Analysis

  • max time kernel
    147s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-08-2024 03:30

General

  • Target
    dec9845622a1996d768b0f38b7d7d16e6c76b2572b7e2eac55f678e686d4dc6f.exe
  • Size
    145KB
  • MD5
    2a704c78d287be6fb1a9324dd3bbd780
  • SHA1
    2f79d2d07b33be225d3d333477c2d2159a471e0e
  • SHA256
    dec9845622a1996d768b0f38b7d7d16e6c76b2572b7e2eac55f678e686d4dc6f
  • SHA512
    a2681bdb05ecb2636958b37a65c32bfd27467b241052133ad7f02bb634ad6e5539718ba810c3568f9cf3d10996cdd255e6632c75565ec40b278cff88713a812d
  • SSDEEP
    3072:S6glyuxE4GsUPnliByocWepLk+B2Rq+V8Lmp:S6gDBGpvEByocWelKq8T

Signatures

  • Renames multiple (617) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) (2 IoCs)
  • Indicator Removal: File Deletion (1 TTP)

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory (4 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies Control Panel (2 IoCs)
  • Modifies registry class (5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: RenamesItself (26 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of SetWindowsHookEx (13 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\dec9845622a1996d768b0f38b7d7d16e6c76b2572b7e2eac55f678e686d4dc6f.exe
    "C:\Users\Admin\AppData\Local\Temp\dec9845622a1996d768b0f38b7d7d16e6c76b2572b7e2eac55f678e686d4dc6f.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:1488
    • C:\ProgramData\BA0A.tmp
      "C:\ProgramData\BA0A.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3708
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\BA0A.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4880
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
    PID:2132
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:928
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{C5308402-6870-4426-A6CB-EA6B2FABFB04}.xps" 133695486431740000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:3644

Downloads

  • C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\CCCCCCCCCCC
    Filesize: 129B
    MD5: a569ed305e336191196ca03e09187a1b
    SHA1: bd528cf6be33bd7e790802b78fc3f855da3d062a
    SHA256: 70f442d7ae39d9104044ef805d4398fe90b3ab32d8a1e002602d71f1e9717109
    SHA512: 6a0899c9c7d699497a09f859a6b353cbaf9d5f3c7d1185f83a8246794670b04270d7f211465d77bd1801078001eb0ef95778c5dd09850d9f8b4ec2ec89930169

  • C:\AjrMf9Fb5.README.txt
    Filesize: 19B
    MD5: 7edb66f1ed51a03a8b381c2307756c3c
    SHA1: 60fbdfcefe96843c077b66f7df2f89cbb3bd0312
    SHA256: 0fb417b326d101acbdbb29f1a10c8cfea19b6ce313c17f970ecbfd318c5015dd
    SHA512: f65dc6c8a1494c267b217f562a6c98fa4b8d7ee9a77127d4062a6fba5e26879b9a4adb5649b3777d26f95ba491f29cde343fc4353e9ef6c8648ed51332a87dff

  • C:\ProgramData\BA0A.tmp
    Filesize: 14KB
    MD5: 294e9f64cb1642dd89229fff0592856b
    SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
    SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
    SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

  • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
    Filesize: 145KB
    MD5: 58499815df3b85792ed6ae3891183e0f
    SHA1: 5193a70688bb4e6ad30139589d4a8152f9d3f34b
    SHA256: 0f1f7bdd6379c1079461576c2945f2d731c57ce2f2d9d887db8f42ad17115098
    SHA512: 72a062440b3a42b4dc9cc0d5c2afa18195e2cc549d0bcb049cecb5249a92302928749be4c48ba8d4e691dfdf7def82236ca92cc1ee58eb47805dc789a337f6e8

  • C:\Users\Admin\AppData\Local\Temp\{FDBEF3E8-9AAC-459C-8A02-D1C38B2C48A3}
    Filesize: 4KB
    MD5: 7b261235e57e71eb8afa0ff85fcd7ce7
    SHA1: 5f7da60b1f7d3411a8090b9ce272ec2e1d370729
    SHA256: 1249303e56698ddc55600813f23cace3f54267d84ab420b675162a42ffae370e
    SHA512: 0caa6458a609e40544790474e6e60798c696c0e68e8aba87c13519011883472485983f5dafc70ab1a844fa12f9a9d5ff2b552554b04de1afbfea4b3cd4c75f39

  • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
    Filesize: 4KB
    MD5: 174f13d6070f45327154f971feaeb685
    SHA1: 59452aaafa7a2d4e7d6f2bb58f03ae1548a04282
    SHA256: ae0511adb1db24f4794004c50cb3df2cfb0d61c53b8e21e0937a852fb5934b2b
    SHA512: dae839bcf39fcb5366969c5072aaa14e3381e309a4491415fc6a61c5dffd0db0816a1b23b1db684a22a320f0daf130bf2c62529d707c002d2de7b5841f93670a

  • F:\$RECYCLE.BIN\S-1-5-21-4182098368-2521458979-3782681353-1000\DDDDDDDDDDD
    Filesize: 129B
    MD5: 6e665eb8e4c519f7febb77edb6c99942
    SHA1: e6fd61dbca6300ffc15297d296350ae74518a879
    SHA256: 31089baf6859b7dedaf7dc06da297af13007bcf91f59a7ec035f4ca613af09a7
    SHA512: 0a7a8beb7303ee45369501fc3e400dcb248735f2d2273b3b20546403c795f53727fee18f8e2ee109e0f60dc510a36ab95129eea23c7610ce9e06dd1a3da82b6d

  • memory/1464-1-0x00000000026E0000-0x00000000026F0000-memory.dmp (Filesize: 64KB)
  • memory/1464-0-0x00000000026E0000-0x00000000026F0000-memory.dmp (Filesize: 64KB)
  • memory/1464-2963-0x00000000026E0000-0x00000000026F0000-memory.dmp (Filesize: 64KB)
  • memory/1464-2962-0x00000000026E0000-0x00000000026F0000-memory.dmp (Filesize: 64KB)
  • memory/1464-2961-0x00000000026E0000-0x00000000026F0000-memory.dmp (Filesize: 64KB)
  • memory/1464-2-0x00000000026E0000-0x00000000026F0000-memory.dmp (Filesize: 64KB)
  • memory/3644-2983-0x00007FF967730000-0x00007FF967740000-memory.dmp (Filesize: 64KB)
  • memory/3644-2979-0x00007FF967730000-0x00007FF967740000-memory.dmp (Filesize: 64KB)
  • memory/3644-2980-0x00007FF967730000-0x00007FF967740000-memory.dmp (Filesize: 64KB)
  • memory/3644-3012-0x00007FF965280000-0x00007FF965290000-memory.dmp (Filesize: 64KB)
  • memory/3644-3013-0x00007FF965280000-0x00007FF965290000-memory.dmp (Filesize: 64KB)
  • memory/3644-2982-0x00007FF967730000-0x00007FF967740000-memory.dmp (Filesize: 64KB)
  • memory/3644-2981-0x00007FF967730000-0x00007FF967740000-memory.dmp (Filesize: 64KB)