f885292741e1b6d1bd35d6c35cf125ade98b5956f88f64e6596bde835fb15984

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
04/08/2024, 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e586722144cb8d90672ec57043dd85d0N.exe
Size

147KB
MD5

e586722144cb8d90672ec57043dd85d0
SHA1

44d79cc55fc09b556e5cd29d686ac5658e0b9ada
SHA256

f885292741e1b6d1bd35d6c35cf125ade98b5956f88f64e6596bde835fb15984
SHA512

90ec3e866ee29d6b40cb7616ca4b5e9d5935be30ac067d07c7d3e81630881670642457326176b6eab15c5c62de55c4e9581bdb767fe894cce63a6cb934a586e7
SSDEEP

1536:QzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDHc4KWJXmP0bGAVXVd7YZx3JCTz:vqJogYkcSNm9V7DUWJXm8b7ld7IGTHT

Score

10^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\6MLkBJomc.README.txt

Ransom Note

------Dear managers!------ If you are reading this, it means your network has been attacked. What does that mean? We hacked your network and now all your files, documents, client database, projects and other important data safely encrypted with reliable algorithms. we also have a copy of all your data. WARNING!!! You don't have to go to the POLICE, etc. Otherwise we will not be able to help you. You cannot acces the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. As proof, we can decrypt any 3 files you provide. We are not interested to ruin your business. We want to get ransom and be happy. Please bring this information to your team leaders as soon as possible. In case of a successfull transaction, we will restore your systems within 4-6 hours and also provide security recommendations. Don't cry, money is just paper! -----------------------WARNING----------------------- If you modify files - our decrypt software won't able to recover data If you use third party software - you can damage/modify files (see item 1) You nedd cipher key / our decrypt software to restore you files. The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -----------------------RECOVERY----------------------- Use email: [email protected] (Alternate email address: [email protected]) You personal ID: 9203819856004948

Emails

[email protected]

Signatures

Renames multiple (322) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
1924	9B07.tmp

Executes dropped EXE 1 IoCs

pid	Process
1924	9B07.tmp

Loads dropped DLL 1 IoCs

pid	Process
2392	e586722144cb8d90672ec57043dd85d0N.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini	e586722144cb8d90672ec57043dd85d0N.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini	e586722144cb8d90672ec57043dd85d0N.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1924	9B07.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e586722144cb8d90672ec57043dd85d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9B07.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2392	e586722144cb8d90672ec57043dd85d0N.exe
2392	e586722144cb8d90672ec57043dd85d0N.exe
2392	e586722144cb8d90672ec57043dd85d0N.exe
2392	e586722144cb8d90672ec57043dd85d0N.exe
2392	e586722144cb8d90672ec57043dd85d0N.exe
2392	e586722144cb8d90672ec57043dd85d0N.exe
2392	e586722144cb8d90672ec57043dd85d0N.exe
2392	e586722144cb8d90672ec57043dd85d0N.exe
2392	e586722144cb8d90672ec57043dd85d0N.exe
2392	e586722144cb8d90672ec57043dd85d0N.exe
2392	e586722144cb8d90672ec57043dd85d0N.exe
2392	e586722144cb8d90672ec57043dd85d0N.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp
1924	9B07.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeDebugPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: 36	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeImpersonatePrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeIncBasePriorityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeIncreaseQuotaPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: 33	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeManageVolumePrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeProfSingleProcessPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeRestorePrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSystemProfilePrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeTakeOwnershipPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeShutdownPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeDebugPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	2392	e586722144cb8d90672ec57043dd85d0N.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 1924	2392	e586722144cb8d90672ec57043dd85d0N.exe	32
PID 2392 wrote to memory of 1924	2392	e586722144cb8d90672ec57043dd85d0N.exe	32
PID 2392 wrote to memory of 1924	2392	e586722144cb8d90672ec57043dd85d0N.exe	32
PID 2392 wrote to memory of 1924	2392	e586722144cb8d90672ec57043dd85d0N.exe	32
PID 2392 wrote to memory of 1924	2392	e586722144cb8d90672ec57043dd85d0N.exe	32
PID 1924 wrote to memory of 2300	1924	9B07.tmp	33
PID 1924 wrote to memory of 2300	1924	9B07.tmp	33
PID 1924 wrote to memory of 2300	1924	9B07.tmp	33
PID 1924 wrote to memory of 2300	1924	9B07.tmp	33

C:\Users\Admin\AppData\Local\Temp\e586722144cb8d90672ec57043dd85d0N.exe
"C:\Users\Admin\AppData\Local\Temp\e586722144cb8d90672ec57043dd85d0N.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
- C:\ProgramData\9B07.tmp
  "C:\ProgramData\9B07.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\9B07.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2300

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
1⤵
PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini

Filesize
129B

MD5
7bb2e3bcfcaa80ab37ef567f3a22f1a0

SHA1
c896f08189be1e348beb3371e97ebfa1d3dd5075

SHA256
de94fca2c3d8648aa9697c8258020e2ab6b69df64ea78dae3cf78eacebb809ca

SHA512
7faec217fbe5c224377d7402c10971b396745abe421b16fb0490a88bd8d7600a7e942ead45a384882046acf3100cf4c8af67ea22ee1098cd829b9ac51c90617f

Download Submit
C:\6MLkBJomc.README.txt

Filesize
1KB

MD5
5d5e3bcf3bf2dbe5a7550905da970fe7

SHA1
435377160c7cc453c1b0f5434cf43f27f0e26f65

SHA256
3f87ea04b7b04c9d7d2fd2b631bc1b3273cfda1ffc1562de09feef03e60a706c

SHA512
4eb102f496c14d8dd1439b62a920ba0595f74391473c81f88d7ce30bac5c0741217b5065490f66344594f2534bffc2e6f8107b99683b1383e6d91d7e0443e62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
147KB

MD5
50dac8a618c89163f8be28cb2b0add0e

SHA1
ca87f0a6b71606bd6927a755c31a5f72880e9cb5

SHA256
d7145c3f1af20da72af8fe46618ed3b8bdc0a15d376f361cf07f611ca8cd3aaa

SHA512
542bd2bb9a5258f08bbad9d60005192ff8d2279f9b82b107b0f4fb985fdf03f81d23582327d023f4fcaed0a0cac5383253d6e715ebd17e37ece292b3077d69c2

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3294248377-1418901787-4083263181-1000\DDDDDDDDDDD

Filesize
129B

MD5
c496c1f08e3c1b0e274b5746639097ad

SHA1
a82a7b1fa3def1bb0afd88d33bad86567154d702

SHA256
1257a025152bcfd190f683fa9c6076440581233314370ee08db55d0af5b8b0c5

SHA512
e6d758138dcee3bf37b33f4d3b4116f8d284491358b79d27a76b575eb1aeb197a73d3a4822667abaf9866059fb264fbf46e32bbe4a313cc734489b1277a7525b

Download Submit
\ProgramData\9B07.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1924-854-0x0000000002420000-0x0000000002460000-memory.dmp

Filesize
256KB

Download
memory/1924-856-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/1924-855-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/1924-853-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/1924-886-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/1924-885-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/2392-0-0x0000000002290000-0x00000000022D0000-memory.dmp

Filesize
256KB

Download