8760d739b888902708d9e65193bf68f3d9a9e56de07f894a4c39615e66a52d64

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89862f1214998962cab6fb5fd76efe61.exe
Size

146KB
MD5

89862f1214998962cab6fb5fd76efe61
SHA1

512bca951a384de28a897013876c8e2d105e8d25
SHA256

8760d739b888902708d9e65193bf68f3d9a9e56de07f894a4c39615e66a52d64
SHA512

6daf93be1808b8e9e17e28d96fb7b3ab2834c406c2d6319a87d136fd633ccfebea3fd305d0777223f0b5b7a5b61b93cf51964fbf90148f4e229edbf96558034a
SSDEEP

3072:V6glyuxE4GsUPnliByocWepf7MInS0Slg:V6gDBGpvEByocWeRgdZ

Score

9^/10

defense_evasion discovery ransomware spyware stealer

Malware Config

Signatures

Renames multiple (334) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

Processes:

D643.tmp

pid	Process
1904	D643.tmp

Executes dropped EXE 1 IoCs

Processes:

D643.tmp

pid	Process
1904	D643.tmp

Loads dropped DLL 1 IoCs

Processes:

89862f1214998962cab6fb5fd76efe61.exe

pid	Process
2684	89862f1214998962cab6fb5fd76efe61.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

Processes:

89862f1214998962cab6fb5fd76efe61.exe

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini	89862f1214998962cab6fb5fd76efe61.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini	89862f1214998962cab6fb5fd76efe61.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

89862f1214998962cab6fb5fd76efe61.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\6XHjQ1c1S.bmp"	89862f1214998962cab6fb5fd76efe61.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\6XHjQ1c1S.bmp"	89862f1214998962cab6fb5fd76efe61.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

89862f1214998962cab6fb5fd76efe61.exeD643.tmp

pid	Process
2684	89862f1214998962cab6fb5fd76efe61.exe
2684	89862f1214998962cab6fb5fd76efe61.exe
2684	89862f1214998962cab6fb5fd76efe61.exe
2684	89862f1214998962cab6fb5fd76efe61.exe
1904	D643.tmp

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

89862f1214998962cab6fb5fd76efe61.exeD643.tmpcmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89862f1214998962cab6fb5fd76efe61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D643.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

89862f1214998962cab6fb5fd76efe61.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\WallpaperStyle = "10"	89862f1214998962cab6fb5fd76efe61.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop	89862f1214998962cab6fb5fd76efe61.exe

Modifies registry class 5 IoCs

Processes:

89862f1214998962cab6fb5fd76efe61.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6XHjQ1c1S	89862f1214998962cab6fb5fd76efe61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\6XHjQ1c1S\DefaultIcon\ = "C:\\ProgramData\\6XHjQ1c1S.ico"	89862f1214998962cab6fb5fd76efe61.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.6XHjQ1c1S	89862f1214998962cab6fb5fd76efe61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.6XHjQ1c1S\ = "6XHjQ1c1S"	89862f1214998962cab6fb5fd76efe61.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\6XHjQ1c1S\DefaultIcon	89862f1214998962cab6fb5fd76efe61.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

89862f1214998962cab6fb5fd76efe61.exe

pid	Process
2684	89862f1214998962cab6fb5fd76efe61.exe
2684	89862f1214998962cab6fb5fd76efe61.exe
2684	89862f1214998962cab6fb5fd76efe61.exe
2684	89862f1214998962cab6fb5fd76efe61.exe
2684	89862f1214998962cab6fb5fd76efe61.exe
2684	89862f1214998962cab6fb5fd76efe61.exe
2684	89862f1214998962cab6fb5fd76efe61.exe
2684	89862f1214998962cab6fb5fd76efe61.exe
2684	89862f1214998962cab6fb5fd76efe61.exe
2684	89862f1214998962cab6fb5fd76efe61.exe
2684	89862f1214998962cab6fb5fd76efe61.exe
2684	89862f1214998962cab6fb5fd76efe61.exe
2684	89862f1214998962cab6fb5fd76efe61.exe
2684	89862f1214998962cab6fb5fd76efe61.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

D643.tmp

pid	Process
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp
1904	D643.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

