17db6fd9f81222711b1f33983a8f64b8c3bddfc7dc25f4f6b6e0c6c29d877eeb

Resubmissions

05-10-2024 14:52

241005-r81csszekf 9

20-08-2024 13:23

240820-qm5jystfpc 9

Analysis

max time kernel
136s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Morgan.exe
Size

14KB
MD5

cd2149ef2f2c9675e75a224c10f60a8e
SHA1

a1a962caae493a33f947ff6412d18f864c7fc3fb
SHA256

17db6fd9f81222711b1f33983a8f64b8c3bddfc7dc25f4f6b6e0c6c29d877eeb
SHA512

0aad285dcf287da822d1e9abdb444a4c353c66f054f5828df8fd4a7ebdc41ab0e269d4171e99cfee6f4857c5859a663c8b5f0345a0395e2ee2b0ee1dbbc965aa
SSDEEP

192:hI/3edqmr6APSJg15CHEcWIW2g93EUY68FL8GZDAPIrIvCGmaMiDVQvr:HdPKi15Ck4W2g9UUg8GRXLuMiDVMr

Score

9^/10

discovery ransomware spyware stealer

Malware Config

Signatures

Renames multiple (703) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	Morgan.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Morgan.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3664	Morgan.exe
3664	Morgan.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3664	Morgan.exe

C:\Users\Admin\AppData\Local\Temp\Morgan.exe
"C:\Users\Admin\AppData\Local\Temp\Morgan.exe"
1⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000003.log.alci

Filesize
16B

MD5
473a21807f56dd0b81933bec142da7c5

SHA1
c8db2151d4dd7085b1bd68003d95d86dc5ce6eda

SHA256
35aaa6d6798083c07f45506748bd583b88ee6fbe7a85bf6e6b32c3954cad33d1

SHA512
c2b7675dff5d625342ceb46ebe6fabcba8ac7a5b0d9cd760e4914ed398347f1d69606818dc14fdcd8b8c91edf52b5243642c9f0f3bafe60ca8b944fe9888164a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.alci

Filesize
8KB

MD5
1ac60a88c3fa0eef7b6fa9c30278437a

SHA1
50a36e60ff625f4dae02945c3787223e67b75475

SHA256
ef7fee3988713eb541e00125802051944ee74612e6034faed7d5149786c21ef5

SHA512
a7d192df6ff17436ecf1da679524d9006826e4cf9ad83f784cc5500bdfcf2648f14be32cd6e64083c94f94c051b88cd755dbdffbd2fd67fc70ec06e2674599f0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{80b6cdc2-7446-4fc0-aa0b-297ff3590631}\0.1.filtertrie.intermediate.txt.alci

Filesize
16B

MD5
3a1108f9425977cf097ce1b82be6c993

SHA1
932f6074f27d9a26ecb8d4fc06235298caee8521

SHA256
d2b437177528c4adde5228d59bfb869fc85befcb989de94f6debdb7ef90a9a5c

SHA512
9a33100732f907839caa9607567bf31dc9164d4daa94b99a78a9e056051e92d95ee1261a831d15376f16d1064101fa1a2ae46502f3a3ed2ce54dc71b28ac470a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{80b6cdc2-7446-4fc0-aa0b-297ff3590631}\0.2.filtertrie.intermediate.txt.alci

Filesize
16B

MD5
d34457a559581cb72dc6e92da6aae4a1

SHA1
adf7bfd0e8d98fe8915dc9760c0fb1d877783b7a

SHA256
3c60044e96e7c812558a83ce922afbd596171b830697da9313d5fca7c5034186

SHA512
8361ef85b27cf54071fd05932c35a678de4f686663fb6c8f0bd5811e2678ac254220ac506b669ac6361ae1c0820541feea2dc7ad9b756605beab6aaaf7cb515c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670754214864666.txt.alci

Filesize
77KB

MD5
35d72de67be240165c6d54d22a9c4c64

SHA1
c64b49c35bd587d35f8b759d766ccbe6c90d2a18

SHA256
2c137490ea9bda3e0511b413c15c29217a6d83f74f16a255e25be556f0f30616

SHA512
ca74fca4b881d92b275450107a854aa733198eb4c95bb354284699320915c32bb9fc4ff0695248e15084cb21a39fe798096f8b47c3ef5e37e8fa59ff2afeef1f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670755826425795.txt.alci

Filesize
47KB

MD5
9f8ca7bfbc19c0a9506101583a2d76f3

SHA1
1677f8b4c4113c5add793dc07b375e822e820f2c

SHA256
fb56a5b32734e4bad523310a3d8004e52a4f3a851ee686ae4fc0d735e4a54492

SHA512
0b5a0ad7dafea0c27093e3b0c6d38f39c9ef71860e1e2f72b4bebb5db1077fbb4281d3aa0e77f86ca0ad95f05026b96c0590a74599180c10c18e02c3c148dd02

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670762122530084.txt.alci

Filesize
65KB

MD5
da063cf8292c55d487a14b31f8c46216

SHA1
2be215e5031c3e9d31da2dcd1913eb296915a6b2

SHA256
c7a71022a3e30af25e7f1ea15a3c17eb20a67879f7c4c0a7bd754ee5e1fd25a7

SHA512
97ec13a49d92185b4e49bfe35e9730cc29cb00ab157c9bd42293439744426983952d466cae0f9311eb0c3018872da9fc0115c83969e5a62a73be747a9ed523ca

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670792315738820.txt.alci

Filesize
74KB

MD5
b70348b4acafd7a810a9a17ff447f89b

SHA1
0003ac8284e6fc470f4a51be94de9e82f3d97d52

SHA256
6bbc22d63916682f0f07a9edac1a3d3e301b1daf8f1ffb3495387f4c90415e69

SHA512
c735bb2ad30f59ee51c4595dd103ab322ebc39c45ce1ffcf005ccd18db5990fa2a6ee8fba3fe8cfa07bf124cc6fbb7175148958731f6c7c434213c7dfe64792b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.alci

Filesize
48KB

MD5
0f133c92be06b7d57e544f279982255e

SHA1
da513c51c84de8409b612b633eb974218b0a081e

SHA256
9e84a4f159e01ebf609efc50d3b4c52270a45c6ec755589d81fc78244cd8c325

SHA512
440abdb412ff33c9f8ecccdb27eb79df008875bb97aa3ae1184307b3994f14c7af0854d485ec32dafa79fa84c5bb5feee3b50851cd54c088259336aa11460dc7

Download Submit
memory/3664-2-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download
memory/3664-1-0x0000000000E30000-0x0000000000E3A000-memory.dmp

Filesize
40KB

Download
memory/3664-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/3664-709-0x00000000748A0000-0x0000000075050000-memory.dmp

Filesize
7.7MB

Download