Analysis
-
max time kernel
101s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
26-09-2024 23:34
General
-
Target
lk.exe
-
Size
146KB
-
MD5
7f6830b77ad13b244bc5d702d67137bf
-
SHA1
1fbd763388a3e9679ac66b35da8a78e041611fe4
-
SHA256
e097f98ea3416330ed2fd7856743d68a7ca880c6d57e8c264a384a112ac5a390
-
SHA512
488cb83c7267cfc70989e09489373f4372325531f7c02b1711fbdf6dfeaa377c39b84d5e971136e0e41d0a6dcde52ec4d21a749169eedb9e9ba43eb9caf077de
-
SSDEEP
3072:c6glyuxE4GsUPnliByocWep0XL63DjDeprS:c6gDBGpvEByocWeOmuNS
Malware Config
Signatures
-
Renames multiple (605) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 2 IoCs
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 7 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 32 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\lk.exe"C:\Users\Admin\AppData\Local\Temp\lk.exe"1⤵
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE/insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{1332DA82-0F64-4CFD-88D9-DE32F22CE60F}.xps" 1337186730446300002⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\XQk8iLzOQ.README.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\RegisterWait.cmd" "1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SelectResize.wmf.XQk8iLzOQ2⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
129B
MD54613ab580d5a3081e8f695ca87f8fa0a
SHA1e111c20c738f5fb2f5ee3e6f4df2e535ec098f6b
SHA25696e8b3cac3862ce2afe350827cae0bf3c3138b56ae6ab4b3ab8f64e08eb3637d
SHA512771ea21d8c7e445a7f5c3ee44fd1f4505ca35766f85365e2896e86a28669801bf9f523d119a99247e3a7d196b0763ffc123f09a1817cb2dad3370da7312be744
-
Filesize
4KB
MD5b71481d8c98b2dfb7b063c30578ac4a3
SHA189af74b03bfab88fcf77e62b21913e2f03309191
SHA25666115b92f64d7da52da10e87820784907221454faef4b639131bccdc9ad36073
SHA512d21c7e458cc4d5297c943abb2647208a1890b7b1f1f55043b305f508bac65e948c048dfdfb8d6cf58a4671587b80cac44123c6108413ce3e0c9f800b1d23dcbe
-
Filesize
341KB
MD5a1a4604634667911aaa909d52d2e3f31
SHA18166a77b96d136487c9c564433a917f65ce06f33
SHA256847c479be9cadaa0cb167c20d1abee76cc32f6ab52b0b59f2d3844ada5e8c09e
SHA512b77ce8e8e506e4f77320894c632b7a17f3c424af4986ee1a3e9128a160aede87f26459e6884324012ec6593e14e5bf28f7f04360244c6a9f85127f62628582bf
-
Filesize
343B
MD572b1ffaeb7de456483f491ecceadb088
SHA1ee1953abc295245ab01f35a4a823883826bf2b41
SHA256eb892eac9899b995047733bb17acd4945eb42b7b49f2ee8ad52b8026bc0297a7
SHA512c0e7cad617cf1490bb25fc47936edc3ae164b190ed34f2d2a50e7e84ce6e0d6712a6ba9ab351cca1589266078326a00317516c53fecf96f20eaefe15e92ce445
-
Filesize
129B
MD5cc647fb051bcdd47cdb7ae3dd14a504a
SHA12609dfa8a9e22d4614c777566967183630dac627
SHA256621a1ce91d34aafddb939226cb404667a10189c02f8b49b590db977cebba60f3
SHA5124ef47c215175e3831b37ed793e34fb571e0ba3a5c0040162fabec42cc46cf9b22e3335d91321118c56708e59639730b34eba01fb936fb903bed7a4acc25f0db2
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB