Analysis

  • max time kernel
    1558s
  • max time network
    1559s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-07-2024 08:54

General

  • Target

    b923f1d2ece074dabe58bb6a603ed5d49e8d62044a1293a37e8afbcac029dded.exe

  • Size

    146KB

  • MD5

    a96ac42f9ccc7d11663f2741d5dfe930

  • SHA1

    3ff257bcb32b3862d4eb08c73949e1aa930a2384

  • SHA256

    b923f1d2ece074dabe58bb6a603ed5d49e8d62044a1293a37e8afbcac029dded

  • SHA512

    0021067adc17831733b267893639e034db928583acb5a2c18221213772ae7e85fd52bfdf7f90377cee63495d5ba05ce4bd706af302f81357f41fabde9fe29409

  • SSDEEP

    3072:q6glyuxE4GsUPnliByocWepqzYq7G9HkRgeXCDy8MD5:q6gDBGpvEByocWe4Y7pkRgeS28MD5

Malware Config

Extracted

Path

C:\6KMVhDmrY.README.txt

Ransom Note
~~~ Your computer was infected with a ransomware virus~~~
>>>> Your data are stolen and encrypted
The data will be published on TOR website if you do not pay the ransom
You won't be able to decrypt them without our help.
>>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!
>>>> What guarantees that we will not deceive you?
We are not a politically motivated group and we do not need anything other than your money.
If you pay, we will decrypt all your files and delete your data from our database
If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future.
>>>> Payment information
To recover your files, Send $50 worth of Bitcoin to the following address:
bc1qe4mvvcsycwsu6gp7chnd7r4wd5f5sgy2man87k
Contact us (email addess): [email protected]

Signatures

  • Renames multiple (355) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b923f1d2ece074dabe58bb6a603ed5d49e8d62044a1293a37e8afbcac029dded.exe
    "C:\Users\Admin\AppData\Local\Temp\b923f1d2ece074dabe58bb6a603ed5d49e8d62044a1293a37e8afbcac029dded.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\ProgramData\1C76.tmp
      "C:\ProgramData\1C76.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1C76.tmp >> NUL
        3⤵
        PID:2936
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini

        Filesize

        129B

        MD5

        40bebb6a6c23933f961950725c65af35

        SHA1

        dba2770356b209d604e3f641e2e933bf30765123

        SHA256

        519a0aa3aef5fe2b022d89a0f2320bb837a2e7274121f2155bb8fb2dd0c46d75

        SHA512

        5366a01e32d916a3533299cdf7f17d299cd080dfa4d896c3cb19700440de4d6c037bc106d848f5deca70f204dd25a94f7185eddeeaa0452610af63a22b55db14

      • C:\6KMVhDmrY.README.txt

        Filesize

        917B

        MD5

        f0b4ce69ecdf87a5ad8964b5808bd31c

        SHA1

        c9399bd45e873d8a31bd916833113f1e33cb02e1

        SHA256

        cea6173bbf09f291f3397f81e30a918217217ec14308c69b573fbb83335b9d0f

        SHA512

        6683a9eea59640201239f57b1e6b2225d332cddf5899fb237b01848e5db6b7fa590fd7a893b48ac6b29cd63c180934dc54f0401f213a86b9be4773a0f33a5463

      • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

        Filesize

        146KB

        MD5

        e45d09256464fe6fef8902a49304cde3

        SHA1

        4cb21c696e77db383bdda131417b8d275dab1f28

        SHA256

        33d184ddcb7eb2d5f8f38ef7680b33dfd2ce2f93a1cc4bbc5d0d90f02990cb70

        SHA512

        7bde9d1eaa6ab0737adff751eddbe9a3b326f4c581d4151eba4055527ec3a8074ff0dbda731a7a53e2e55e5049bac7a8940028a5ae2cf82f04e396e35f971804

      • F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\DDDDDDDDDDD

        Filesize

        129B

        MD5

        8a5836a68995f312797eb2ece67574f2

        SHA1

        4b63d79b4c178af644501b316b5cfbf135fbe3cf

        SHA256

        6321c5e993aa3092b944bf8728c7eb2d5f9f14939cc58de81dbe8f1f726a7919

        SHA512

        c3452556499341bf3c063d6fec077c6c9cd9e63455bcc1a6657cbcab05bc816563e3c3a2a1cc6cfb3dcdad9a31e7400aa436a3ef66cf3f3a31ec003146cffe7a

      • \ProgramData\1C76.tmp

        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      • memory/1708-889-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

        Filesize

        4KB

      • memory/1708-892-0x000000007EF20000-0x000000007EF21000-memory.dmp

        Filesize

        4KB

      • memory/1708-891-0x000000007EF80000-0x000000007EF81000-memory.dmp

        Filesize

        4KB

      • memory/1708-890-0x0000000002270000-0x00000000022B0000-memory.dmp

        Filesize

        256KB

      • memory/1708-922-0x000000007EF60000-0x000000007EF61000-memory.dmp

        Filesize

        4KB

      • memory/1708-921-0x000000007EF40000-0x000000007EF41000-memory.dmp

        Filesize

        4KB

      • memory/1908-0-0x0000000002370000-0x00000000023B0000-memory.dmp

        Filesize

        256KB