Overview

overview

10

Static

static

10

c394e16732...05.exe

windows11-21h2-x64

Resubmissions

21-07-2024 10:03

240721-l3sswaybja 10

21-07-2024 09:38

240721-ll4ttazdpl 10

Analysis

  • max time kernel
    59s
  • max time network
    42s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    21-07-2024 10:03

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    c394e1673274a8d0861ed637c425de244ead5f8ffbc7cb84862d9b81ec884505.exe

  • Size

    145KB

  • MD5

    337559ae1b02b42586781787918b4b6c

  • SHA1

    114577ce6270fde6ed9dbc782484bfa36766baed

  • SHA256

    c394e1673274a8d0861ed637c425de244ead5f8ffbc7cb84862d9b81ec884505

  • SHA512

    8f6a3ed66d74a3950c78b24c8617714697ba8f3eea8ff75ba74206a2ee814212389d50d2824cdf96311774f16730429e4bae28b9c59b97dd0baf4e20dc73189f

  • SSDEEP

    3072:uqJogYkcSNm9V7D/Lwi7Z2ncxMN9vMWT:uq2kc4m9tDTwi7Z2cF

Score
7/10
ransomwarespywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 6 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c394e1673274a8d0861ed637c425de244ead5f8ffbc7cb84862d9b81ec884505.exe
    "C:\Users\Admin\AppData\Local\Temp\c394e1673274a8d0861ed637c425de244ead5f8ffbc7cb84862d9b81ec884505.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3140
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:2836
    • C:\ProgramData\D300.tmp
      "C:\ProgramData\D300.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      PID:1224
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\txdM9F1WD.README.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:4496
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:1492
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:400
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{90048E1F-303E-482B-B23C-94BE35A44F9C}.xps" 133660298574790000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2276
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2464
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\txdM9F1WD.README.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:1728

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-514081398-208714212-3319599467-1000\AAAAAAAAAAA
      Filesize

      129B

      MD5

      7aec939612f68ba04aa24aa2bca6afe7

      SHA1

      2087b342edc5101df8006acf1e9c53c9813ed535

      SHA256

      1ec3e42fa6437ae4f22156b1b1518326be85d95541d6b1575bfa77f0fbcef7a7

      SHA512

      182923d5da9be5b1d607b0e5ca922453cd6745d204a1d98594ff860da847d2d8245bf59f85a71ee0ce55888a3db21086309c48da023ff68d76e430f9a85e7984

      Download Submit

    • C:\ProgramData\D300.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
      Filesize

      145KB

      MD5

      6b65f42042fb30261cfc56a60f7506b9

      SHA1

      e8588fb875f0c87ef0e4db03e23a6184c87cfa4a

      SHA256

      e0d5c3a8989221d1d8be4ffb16f1d76be222c1e0b7c07734a35f896bd91227cb

      SHA512

      261253456af705256695ee966e30490d1383921738c62c865e40e6ad17ba32af5934f2a1dbc2200fc5c9ddda754d6d84e6273274776d2f4531d1dac823e55373

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{32401933-776B-4A3A-B883-0792D3782FD1}
      Filesize

      4KB

      MD5

      b775ac262189769cd6740d6952904baa

      SHA1

      3d576b63a69b4325d9e52c6d60b4a0863bd20059

      SHA256

      b29d62acb145a7c06ba456dd21e88f52ccfb5cf2c3cacdb5ebea3837db06d8b5

      SHA512

      0c44cdde75afd7373c0b80cdbf147678388969d3532eb5d1d6640be3f000310195c41500f1d62ed31184b4a7eb70452cc08df522c48f9f6a4e1298199f50b315

      Download Submit

    • C:\Users\txdM9F1WD.README.txt
      Filesize

      27B

      MD5

      734928ecdc131bc5f8de15316a4a3c36

      SHA1

      99f69f63b39bc26bab9e3a88a37e5eca67aff5c8

      SHA256

      5778fea386e2432c9d30e0a22ad06a4021462d6688c3dd2bf19e7a0206049fd5

      SHA512

      e0490bc9cb7cb18c99824eaf8aa37ee10be841245a3aa03f227d80dfd63ab125d025de6d9374883707a0ce60dc6e85079ada0bd1a22121ed9e9c75836fcf979d

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-514081398-208714212-3319599467-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      2660d25b23c2e905f25a5ff88d2880cd

      SHA1

      06e8a90658fe1fe67426429e7fab0443f362581f

      SHA256

      784f74439ed025d400c1029a78112121c9e8591270ba433c081f463538a84a79

      SHA512

      2e1b096aa0ee49756570a80acbd2ec869269458d4d999c10072a116b5a4b7c9be23467fbe8a8b8b883ef610bc35c14cca00d913316b3c8ed39248a3d9721a554

      Download Submit

    • memory/2276-2782-0x00007FFA0AF90000-0x00007FFA0AFA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2276-2712-0x00007FFA0AF90000-0x00007FFA0AFA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2276-2711-0x00007FFA0AF90000-0x00007FFA0AFA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2276-2715-0x00007FFA0AF90000-0x00007FFA0AFA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2276-2713-0x00007FFA0AF90000-0x00007FFA0AFA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2276-2714-0x00007FFA0AF90000-0x00007FFA0AFA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2276-2779-0x00007FFA0AF90000-0x00007FFA0AFA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2276-2744-0x00007FFA08C50000-0x00007FFA08C60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2276-2745-0x00007FFA08C50000-0x00007FFA08C60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2276-2780-0x00007FFA0AF90000-0x00007FFA0AFA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2276-2781-0x00007FFA0AF90000-0x00007FFA0AFA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3140-1-0x0000000002760000-0x0000000002770000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3140-2-0x0000000002760000-0x0000000002770000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3140-0-0x0000000002760000-0x0000000002770000-memory.dmp

      Filesize

      64KB

      Download