Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/08/2024, 01:27

General

  • Target

    315d043b99f988ce9d9f69d7225292eb44623a97c1a029933b62ede699fa9f13.exe

  • Size

    146KB

  • MD5

    6edfb62405f50d7fb16882ca9b16ed36

  • SHA1

    73c346267e9527ca5886bf8a90b77f9ebceb58fe

  • SHA256

    315d043b99f988ce9d9f69d7225292eb44623a97c1a029933b62ede699fa9f13

  • SHA512

    b3ea04a001c846af5d93435db055986a448fc5d01e86a9292937ce085609b653d41719111d2d031c8b6694eb01d5856e86f9e1a65e8cdc43af51a8ed3d370d2f

  • SSDEEP

    3072:PqJogYkcSNm9V7DGoNK696RTpfnEsCygHQlyT:Pq2kc4m9tDHNK6UlJ9CyN

Malware Config

Signatures

  • Renames multiple (674) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\315d043b99f988ce9d9f69d7225292eb44623a97c1a029933b62ede699fa9f13.exe
    "C:\Users\Admin\AppData\Local\Temp\315d043b99f988ce9d9f69d7225292eb44623a97c1a029933b62ede699fa9f13.exe"
    1⤵
    • Drops desktop.ini file(s)
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:5116
    • C:\ProgramData\AAD2.tmp
      "C:\ProgramData\AAD2.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\AAD2.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1448
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4148,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:8
    1⤵
    PID:2344
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
    PID:4076
  • C:\Windows\system32\printfilterpipelinesvc.exe
    C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:4380
    • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
      /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{5739DA08-1D5F-4BCF-83B4-D454242526EF}.xps" 133684180948040000
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:4572

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\NNNNNNNNNNN

    Filesize

    129B

    MD5

    3551cbc67496c583454503376841522e

    SHA1

    b07c6d60ba9e65b5ff22221c3c2d9773fa6d0986

    SHA256

    63e2fc3f64daf38d4a613baaf5ea33440c2443b99af12f79a5b16c6c9aed5529

    SHA512

    488a498df94fc92190a48f35ee1e84d56cec44a1f577ff41aa9ff249e059b3862f8b55cf1a7d98ca1210078dcdf496afa51d87260e0203658c643bd3792256fe

  • C:\ProgramData\AAD2.tmp

    Filesize

    14KB

    MD5

    294e9f64cb1642dd89229fff0592856b

    SHA1

    97b148c27f3da29ba7b18d6aee8a0db9102f47c9

    SHA256

    917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

    SHA512

    b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

    Filesize

    146KB

    MD5

    4817431e2b13670b7555f985ac90923a

    SHA1

    8f7e9cc84d173fe6b6400042c672101878d1837f

    SHA256

    1e9331decc3b740018bc0caefe9242fd4c6133c2b37926c72df72c3835977d70

    SHA512

    ec60be6832d10ddae25d147d157780962189889fa9752090d270de246cb44a400f6ba1aa1ffbfa42bf0e38a9da2ca9821ab2642d77f88990c38e8d97e8200dc7

  • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

    Filesize

    4KB

    MD5

    7b192e1f2988f48e4a40f696c556062e

    SHA1

    1d5a1a56be0c230e59fe3eafad3df7b36aefe2ea

    SHA256

    8a4f7e16e245bda59dcbe3467027d25efaccb4432ffc3082fd3fc0fad9059f55

    SHA512

    fe6bbb6350fa2cb8935b8d63c88d672da904911763d265ca071d1bd11477dbbfdd84955e6edbaec1f84b0ce79fb8d465eb7ee2b015cb728da091a0da97d58e21

  • C:\raMFGAusF.README.txt

    Filesize

    597B

    MD5

    8b868d53629149c6b3a461ff64ce8cef

    SHA1

    b8a0b57cfe78c6d8468bdd5ef52411765a456e41

    SHA256

    5f8d2cdb81cac5d0b7df3bae0634042b305b4ac7ad06c728b21df0ea9628da25

    SHA512

    2fbb224b435621bc8947caf5aa4e294725f7df1c79dfaae1674086c8e92fcdb106d734680ac58e02b112613c778b582b2eaa8e6979dc1d75dc1dccab54f7c337

  • F:\$RECYCLE.BIN\S-1-5-21-2170637797-568393320-3232933035-1000\DDDDDDDDDDD

    Filesize

    129B

    MD5

    d2f96385ae0bf31dd6eb75ce66560805

    SHA1

    fc99cf9d41b7516539f90d64d68328a22e15bfd3

    SHA256

    8fad45cebaf932a7d943dc4838a84cad7293a39cd6c96c1ce65c35d10df81811

    SHA512

    7a5b1820f0953c6e3c8af84ca8378531e34dc8f54efedaaeb2cd48a9e714d0b15ff9cf57ea467c0413e1dedec97066f73af26987a87da779a3338d6243c69d3c

  • memory/1440-2-0x0000000000860000-0x0000000000870000-memory.dmp

    Filesize

    64KB

  • memory/1440-1-0x0000000000860000-0x0000000000870000-memory.dmp

    Filesize

    64KB

  • memory/1440-3296-0x0000000000860000-0x0000000000870000-memory.dmp

    Filesize

    64KB

  • memory/1440-0-0x0000000000860000-0x0000000000870000-memory.dmp

    Filesize

    64KB

  • memory/4572-3311-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

    Filesize

    64KB

  • memory/4572-3314-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

    Filesize

    64KB

  • memory/4572-3312-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

    Filesize

    64KB

  • memory/4572-3315-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

    Filesize

    64KB

  • memory/4572-3344-0x00007FFE46790000-0x00007FFE467A0000-memory.dmp

    Filesize

    64KB

  • memory/4572-3345-0x00007FFE46790000-0x00007FFE467A0000-memory.dmp

    Filesize

    64KB

  • memory/4572-3313-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

    Filesize

    64KB