977c012f0

  • SHA256

    a62c2d7ccf33edfced2f449ecbc4e861c97870f66346eccc3ac3d8fb81db347a

  • SHA512

    7adddd2f38483ebf77d0cfd2967a02ebd2eaf6a7add751c6d5423034139f6d75b05d6a46b0bd3e36072882e4d7ad973612c2f2c610a16ce85515172bfa90f31b

  • SSDEEP

    768:W7BlpDpARFbhYQkQjjIXYvPXzWPXzK3733uF4V7en5c5HChCrmhYCDPdICDPdoQc:W7ZDpApYbWjIoPyPoLzV7c6Sh1dldoQc

Malware Config

Signatures

  • Renames multiple (16877) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Drivers directory 39 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a62c2d7ccf33edfced2f449ecbc4e861c97870f66346eccc3ac3d8fb81db347a.exe
    "C:\Users\Admin\AppData\Local\Temp\a62c2d7ccf33edfced2f449ecbc4e861c97870f66346eccc3ac3d8fb81db347a.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops startup file
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A62C2D~1.EXE > nul
      2⤵
      • Deletes itself
      PID:944

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2721934792-624042501-2768869379-1000\desktop.ini.tmp

    Filesize

    80KB

    MD5

    057a0310f959c4420dc8fc034f17c25c

    SHA1

    54998aaa41f5dd99788c31a1c8da12669e724592

    SHA256

    faa7e1f5136da5edd74194c497e91d0c822a3f3f298f02310c8f8bd053981aad

    SHA512

    4fbac41b6b2ef2f1722168aa5c85402d6dd18246a4c0bcaad156e1ccae01bcf0e57e07e19464646701c9039a0c9f4769fc2b069e70bdc948c27dac9894d224da

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

    Filesize

    89KB

    MD5

    e198d4db3cf544c1d89b89e33bc35172

    SHA1

    8f7d9e56b9b1e796a89e10a41130ce11ee155a81

    SHA256

    8a9594a9a59f7faeb9544837247ace4fae608f2b1d4451a592de45029c86f70b

    SHA512

    8a0a80abaefd72846d4f5ec4904e3cf42a159fe897147e854572ff87afe50ec86037f264a7c797f152efd5403cad60e0f00c278c61f78f5ac736efc76e767505