d2d690bcb348fcc6afeaba3fb88ebb1c29df30ebec7aaf85fd91ccf4582693a3

Analysis

max time kernel
16s
max time network
22s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader 3.0.exe
Size

147KB
MD5

ff4cd364323fc2048c35783a38070aef
SHA1

4736172dd07a3a196343b94dd56b4e4edc0f2bce
SHA256

6dd7522accb6773bade16720b53ca577574defae5b1c7caf4b7fc6826dfed7e7
SHA512

c72b07b78ccbcfad14fa9f7bc3e8a086c29969b4f7f30dbe57a1a173cd82d61a20bf5ead0bc7b627d5d7f7f0def71710e2ce09590be7a886ad6c9414981eb961
SSDEEP

1536:FzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDEtDyI4njdbJBGCkmsQwvB6jr4j:GqJogYkcSNm9V7Dk4F91qYUrnbT

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (356) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

EBE5.tmp

pid	Process
896	EBE5.tmp

Executes dropped EXE 1 IoCs

Processes:

EBE5.tmp

pid	Process
896	EBE5.tmp

Loads dropped DLL 1 IoCs

Processes:

Loader 3.0.exe

pid	Process
2344	Loader 3.0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

Loader 3.0.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2958949473-3205530200-1453100116-1000\desktop.ini	Loader 3.0.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2958949473-3205530200-1453100116-1000\desktop.ini	Loader 3.0.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Loader 3.0.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Jw5Jgl9mC.bmp"	Loader 3.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Jw5Jgl9mC.bmp"	Loader 3.0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

EBE5.tmp

pid	Process
896	EBE5.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

Loader 3.0.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop	Loader 3.0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop\WallpaperStyle = "10"	Loader 3.0.exe

Modifies registry class 5 IoCs

Processes:

Loader 3.0.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Jw5Jgl9mC\DefaultIcon\ = "C:\\ProgramData\\Jw5Jgl9mC.ico"	Loader 3.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Jw5Jgl9mC	Loader 3.0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Jw5Jgl9mC\ = "Jw5Jgl9mC"	Loader 3.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jw5Jgl9mC\DefaultIcon	Loader 3.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jw5Jgl9mC	Loader 3.0.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Loader 3.0.exe

pid	Process
2344	Loader 3.0.exe
2344	Loader 3.0.exe
2344	Loader 3.0.exe
2344	Loader 3.0.exe
2344	Loader 3.0.exe
2344	Loader 3.0.exe
2344	Loader 3.0.exe
2344	Loader 3.0.exe
2344	Loader 3.0.exe
2344	Loader 3.0.exe
2344	Loader 3.0.exe
2344	Loader 3.0.exe
2344	Loader 3.0.exe
2344	Loader 3.0.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

EBE5.tmp

pid	Process
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp
896	EBE5.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Loader 3.0.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeDebugPrivilege	2344	Loader 3.0.exe
Token: 36	2344	Loader 3.0.exe
Token: SeImpersonatePrivilege	2344	Loader 3.0.exe
Token: SeIncBasePriorityPrivilege	2344	Loader 3.0.exe
Token: SeIncreaseQuotaPrivilege	2344	Loader 3.0.exe
Token: 33	2344	Loader 3.0.exe
Token: SeManageVolumePrivilege	2344	Loader 3.0.exe
Token: SeProfSingleProcessPrivilege	2344	Loader 3.0.exe
Token: SeRestorePrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeSystemProfilePrivilege	2344	Loader 3.0.exe
Token: SeTakeOwnershipPrivilege	2344	Loader 3.0.exe
Token: SeShutdownPrivilege	2344	Loader 3.0.exe
Token: SeDebugPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeBackupPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe
Token: SeSecurityPrivilege	2344	Loader 3.0.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Loader 3.0.exeEBE5.tmp

description	pid	Process	procid_target
PID 2344 wrote to memory of 896	2344	Loader 3.0.exe	33
PID 2344 wrote to memory of 896	2344	Loader 3.0.exe	33
PID 2344 wrote to memory of 896	2344	Loader 3.0.exe	33
PID 2344 wrote to memory of 896	2344	Loader 3.0.exe	33
PID 2344 wrote to memory of 896	2344	Loader 3.0.exe	33
PID 896 wrote to memory of 2456	896	EBE5.tmp	34
PID 896 wrote to memory of 2456	896	EBE5.tmp	34
PID 896 wrote to memory of 2456	896	EBE5.tmp	34
PID 896 wrote to memory of 2456	896	EBE5.tmp	34

C:\Users\Admin\AppData\Local\Temp\Loader 3.0.exe
"C:\Users\Admin\AppData\Local\Temp\Loader 3.0.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- C:\ProgramData\EBE5.tmp
  "C:\ProgramData\EBE5.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\EBE5.tmp >> NUL
    3⤵
    PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2958949473-3205530200-1453100116-1000\desktop.ini

Filesize
129B

MD5
9483a86c8a34ee27643354c8e1f58aa1

SHA1
a33208f1b667db4d3996ceaf41f12296a2093bda

SHA256
322d32dfdd09e0225fc7fae093b1b0d97e13a6a29496e027b0ac249e7b52f29a

SHA512
653d93d6797232571008f85ea41c086c4b1a7feef1f2ffaa7fc4dfc1d1205335992bd327b9ce6ea249724cf83aa02f23949585ea4b456febaa87a1e3b18ef207

Download Submit
C:\Jw5Jgl9mC.README.txt

Filesize
1KB

MD5
8b28296a2c168d86adbafc888d0f95f0

SHA1
49d6b109bf24f39c2c0f62c0796b8693c0bd99e5

SHA256
7b3daacf846fe79840647e67d9c5226a7fda47d5b32c24d874654e8ff78ffcc9

SHA512
b0f0e0a6f2962250c3b9f87637854756e7a0fcde561aae14654d0dcd1e1013876442c0354e41c5bc8e3ef57f170ac2073874ff22fdc5656f62f930350f9df6ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDD

Filesize
147KB

MD5
8959f74ddfd1d038bbcc1b06c323462a

SHA1
5a0f6168238e459f056b722b575af4cb39531a2f

SHA256
017125a6568060f23baaf67c0e9586abad97e2458e2317d95bba42f1fe36a7ff

SHA512
0a3cc62604ec07642b1d1619a0ab59a46d5490e9bd0814f101418ede83f7f6c479a765fddf52ec4ea8bf3359ccae17e79c0819be41ba6548acf6fed2ba28e42a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2958949473-3205530200-1453100116-1000\DDDDDDDDDDD

Filesize
129B

MD5
3d4eba11905817f2a4e80cb7ee2e7cc3

SHA1
21238f220533c4017d5bccbf95c3ff3fcf896875

SHA256
26d2d8f1aa4e99a39282895dcb55f2db7687b7e6b5975327db8b2152b354fb5b

SHA512
5406c54f4725573953288b6c13400f01d786517fb73d2da0625969b3bd6c4e117a3e4331cc40331449848a75903c88a4d9e67d76c9a4ab93d6a93c5e47d2a0f1

Download Submit
\ProgramData\EBE5.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/896-891-0x0000000000370000-0x00000000003B0000-memory.dmp

Filesize
256KB

Download
memory/896-890-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/896-923-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/896-922-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/896-893-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/896-892-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/2344-0-0x0000000000180000-0x00000000001C0000-memory.dmp

Filesize
256KB

Download