Resubmissions

21-07-2024 10:03

240721-l3sswaybja 10

21-07-2024 09:38

240721-ll4ttazdpl 10

Analysis

  • max time kernel
    71s
  • max time network
    26s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-07-2024 09:38

Errors

Reason
Machine shutdown

General

  • Target

    c394e1673274a8d0861ed637c425de244ead5f8ffbc7cb84862d9b81ec884505.exe

  • Size

    145KB

  • MD5

    337559ae1b02b42586781787918b4b6c

  • SHA1

    114577ce6270fde6ed9dbc782484bfa36766baed

  • SHA256

    c394e1673274a8d0861ed637c425de244ead5f8ffbc7cb84862d9b81ec884505

  • SHA512

    8f6a3ed66d74a3950c78b24c8617714697ba8f3eea8ff75ba74206a2ee814212389d50d2824cdf96311774f16730429e4bae28b9c59b97dd0baf4e20dc73189f

  • SSDEEP

    3072:uqJogYkcSNm9V7D/Lwi7Z2ncxMN9vMWT:uq2kc4m9tDTwi7Z2cF

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive account data.

  • Drops desktop.ini file(s) 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c394e1673274a8d0861ed637c425de244ead5f8ffbc7cb84862d9b81ec884505.exe
    "C:\Users\Admin\AppData\Local\Temp\c394e1673274a8d0861ed637c425de244ead5f8ffbc7cb84862d9b81ec884505.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\ProgramData\FFC2.tmp
      "C:\ProgramData\FFC2.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: RenamesItself
      PID:1028
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x14c
    1⤵
      PID:2752
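The process tree above is what the "Executes dropped EXE" and "Deletes itself" signatures are derived from: the sample (PID 2624) writes C:\ProgramData\FFC2.tmp and runs it (PID 1028), and the sandbox then credits the deletion of the original sample to that child. As an added example (not the sandbox's own code), the Python below re-implements both signatures over a constructed event stream modelled on that tree. The event ordering, the event schema and the parent PIDs 1000 and 800 are assumptions; the report only shows the final tree, not raw events.

```python
"""
Re-implementation of two sandbox behaviour signatures, "Executes dropped EXE"
and "Deletes itself", as pure-Python checks over a constructed event stream.
Added example; not the sandbox's own code.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    kind: str                    # "process_create", "file_write" or "file_delete"
    pid: int                     # acting process
    ppid: Optional[int] = None   # parent pid, process_create only
    image: Optional[str] = None  # executable image, process_create only
    path: Optional[str] = None   # target file, file_write / file_delete only


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\c394e1673274a8d0861ed637c425de244ead5f8ffbc7cb84862d9b81ec884505.exe")
DROPPER_TMP = r"C:\ProgramData\FFC2.tmp"

# Constructed events modelled on the report's process tree. The ordering and
# the parent PIDs 1000 and 800 are assumptions, not data from the report.
EVENTS = [
    Event("process_create", pid=2624, ppid=1000, image=SAMPLE),
    Event("file_write",     pid=2624, path=DROPPER_TMP),
    Event("process_create", pid=1028, ppid=2624, image=DROPPER_TMP),
    Event("file_delete",    pid=1028, path=SAMPLE.lower()),  # case differs on purpose
    Event("process_create", pid=2752, ppid=800,
          image=r"C:\Windows\system32\AUDIODG.EXE"),
]


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; compare them normalised.
    return path.lower()


def executes_dropped_exe(events):
    """Return (writer_pid, new_pid, image) for every process whose image was
    written earlier in the trace by a process we observed."""
    written = {}  # normalised path -> pid that wrote it
    hits = []
    for ev in events:
        if ev.kind == "file_write":
            written[_norm(ev.path)] = ev.pid
        elif ev.kind == "process_create" and _norm(ev.image) in written:
            hits.append((written[_norm(ev.image)], ev.pid, ev.image))
    return hits


def deletes_itself(events):
    """Return (deleting_pid, owner_pid, path) where a process deletes its own
    image or the image of an ancestor. The ancestor case is what the report
    shows: FFC2.tmp (PID 1028) removes the sample that ran as PID 2624, and
    the sandbox credits the deletion to the child."""
    image_of, parent_of = {}, {}
    hits = []
    for ev in events:
        if ev.kind == "process_create":
            image_of[ev.pid] = _norm(ev.image)
            parent_of[ev.pid] = ev.ppid
        elif ev.kind == "file_delete":
            target = _norm(ev.path)
            pid = ev.pid
            while pid in image_of:  # walk up the observed ancestry
                if image_of[pid] == target:
                    hits.append((ev.pid, pid, ev.path))
                    break
                pid = parent_of[pid]
    return hits


if __name__ == "__main__":
    print("Executes dropped EXE:", executes_dropped_exe(EVENTS))
    print("Deletes itself:", deletes_itself(EVENTS))
```

Walking the ancestry rather than only checking the deleting process's own image is what makes the second check match the report's attribution: a dropper that delegates self-deletion to a child would otherwise slip past a naive "deletes own image" rule.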

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-2958949473-3205530200-1453100116-1000\desktop.ini

      Filesize

      129B

      MD5

      79f5c5fd5fefe334200b1ae81177b93f

      SHA1

      4a315854f5b863e611dc31927c66a11bcb69b242

      SHA256

      5431df579b8d9fad2f14e10f423ab5b8a234026b84589c04f9a7e6fe7901ce21

      SHA512

      2fc6c445893e10c1b0fa5391e597fe6f79ac30ebb62fa346e7769cd8cac59943f681064e367b48f0532ffed09078166b4f5bdee6004599dfd86e0b14a12f4431

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

      Filesize

      145KB

      MD5

      642d50edaac7d9985f98434d201fc559

      SHA1

      4edbd44e78c0e81cd401b95e6c4c7fba7dcb2600

      SHA256

      6b774666ca7cbfc239fffc8cd7dcf0f2520fbf46aeda80a7037f2692a5ef7d18

      SHA512

      fb70e9ea3b24ee7a7591757e127705d1cdd6a8c98ed185d23a104a60e1931f03790c13efd320e6657776d92fdb52fb4584f8bf6a139343070190cd8cfd35e599

    • C:\txdM9F1WD.README.txt

      Filesize

      27B

      MD5

      734928ecdc131bc5f8de15316a4a3c36

      SHA1

      99f69f63b39bc26bab9e3a88a37e5eca67aff5c8

      SHA256

      5778fea386e2432c9d30e0a22ad06a4021462d6688c3dd2bf19e7a0206049fd5

      SHA512

      e0490bc9cb7cb18c99824eaf8aa37ee10be841245a3aa03f227d80dfd63ab125d025de6d9374883707a0ce60dc6e85079ada0bd1a22121ed9e9c75836fcf979d

    • F:\$RECYCLE.BIN\S-1-5-21-2958949473-3205530200-1453100116-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      da813a0644cea18da7e61a8b3cae22f2

      SHA1

      147aa2b6647f964676453b5115df869aa55739d8

      SHA256

      3f969c61a84fd58d1640348d61ff70defbc2afb9d99f9ffffcab9e215211341d

      SHA512

      2a5e405da5b73a59790c78add9d60340324faaaf8aae0fa7e2bd715125114d2614ddedeecce0484dba2d9a883847d0d9ef1d9e867ee4b7009cf16ff35005611d

    • \ProgramData\FFC2.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • memory/1028-885-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

    • memory/1028-884-0x000000007EF80000-0x000000007EF81000-memory.dmp

      Filesize

      4KB

    • memory/1028-883-0x00000000021E0000-0x0000000002220000-memory.dmp

      Filesize

      256KB

    • memory/1028-882-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

      Filesize

      4KB

    • memory/2624-0-0x0000000000520000-0x0000000000560000-memory.dmp

      Filesize

      256KB