Overview

overview

10

Static

static

3

32efb1eb36...71.exe

windows7-x64

10

32efb1eb36...71.exe

windows10-1703-x64

10

32efb1eb36...71.exe

windows10-2004-x64

10

32efb1eb36...71.exe

windows11-21h2-x64

10

Resubmissions

26-08-2024 09:41

240826-ln48csyerj 10

29-01-2022 07:52

220129-jqhe9sgcg5 10

Analysis

  • max time kernel
    133s
  • max time network
    136s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    26-08-2024 09:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe

  • Size

    1.8MB

  • MD5

    59c3f3f99f44029de81293b1e7c37ed2

  • SHA1

    fb07496900468529719f07ed4b7432ece97a8d3d

  • SHA256

    32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471

  • SHA512

    9b3bd8a76d754bf9c899111be986c4fd6d14f6993a9a0e3dcd9b4a76c0f7764ac8798f5cbc7a0467c1562638d85bf52f627bd32c125f587b1e838beaf03c8a0e

  • SSDEEP

    49152:aIuQjMgjzus3wLNlDXjUoXFhKoT2iG6xQQqOeaGcWRrLy3pN+:a1bgjyQwhlDFEi5Qt7aGdRrLy5N

Score
10/10
mimikatzcredential_accessdefense_evasiondiscoveryevasionexecutionimpactransomwarespywarestealer

Malware Config

Signatures

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

    mimikatz
  • Clears Windows event logs 1 TTPs 2 IoCs
    evasionransomware
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
    "C:\Users\Admin\AppData\Local\Temp\32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Users\Admin\AppData\Local\Temp\kafut.exe
      123 \\.\pipe\FF002AE6-052F-4989-8A82-AB4ECAF85B94
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3748
    • C:\Users\Admin\AppData\Local\Temp\qqpck.exe
      123 \\.\pipe\DA3CD774-922E-4A9C-80EA-BED90DD839AC
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4608
    • C:\Users\Admin\AppData\Local\Temp\_igf.exe
      "C:\Users\Admin\AppData\Local\Temp\_igf.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1188
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3372
        • \??\c:\Windows\system32\vssadmin.exe
          c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:4876
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3868
        • C:\Windows\system32\wbadmin.exe
          wbadmin.exe delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2784
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1936
        • C:\Windows\system32\bcdedit.exe
          bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3184
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1704
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:380
        • C:\Windows\system32\wevtutil.exe
          wevtutil.exe cl System
          4⤵
          • Clears Windows event logs
          • Suspicious use of AdjustPrivilegeToken
          PID:1296
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:696
        • C:\Windows\system32\wevtutil.exe
          wevtutil.exe cl Security
          4⤵
          • Clears Windows event logs
          • Suspicious use of AdjustPrivilegeToken
          PID:5048
    • C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:2404
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4076
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3580
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:1960
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:3384

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\_igf.exe
      Filesize

      36KB

      MD5

      3c0d740347b0362331c882c2dee96dbf

      SHA1

      8350e06f52e5c660bb416b03edb6a5ddc50c3a59

      SHA256

      ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85

      SHA512

      a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\kafut.exe
      Filesize

      751KB

      MD5

      68970b2cd5430c812bef5b87c1add6ea

      SHA1

      7695d829965b802c50d96a19dbc2fc361169624d

      SHA256

      e4e1e3c44e01c60fd433c6283bd8cd15a9941e1cbaad72e6409cc92e2e91263e

      SHA512

      1ea13dfb60cdca0338bb20a50419901a12387db2253c5d6ae3b6939c803e6f1e7998b7ba443c7472a931e64df94521cb6c6c3f646b01d5e671acb103d0a64475

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\qqpck.exe
      Filesize

      277KB

      MD5

      86d1a184850859a6a4d1c35982f3c40e

      SHA1

      4abde6ff4d7f30c60dc61e866c4a11a7eee5bef5

      SHA256

      eb766983a8a05ad16b15e356df43f4e00f36092b8c6effdff3a580c2de2bba8f

      SHA512

      e9c18e0a70af00119bef1c697f0a801e9942c4702046d7f20533ea33c987c37c2007066b13935c8df6e039628db885cad2338feb95490e27cdcdbd57a7d0cc1a

      Download Submit

    • memory/2404-31-0x00000000001F0000-0x00000000001F2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3748-4-0x0000000010000000-0x00000000100AA000-memory.dmp

      Filesize

      680KB

      Download

    • memory/4608-15-0x0000000180000000-0x000000018002B000-memory.dmp

      Filesize

      172KB

      Download