d12c35c8825aad5b09855a89102236774ca847a7559132c4e9d92aaf69772815

Analysis

max time kernel
99s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 16:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

146KB
MD5

ef531da468065fc649d072824c9a76e2
SHA1

93c35e2e7f4915645479f6ae680683dcb3d9bc54
SHA256

d12c35c8825aad5b09855a89102236774ca847a7559132c4e9d92aaf69772815
SHA512

4c212df24e00fb7d93a5d26f27c3c0628cd7dbea67d7ee72844d1de5d6c5713860e423a01a8226da825882507f5982a06d01d8677e8bb26c66a43f131dac7894
SSDEEP

1536:IzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDjkxB81Hd8lQG9XtPmSQVwpdNIQ:XqJogYkcSNm9V7DjQPQGfjLpjIa1tT

Score

10^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\xgU6NOijB.README.txt

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED!!! All your files, documents, photos, databases and other important files are encrypted. The only way to recover your files is to use a decryptor. To get the decryptor, write to us by mail or telegram, specify the ID of the encrypted files in the letter: Email: [email protected] Telegram: https://t.me/bit_decryptor Warning. * Do not rename encrypted files. * Do not attempt to decrypt data using third party software as this may result in permanent data loss. * Do not contact other people, only we can help you and recover your data. Your personal decryption ID: 8F1D8AE5590CFFAADFD183C34CCDCB2D

Emails

[email protected]

URLs

https://t.me/bit_decryptor

Signatures

Renames multiple (599) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	7417.tmp

Deletes itself 1 IoCs

pid	Process
2412	7417.tmp

Executes dropped EXE 1 IoCs

pid	Process
2412	7417.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini	setup.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini	setup.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2412	7417.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7417.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe
3648	setup.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp
2412	7417.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeDebugPrivilege	3648	setup.exe
Token: 36	3648	setup.exe
Token: SeImpersonatePrivilege	3648	setup.exe
Token: SeIncBasePriorityPrivilege	3648	setup.exe
Token: SeIncreaseQuotaPrivilege	3648	setup.exe
Token: 33	3648	setup.exe
Token: SeManageVolumePrivilege	3648	setup.exe
Token: SeProfSingleProcessPrivilege	3648	setup.exe
Token: SeRestorePrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeSystemProfilePrivilege	3648	setup.exe
Token: SeTakeOwnershipPrivilege	3648	setup.exe
Token: SeShutdownPrivilege	3648	setup.exe
Token: SeDebugPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeBackupPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe
Token: SeSecurityPrivilege	3648	setup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 2412	3648	setup.exe	93
PID 3648 wrote to memory of 2412	3648	setup.exe	93
PID 3648 wrote to memory of 2412	3648	setup.exe	93
PID 3648 wrote to memory of 2412	3648	setup.exe	93
PID 2412 wrote to memory of 4576	2412	7417.tmp	94
PID 2412 wrote to memory of 4576	2412	7417.tmp	94
PID 2412 wrote to memory of 4576	2412	7417.tmp	94

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3648
- C:\ProgramData\7417.tmp
  "C:\ProgramData\7417.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\7417.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2392887640-1187051047-2909758433-1000\MMMMMMMMMMM

Filesize
129B

MD5
e8aac33fd999efbb204456a52473b7fc

SHA1
55255139cd8e1cf8a63be5389083550f4cb84b00

SHA256
cb729bd62f2d6686092287d1abb855ff2f463fdd65240ddf8dcbb8655e8407ea

SHA512
0deeadc9efbaab2adc80b659c812c7c1258bee655dd726ae5bbe2236e380f8393d8b907e63573d9fd32c8a024d94e143434c2af5a3635def70fa111350a42b8b

Download Submit
C:\ProgramData\7417.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDD

Filesize
146KB

MD5
5a715fbbc2f54c29ee83cfcf7134b6a4

SHA1
7615ac4c2ce586bd416816ae0e5db429fd7806dc

SHA256
38d7c6b0a29d18edd236b2911eb162393184c0c43fee9241b61edfcb9ad56b77

SHA512
335caa5aa19b2733e07e02c738655353a8e7defa5b7626767a1947a0c097aa606c62086080b6f25292a378acda116de9dfd91d795cac27a5520cdff7645b360d

Download Submit
C:\xgU6NOijB.README.txt

Filesize
659B

MD5
762abaf45da9481f8cfada8043b345d0

SHA1
6fe3ca0aeef4d68b402302b434b1c6fac35d61ab

SHA256
686cc5583b9635d5cbdf24e530decd3d9b8fc0b00ac97c2b9caa14ed4f5bcbd0

SHA512
3619686907603d090c7b3a323679a7a45f15141e6169f808ac5ea8e5bf7c358277e7a91e90b653f9e639ab36529ce6238d6bfe60bf394e97c6ace0809dffa1d8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2392887640-1187051047-2909758433-1000\DDDDDDDDDDD

Filesize
129B

MD5
e7602c5c8d0da93f51607fea13fdd96f

SHA1
e85bd5551f7762a35219cee30197cc599097202c

SHA256
0701831669a8b0634661d1eee90d3640ff9372b4ab2e09c6eff9786c4c498d7b

SHA512
7806ea352740569584c72534179038324def8a0f86ae8c6cb534ddd13d02cacb8a8120877ba6b3905441a9dc8b871323770121a5f31bb35eb44a727ee8a09056

Download Submit
memory/2412-2785-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

Filesize
4KB

Download
memory/2412-2781-0x000000007FE40000-0x000000007FE41000-memory.dmp

Filesize
4KB

Download
memory/2412-2784-0x000000007FE20000-0x000000007FE21000-memory.dmp

Filesize
4KB

Download
memory/2412-2783-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/2412-2782-0x00000000026B0000-0x00000000026C0000-memory.dmp

Filesize
64KB

Download
memory/2412-2815-0x000000007FE00000-0x000000007FE01000-memory.dmp

Filesize
4KB

Download
memory/2412-2814-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

Filesize
4KB

Download
memory/3648-2-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/3648-0-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/3648-1-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download