ac912d8d7b51eb2e29f72dd9fa1c99c99ee897d45acb60b3ffcd0ec436c1ade4

Analysis

max time kernel
132s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

10KB
MD5

0e7215901aa61f182a5d229d289b073a
SHA1

a34cea415bc7d07d93c6b1b02e2a2349fc3b38b8
SHA256

6cd338d71c9b2e482089e164a2d58f03e0619734b4436fb745df4f57527eeed6
SHA512

d2d20855e7365c9db534b9c70e687c65503147619b18656fcd461424dcb7ccac32b4d5de029e7676037e78d9b2bb616688763b16559f262a34f0d11415c0b203
SSDEEP

192:X7slLwEkBoDGZu6qdkXn3sHBrDPNCGmkVQLrF:AV8+G4dk30XYoVor

Score

9^/10

discovery ransomware spyware stealer

Malware Config

Signatures

Renames multiple (276) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sample.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2656	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	sample.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YLJ4V77F\desktop.ini.morgan

Filesize
80B

MD5
725d8afe23ea905cae56f435fe7c44b0

SHA1
897edb3424b0598dde41c6974cfc8bb26aef156a

SHA256
0710c738a7936f0cf6d2827daa2976cda07b07cbb4ff5333fe2ce1f0e93875e5

SHA512
864bd366efcaeceec6be2cd773837786991cd8f7f0d58d753880b519edd060e2a55f8893ea8e07e3c689285ebd3455b3331aa7a63ed8fc80a2964de867a340d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\container.dat.morgan

Filesize
16B

MD5
251f99e319b5addea972a7e58f2be094

SHA1
127a338fd88e666ada53b5103413dbc492cecad5

SHA256
0e6ea5e699f87bdc18dacc45e0bcbf94eb76a636eea0484a0fa941e03cff7810

SHA512
0353e530db30e57beeec454cb93ed42f66fd7d635d9c56632ca95282e2abea085b1d9efffb294c866866f90e64ddb3e3fa4efeb96f59581ba39fe4cf7b486358

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4k8o8gx5.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.morgan

Filesize
48KB

MD5
991fcabbf3a527123ef4c1951f956883

SHA1
a8fc797ebce1ccd72ff66b154e4585bf212bb132

SHA256
5677abccec25c554311f47fd50bbcf4507d51f0d1f92dd187ac50301bbb061c5

SHA512
298dbd5aa8231feaf1d8fa7133066f503bd38af16c04b11ba06b7ed1ec13485c6b432a1b87faf689200738393435b48081c7a8b31ccdc043b24695e103b52253

Download Submit
C:\Users\Admin\Desktop\README.txt

Filesize
79B

MD5
8ff2adccd1e2672913cb387e285cb34a

SHA1
2bc418de0dceb2685bafa878ea5877ca354ce028

SHA256
e75362202b59fbe8a6eb8b50fe0790fbdcbc7266279b4ff225bb7c9435094cc5

SHA512
84d07a03b49ce432928d92bb6680c4219d205710907122264a7cf07315ae9b98f04a0dd27dc6aba8c812975db65ba82a602066ccc16fe9a72cba9134a78fd068

Download Submit
C:\Users\Admin\Documents\SelectUnprotect.xlsx.morgan

Filesize
16KB

MD5
a2f11f808953b007833e4265297e78ac

SHA1
6229d4583412f486e72e1c56a095217527550cd9

SHA256
8ae3dfa805195c31fff17ce5787adb927bcca53c323b17d6568a8107f02b7ff6

SHA512
3e6f065a18774e4764bc8f5c426b611817f571ad18a83b2fa25350dd6d726d99c9676b49f3ac749a0c8734d16c61fe9e7373aac4b48e508d6d60752a090469a0

Download Submit
memory/1508-0-0x0000000073EAE000-0x0000000073EAF000-memory.dmp

Filesize
4KB

Download
memory/1508-1-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download
memory/1508-2-0x0000000073EA0000-0x000000007458E000-memory.dmp

Filesize
6.9MB

Download
memory/1508-280-0x0000000073EA0000-0x000000007458E000-memory.dmp

Filesize
6.9MB

Download