f885292741e1b6d1bd35d6c35cf125ade98b5956f88f64e6596bde835fb15984

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/08/2024, 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e586722144cb8d90672ec57043dd85d0N.exe
Size

147KB
MD5

e586722144cb8d90672ec57043dd85d0
SHA1

44d79cc55fc09b556e5cd29d686ac5658e0b9ada
SHA256

f885292741e1b6d1bd35d6c35cf125ade98b5956f88f64e6596bde835fb15984
SHA512

90ec3e866ee29d6b40cb7616ca4b5e9d5935be30ac067d07c7d3e81630881670642457326176b6eab15c5c62de55c4e9581bdb767fe894cce63a6cb934a586e7
SSDEEP

1536:QzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDHc4KWJXmP0bGAVXVd7YZx3JCTz:vqJogYkcSNm9V7DUWJXm8b7ld7IGTHT

Score

10^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\6MLkBJomc.README.txt

Ransom Note

------Dear managers!------ If you are reading this, it means your network has been attacked. What does that mean? We hacked your network and now all your files, documents, client database, projects and other important data safely encrypted with reliable algorithms. we also have a copy of all your data. WARNING!!! You don't have to go to the POLICE, etc. Otherwise we will not be able to help you. You cannot acces the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. As proof, we can decrypt any 3 files you provide. We are not interested to ruin your business. We want to get ransom and be happy. Please bring this information to your team leaders as soon as possible. In case of a successfull transaction, we will restore your systems within 4-6 hours and also provide security recommendations. Don't cry, money is just paper! -----------------------WARNING----------------------- If you modify files - our decrypt software won't able to recover data If you use third party software - you can damage/modify files (see item 1) You nedd cipher key / our decrypt software to restore you files. The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -----------------------RECOVERY----------------------- Use email: [email protected] (Alternate email address: [email protected]) You personal ID: 9203819856004948

Emails

[email protected]

Signatures

Renames multiple (632) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	BF29.tmp

Deletes itself 1 IoCs

pid	Process
2592	BF29.tmp

Executes dropped EXE 1 IoCs

pid	Process
2592	BF29.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini	e586722144cb8d90672ec57043dd85d0N.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini	e586722144cb8d90672ec57043dd85d0N.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2592	BF29.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e586722144cb8d90672ec57043dd85d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BF29.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe
4044	e586722144cb8d90672ec57043dd85d0N.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp
2592	BF29.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeDebugPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: 36	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeImpersonatePrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeIncBasePriorityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeIncreaseQuotaPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: 33	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeManageVolumePrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeProfSingleProcessPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeRestorePrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSystemProfilePrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeTakeOwnershipPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeShutdownPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeDebugPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeBackupPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe
Token: SeSecurityPrivilege	4044	e586722144cb8d90672ec57043dd85d0N.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 2592	4044	e586722144cb8d90672ec57043dd85d0N.exe	89
PID 4044 wrote to memory of 2592	4044	e586722144cb8d90672ec57043dd85d0N.exe	89
PID 4044 wrote to memory of 2592	4044	e586722144cb8d90672ec57043dd85d0N.exe	89
PID 4044 wrote to memory of 2592	4044	e586722144cb8d90672ec57043dd85d0N.exe	89
PID 2592 wrote to memory of 4016	2592	BF29.tmp	90
PID 2592 wrote to memory of 4016	2592	BF29.tmp	90
PID 2592 wrote to memory of 4016	2592	BF29.tmp	90

C:\Users\Admin\AppData\Local\Temp\e586722144cb8d90672ec57043dd85d0N.exe
"C:\Users\Admin\AppData\Local\Temp\e586722144cb8d90672ec57043dd85d0N.exe"
1⤵
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044
- C:\ProgramData\BF29.tmp
  "C:\ProgramData\BF29.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BF29.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini

Filesize
129B

MD5
53640a9501e5c1ec476f6b497bb63486

SHA1
552f393f11e5a977b905c8f6114d7d8c2bab658b

SHA256
cd18315e6a4d9b40711f45b9fc448421b6ec54d6f21ba620f10ce3875a127cb1

SHA512
c7354984b3aeaaba5e6d3b17c71f3ae875b9416d70f308fee89f16fcffc2baa6875c88a48f719e8925827b7683bbf203e2a02664faa465c2ed52b14ceead7790

Download Submit
C:\6MLkBJomc.README.txt

Filesize
1KB

MD5
5d5e3bcf3bf2dbe5a7550905da970fe7

SHA1
435377160c7cc453c1b0f5434cf43f27f0e26f65

SHA256
3f87ea04b7b04c9d7d2fd2b631bc1b3273cfda1ffc1562de09feef03e60a706c

SHA512
4eb102f496c14d8dd1439b62a920ba0595f74391473c81f88d7ce30bac5c0741217b5065490f66344594f2534bffc2e6f8107b99683b1383e6d91d7e0443e62f

Download Submit
C:\ProgramData\BF29.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE

Filesize
147KB

MD5
90c11940454e4aedc2feeeeb72f3baa2

SHA1
e0b044d125ac9a4de2c6e41bff3a102b8c631609

SHA256
dfa366ab46178ab37523c7395ab2c5a95ad7dc35e0d333bb0e611e3becf2bf76

SHA512
7431315bff9e20e417d75f11eb4342008febf0f2e7c2ca03983b09f5ca27a395c8ad7e11bdc5bd23407a56874c3a96b9b733e65e593b528a960738ec263fbfcd

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2392887640-1187051047-2909758433-1000\DDDDDDDDDDD

Filesize
129B

MD5
bd43c66d1dbb3e3ecd140092facb00d7

SHA1
644122db2d85d8ac5223fceed36be278daf09f83

SHA256
ea8f55b4829a6d43db4b8ec6294f1304805ae36871f5345c1fd9f30e1452e2aa

SHA512
f9993d49a0c0a160fdda643dee07c009bb4e6cc7130876304711a77fa90424ec3d22251ee3f81eba1ff3c9c38a29e07b9b0677739562d50c6b51516fadf6f8d6

Download Submit
memory/2592-2970-0x000000007FE40000-0x000000007FE41000-memory.dmp

Filesize
4KB

Download
memory/2592-2974-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

Filesize
4KB

Download
memory/2592-2973-0x000000007FE20000-0x000000007FE21000-memory.dmp

Filesize
4KB

Download
memory/2592-2972-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/2592-2971-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/2592-3003-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

Filesize
4KB

Download
memory/2592-3004-0x000000007FE00000-0x000000007FE01000-memory.dmp

Filesize
4KB

Download
memory/4044-0-0x0000000000F50000-0x0000000000F60000-memory.dmp

Filesize
64KB

Download
memory/4044-1-0x0000000000F50000-0x0000000000F60000-memory.dmp

Filesize
64KB

Download
memory/4044-2-0x0000000000F50000-0x0000000000F60000-memory.dmp

Filesize
64KB

Download