Overview

overview

9

Static

static

3

eaa0e773eb...bc.exe

windows7-x64

9

eaa0e773eb...bc.exe

windows10-1703-x64

9

eaa0e773eb...bc.exe

windows10-2004-x64

9

eaa0e773eb...bc.exe

windows11-21h2-x64

9

Resubmissions

13-08-2024 12:55

240813-p5s37svarb 9

03-08-2024 05:56

240803-gng1lsvfnn 9

29-07-2024 17:59

240729-wkpzdawhlc 9

29-07-2024 13:14

240729-qg3heazdpj 9

Analysis

  • max time kernel
    134s
  • max time network
    148s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    29-07-2024 17:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe

  • Size

    162KB

  • MD5

    7e851829ee37bc0cf65a268d1d1baa7a

  • SHA1

    672553c79db2a3859a8ea216804d4ff8d2ded538

  • SHA256

    eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc

  • SHA512

    856c6d27669b3123064d85adbc119414f5418f80bbbc9f85f4575df97cf34d1f4ab96fab5442a337ac6a90c076ba5af835f5286cb403acfb3a1e4fc5d0834ebd

  • SSDEEP

    3072:rjvNTtA6pzarOLgSua/iw6kzg3qe1PTjrnFFMVUT6tSTC6D1vtPR1DO66ddJpW3h:r72qe1PTjrnf/KMR1j6df01fiuAP3xFm

Score
9/10
credential_accessdiscoveryransomwarestealer

Malware Config

Signatures

  • Renames multiple (1119) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
    "C:\Users\Admin\AppData\Local\Temp\eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1012
  • C:\Windows\system32\printfilterpipelinesvc.exe
    C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:8228
    • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
      /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{7ECE8FFB-AA5E-4A89-9133-80748F551754}.xps" 133667496044570000
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:8424

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Windows Credential Manager

1
T1555.004

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Adobe\README.txt
    Filesize

    423B

    MD5

    7ff94943cdf15452a094e7a8587755b6

    SHA1

    663d82d423fd075b4c87e6428e9c2556c474b88e

    SHA256

    6497c4ac3c3c1dc3fa0405571007a21ae4cecb7cc7cc170c4ad17f683a6118a5

    SHA512

    da91f22c6c9fd4f25a5bc6be74c2dbf1b4d886af97d6dba49de12bef6f9d511b7cd834bae1851a5b4057b665353b2d6b802c5c45076ca5af94827db2ef2028ef

    Download Submit
  • C:\ProgramData\Microsoft\Office\ClickToRunPackageLocker
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • C:\ProgramData\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\MasterDatastore.xml
    Filesize

    387B

    MD5

    0a6645d2b49d41bbe572387ed7bc2b79

    SHA1

    1bb3cce8fa7938fc6e4282ba327ce21045e62fc9

    SHA256

    5d4490da345ed58ebdedd9d97b8cb8b37db4e5e52d426e214053a6d2f7577dd6

    SHA512

    c78c9b19f3b71a416e27b00ac82ef325faade36bbcbf2e92d28ffa432a700819274391fbdc940aad6b92f56d3437fde7948e1178de9800dbfdaa0e7f3e0d5a22

    Download Submit
  • C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\188__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml
    Filesize

    596B

    MD5

    38de9baf4b834682d955ab28e9adbd7a

    SHA1

    ca9465666c6c2ee084d23c605e824f643aad1095

    SHA256

    828f20b66aa83e8de36d9d052830ba5b81c7cdf6414b6cd08af11fb981c4171b

    SHA512

    1df9bb0e2011c82882731c206a56863c8ee6c8854871ddcb4e1b7367f23bc81e65caa10d318844d0cfe59b4ebb19d57cb81d764fd3dac98773b6549900c5b751

    Download Submit
  • C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\623__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml
    Filesize

    459B

    MD5

    7d3cea937f70e905bd40a3f403ef7d3e

    SHA1

    0231624a58e078e99a7148c94ee13b75896efd70

    SHA256

    eaa4c9f587e5b29894fbfecd197936c10a7aa5189614b581a33a79d66ad797d5

    SHA512

    5d1d58b5f017a78b334feae183fb8e1b62751270cfb635e025c8eb3545bbaf0482d013f5da986cbf43b09485c438892ad1fa0328e8e0f557d414b18edbea832f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\{1B99834A-8F10-4476-827A-11AFC9F359CC}
    Filesize

    4KB

    MD5

    06e69b3390eec0e2555bf5e6b2f6a40b

    SHA1

    b588ad1e786636e09f03e9661aa22bb574a3d5d1

    SHA256

    312c259f8b8af11985ea45346549b13f77ff90c89852055058dd282ef9f7e95f

    SHA512

    3b8821ee8948ab8bb0b2257ba5a1a303c056fc4ceae181faaef1e3742ad5461b7571fc0d3fb16992448370f208f06504807a5bfe4285ef36181bd39eb3164938

    Download Submit
  • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
    Filesize

    4KB

    MD5

    11a72dcb3484d0a77b3a67c38c59f616

    SHA1

    e63a6891459668e41d1a8fa2e41f49b04f939951

    SHA256

    1c1befe8b2f18c45921abc38a2e6ba5e97be2d7eb31f66bcf06cd78296d458c2

    SHA512

    02fd59298d5ba35fd2e5576cf37a108f240a19548458966c78f933fb5eec6b6b208890cee4cdf72f35df58882f6654fc3f4ba2c3b32e170ffd5b933880967c3b

    Download Submit
  • memory/8424-3687-0x00007FF80CB30000-0x00007FF80CB40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/8424-3689-0x00007FF80CB30000-0x00007FF80CB40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/8424-3692-0x00007FF809220000-0x00007FF809230000-memory.dmp
    Filesize

    64KB

    Download
  • memory/8424-3693-0x00007FF809220000-0x00007FF809230000-memory.dmp
    Filesize

    64KB

    Download
  • memory/8424-3688-0x00007FF80CB30000-0x00007FF80CB40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/8424-3686-0x00007FF80CB30000-0x00007FF80CB40000-memory.dmp
    Filesize

    64KB

    Download