Overview

overview

10

Static

static

10

artifact.exe

windows7-x64

9

artifact.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-09-2024 02:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    artifact.exe

  • Size

    146KB

  • MD5

    b49f2ded048a1c07e09e731d84c7bbb8

  • SHA1

    826176b2a3f8258b944dacf1f17a4495b73d104a

  • SHA256

    4178821f84d63a57ba7858c0b1e6adfa9d206943c06ac70b1a497d9269388db3

  • SHA512

    fbcde9c4334756d305715e1ec5f6216515ffd25ab0b861945807d0605b1d84339933ddd24ddb45f77f5390e9915e7b237cbcef45ad2f883a98b25747d0cca774

  • SSDEEP

    3072:n6glyuxE4GsUPnliByocWep2ntZdy0OS55Ei:n6gDBGpvEByocWeordyXS55Ei

Score
9/10
defense_evasiondiscoveryransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (636) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\artifact.exe
    "C:\Users\Admin\AppData\Local\Temp\artifact.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:376
    • C:\ProgramData\E909.tmp
      "C:\ProgramData\E909.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:860
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E909.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2764
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:4352
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4496
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{BA666881-865D-453C-861E-18BF8AAA756B}.xps" 133710126074780000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of SetWindowsHookEx
        PID:4160

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\LLLLLLLLLLL
      Filesize

      129B

      MD5

      232f3fe89c8fb223aa70f7aada475f8e

      SHA1

      0ff0e4f17e3825bfc2b53944955c58fb0a9d41b8

      SHA256

      15734f293208338c038c84943768ff238d3c700396e7ebaa7138266dda277afb

      SHA512

      162a1337e692839ba1a2eca541c4308015f0d3be789c6a286b11374a536dea115ca57f8dffee62c1b3e22c7b9e0b05f9a6fb203c8b6a21828774cc7de02c7b21

      Download Submit

    • C:\5OaQNrui8.README.txt
      Filesize

      343B

      MD5

      72b1ffaeb7de456483f491ecceadb088

      SHA1

      ee1953abc295245ab01f35a4a823883826bf2b41

      SHA256

      eb892eac9899b995047733bb17acd4945eb42b7b49f2ee8ad52b8026bc0297a7

      SHA512

      c0e7cad617cf1490bb25fc47936edc3ae164b190ed34f2d2a50e7e84ce6e0d6712a6ba9ab351cca1589266078326a00317516c53fecf96f20eaefe15e92ce445

      Download Submit

    • C:\ProgramData\E909.tmp
      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IIIIIIIIIIII
      Filesize

      146KB

      MD5

      aaffa0a49c97a64e042fa7071f0125ec

      SHA1

      fc8ce5ebdc74f8093788c37760e8772f376ff0c5

      SHA256

      778849d22caeea428c301b6850a86c38657bd4f17696159fd8d28b383b114fd2

      SHA512

      25605aae845ea5343bc1dfc0a190fefac67b49263da32a1c25d7a6924f054a896c0b5867e2b4307aa58b923bf3127f252d25898d85b72fd855416eebca4a9be6

      Download Submit

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
      Filesize

      4KB

      MD5

      6a465aa6263799d20fa7a8c4bc7e3f7a

      SHA1

      ad98ba37f13a9072b2574a881f1d95f905fc3a54

      SHA256

      dc749855f8edfddf93aa320364cdc420aaa94e4b95bfde9818ff4f756b5c89e8

      SHA512

      da6c92de2f2a95d907a0787c9c6987787a14925c03e5806edd04641a6e1721f23a9edf7f85ad080e8fa1b8b477aac6c6cf25252b02b996f6e0ab061cf2145f33

      Download Submit

    • F:\$RECYCLE.BIN\S-1-5-21-1302416131-1437503476-2806442725-1000\DDDDDDDDDDD
      Filesize

      129B

      MD5

      20f2c834343f3934df17325457a25e79

      SHA1

      d79bfc3425209021fac5ec6c13f50777c40f482a

      SHA256

      3bc5ec77d6a12d5a737775ad8ff499f181323f6389c2a8ff2aecd468a538e0d2

      SHA512

      3beb88f6123bfd8bd8160ab10b59dbfcdc26d1b4914bbad42b190feca78dc594e8adc36d03e63ac1f07671ce03a80bd0b315b471928dd8bc11adc244c39c9e4d

      Download Submit

    • memory/2360-2970-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2360-2969-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2360-1-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2360-2968-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2360-0-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2360-2-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4160-2986-0x00007FF9D9B10000-0x00007FF9D9B20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4160-2988-0x00007FF9D9B10000-0x00007FF9D9B20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4160-2987-0x00007FF9D9B10000-0x00007FF9D9B20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4160-2990-0x00007FF9D9B10000-0x00007FF9D9B20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4160-2989-0x00007FF9D9B10000-0x00007FF9D9B20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4160-3019-0x00007FF9D7AB0000-0x00007FF9D7AC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4160-3020-0x00007FF9D7AB0000-0x00007FF9D7AC0000-memory.dmp

      Filesize

      64KB

      Download