Overview

overview

9

Static

static

3

eaa0e773eb...bc.exe

windows7-x64

9

eaa0e773eb...bc.exe

windows10-1703-x64

9

eaa0e773eb...bc.exe

windows10-2004-x64

9

eaa0e773eb...bc.exe

windows11-21h2-x64

9

Resubmissions

13-08-2024 12:55

240813-p5s37svarb 9

03-08-2024 05:56

240803-gng1lsvfnn 9

29-07-2024 17:59

240729-wkpzdawhlc 9

29-07-2024 13:14

240729-qg3heazdpj 9

Analysis

  • max time kernel
    134s
  • max time network
    145s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    13-08-2024 12:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe

  • Size

    162KB

  • MD5

    7e851829ee37bc0cf65a268d1d1baa7a

  • SHA1

    672553c79db2a3859a8ea216804d4ff8d2ded538

  • SHA256

    eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc

  • SHA512

    856c6d27669b3123064d85adbc119414f5418f80bbbc9f85f4575df97cf34d1f4ab96fab5442a337ac6a90c076ba5af835f5286cb403acfb3a1e4fc5d0834ebd

  • SSDEEP

    3072:rjvNTtA6pzarOLgSua/iw6kzg3qe1PTjrnFFMVUT6tSTC6D1vtPR1DO66ddJpW3h:r72qe1PTjrnf/KMR1j6df01fiuAP3xFm

Score
9/10
credential_accessdiscoveryransomwarestealer

Malware Config

Signatures

  • Renames multiple (1101) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe
    "C:\Users\Admin\AppData\Local\Temp\eaa0e773eb593b0046452f420b6db8a47178c09e6db0fa68f6a2d42c3f48e3bc.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:4236
  • C:\Windows\system32\printfilterpipelinesvc.exe
    C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:8444
    • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
      /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{B470D309-067E-4AFF-92B6-67F5EF3A55EC}.xps" 133680273361150000
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:8544

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Windows Credential Manager

1
T1555.004

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Microsoft\Office\ClickToRunPackageLocker
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • C:\ProgramData\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\MasterDatastore.xml
    Filesize

    387B

    MD5

    50a55abbfe130e3d85ffd4b976ad324e

    SHA1

    9eda7c1b339f23180329fbb2587dba152b31982e

    SHA256

    09dca1ce93ac6d57b0527ae2040bf5a205f316fe145adbde919c487705476279

    SHA512

    30368a33a47b9b0da43f6a984d534c6786d61bf8702482cabcb45b27593ec155a174e0518c9f9303f1f177321989064a7b2973a411593b36725d366f1224c0b8

    Download Submit
  • C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\191__Cellular_PerSimSettings_$(__ICCID)_AppID.provxml
    Filesize

    480B

    MD5

    bfbff89c7d2533270a97429879704295

    SHA1

    61fe4d0adfcbc0400bb7408d053efdd1dac7f207

    SHA256

    939f86c8e33354025c9231816294414658f82a6f3f1fc4bda17e603aa9f0b584

    SHA512

    83ee9190296fbdd5ae465e9f35b93f9d7051f94db983e01c413e201f58bf5e99cfac2a9b2236acf0694fa0958df6643df3b0e36981c269e92c839118a4ac7c6a

    Download Submit
  • C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\623__Cellular_PerSimSettings_$(__ICCID)_AccountExperienceURL.provxml
    Filesize

    459B

    MD5

    7d3cea937f70e905bd40a3f403ef7d3e

    SHA1

    0231624a58e078e99a7148c94ee13b75896efd70

    SHA256

    eaa4c9f587e5b29894fbfecd197936c10a7aa5189614b581a33a79d66ad797d5

    SHA512

    5d1d58b5f017a78b334feae183fb8e1b62751270cfb635e025c8eb3545bbaf0482d013f5da986cbf43b09485c438892ad1fa0328e8e0f557d414b18edbea832f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\{81271E8C-4847-4D0F-8C85-F820F4CE1FC0}
    Filesize

    4KB

    MD5

    e79ff7c3b6ecd26f0cb38a89ddc25002

    SHA1

    1f93545484f94000a09639bec2408b0a18ca3d9f

    SHA256

    6db62feaa1cd45e2f7f2eed12c09c585326e0c48e2af213aa195ebab751273e2

    SHA512

    e021f1effcca20c1399a81c283f7fa209066b9d487b43e1f0936cacb3628415601689355dbbbb839fae16a55c9bd86458a2a58fa1af4d1663524673f5d9cc5cf

    Download Submit
  • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
    Filesize

    4KB

    MD5

    5da9581a6c7f4504368d73299f604aab

    SHA1

    107dd1429005cb905f25e2972591bf9d960eb7e6

    SHA256

    db2f488519deb912f434ca4a8a844d05e0c82c4727be798835005038f6f86e11

    SHA512

    17e0c4edd74453a39499fa5659174648785f4e85b18c331dba9f4914a76b40de2cd352db313c7be564fb87f746ca9f3fac3ade79d625a6712d9e994ad288ba69

    Download Submit
  • F:\README.txt
    Filesize

    423B

    MD5

    7ff94943cdf15452a094e7a8587755b6

    SHA1

    663d82d423fd075b4c87e6428e9c2556c474b88e

    SHA256

    6497c4ac3c3c1dc3fa0405571007a21ae4cecb7cc7cc170c4ad17f683a6118a5

    SHA512

    da91f22c6c9fd4f25a5bc6be74c2dbf1b4d886af97d6dba49de12bef6f9d511b7cd834bae1851a5b4057b665353b2d6b802c5c45076ca5af94827db2ef2028ef

    Download Submit
  • memory/8544-3633-0x00007FFFAFD40000-0x00007FFFAFD50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/8544-3635-0x00007FFFAFD40000-0x00007FFFAFD50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/8544-3638-0x00007FFFAD1F0000-0x00007FFFAD200000-memory.dmp
    Filesize

    64KB

    Download
  • memory/8544-3639-0x00007FFFAD1F0000-0x00007FFFAD200000-memory.dmp
    Filesize

    64KB

    Download
  • memory/8544-3634-0x00007FFFAFD40000-0x00007FFFAFD50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/8544-3632-0x00007FFFAFD40000-0x00007FFFAFD50000-memory.dmp
    Filesize

    64KB

    Download