89862f1214998962cab6fb5fd76efe61.exe

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeDebugPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: 36	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeImpersonatePrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeIncBasePriorityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeIncreaseQuotaPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: 33	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeManageVolumePrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeProfSingleProcessPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeRestorePrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSystemProfilePrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeTakeOwnershipPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeShutdownPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeDebugPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeBackupPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe
Token: SeSecurityPrivilege	2684	89862f1214998962cab6fb5fd76efe61.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

89862f1214998962cab6fb5fd76efe61.exeD643.tmp

description	pid	Process	procid_target
PID 2684 wrote to memory of 1904	2684	89862f1214998962cab6fb5fd76efe61.exe	33
PID 2684 wrote to memory of 1904	2684	89862f1214998962cab6fb5fd76efe61.exe	33
PID 2684 wrote to memory of 1904	2684	89862f1214998962cab6fb5fd76efe61.exe	33
PID 2684 wrote to memory of 1904	2684	89862f1214998962cab6fb5fd76efe61.exe	33
PID 2684 wrote to memory of 1904	2684	89862f1214998962cab6fb5fd76efe61.exe	33
PID 1904 wrote to memory of 2992	1904	D643.tmp	34
PID 1904 wrote to memory of 2992	1904	D643.tmp	34
PID 1904 wrote to memory of 2992	1904	D643.tmp	34
PID 1904 wrote to memory of 2992	1904	D643.tmp	34

C:\Users\Admin\AppData\Local\Temp\89862f1214998962cab6fb5fd76efe61.exe
"C:\Users\Admin\AppData\Local\Temp\89862f1214998962cab6fb5fd76efe61.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\ProgramData\D643.tmp
  "C:\ProgramData\D643.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D643.tmp >> NUL
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2992

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x148
1⤵
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\CCCCCCCCCCC

Filesize
129B

MD5
dd3f6f6a6bca6b0b810cc71472bac90d

SHA1
c3748c39221ed5a134887bf4e72892164e7ac741

SHA256
f968c0b26e98c99cc03e5f1af9ab244ad8658fd1a35451ab2ba2f7e1f899c516

SHA512
6ef0afbfe011e20d8960886461f4eb32ef6b924dc97e6f65558c746eea233a399a9d27449a685be338c4867d34e9bf5879f146c0d2cb7e520ec8077a9fda4b2c

Download Submit
C:\6XHjQ1c1S.README.txt

Filesize
343B

MD5
72b1ffaeb7de456483f491ecceadb088

SHA1
ee1953abc295245ab01f35a4a823883826bf2b41

SHA256
eb892eac9899b995047733bb17acd4945eb42b7b49f2ee8ad52b8026bc0297a7

SHA512
c0e7cad617cf1490bb25fc47936edc3ae164b190ed34f2d2a50e7e84ce6e0d6712a6ba9ab351cca1589266078326a00317516c53fecf96f20eaefe15e92ce445

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
146KB

MD5
9d7caddb4ec8d09d946fe1c64edde33e

SHA1
c5449453b23bb4c90ae0d392f794d33da6e26900

SHA256
74450d17db920d8d4e019bb1915f7d60be75dca8a4da3341a7e8d2930f15ca99

SHA512
8eeea9c04b5136d669c2cb167d002fb744797814427f6397491a9abb9b464aee738ce790426bf2c0f7ccfca557622ec757a5874012b7495832b46844a3a80d05

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3290804112-2823094203-3137964600-1000\DDDDDDDDDDD

Filesize
129B

MD5
cc94ebf3e898d262ed1ed12127db0a49

SHA1
a14d81a80a5311237d151a61e16bb11d1da0ba53

SHA256
023309c8fa0c37d9d527fc71574f6a0498410828cc59c8101f6730c9dc1b14bd

SHA512
fccb7d20857162eabfe1966633082be7b8687a0c07d80a6657781e41ef44897b7cb9d44003d4078229feb6d1a2d2315a87adb02802267fb40e536c8465690b00

Download Submit
\ProgramData\D643.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1904-869-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/1904-872-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/1904-871-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/1904-870-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/1904-868-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/1904-902-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/1904-901-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/2684-0-0x00000000021E0000-0x0000000002220000-memory.dmp

Filesize
256KB

Download