17db6fd9f81222711b1f33983a8f64b8c3bddfc7dc25f4f6b6e0c6c29d877eeb

Resubmissions

05-10-2024 14:52

241005-r81csszekf 9

20-08-2024 13:23

240820-qm5jystfpc 9

Analysis

max time kernel
95s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Morgan.exe
Size

14KB
MD5

cd2149ef2f2c9675e75a224c10f60a8e
SHA1

a1a962caae493a33f947ff6412d18f864c7fc3fb
SHA256

17db6fd9f81222711b1f33983a8f64b8c3bddfc7dc25f4f6b6e0c6c29d877eeb
SHA512

0aad285dcf287da822d1e9abdb444a4c353c66f054f5828df8fd4a7ebdc41ab0e269d4171e99cfee6f4857c5859a663c8b5f0345a0395e2ee2b0ee1dbbc965aa
SSDEEP

192:hI/3edqmr6APSJg15CHEcWIW2g93EUY68FL8GZDAPIrIvCGmaMiDVQvr:HdPKi15Ck4W2g9UUg8GRXLuMiDVMr

Score

9^/10

discovery ransomware spyware stealer

Malware Config

Signatures

Renames multiple (748) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.png"	Morgan.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Morgan.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3964	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2984	Morgan.exe
2984	Morgan.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	Morgan.exe

C:\Users\Admin\AppData\Local\Temp\Morgan.exe
"C:\Users\Admin\AppData\Local\Temp\Morgan.exe"
1⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log.alci

Filesize
16B

MD5
2b852f3ff21ec150d38955996601860c

SHA1
de7137883c5e8cea72036e8956dd536b72de94d1

SHA256
46299c414931db1fc57e3aac297f7bfb95da426644e88223169babb43866b96d

SHA512
114149478a5f4a963689f532a20bb252f12aa6914684152c616e167efa97ffaeeb00c68ef1ea03b3cce9a125dbeaadb2b107616f1ceb3ed4a4eb5a01264bee1c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.alci

Filesize
8KB

MD5
6227261b1c40c57f4918168df7985a99

SHA1
d78c9f819df96de7c2f797c819906a81b391415c

SHA256
5ebce46fc3de1743db53fe0e6474f0118b0f020c25e4a1455d7056c05c5af099

SHA512
10df4982c4cabf2a5a01f203c2efc6c224201ff6d38d3fc40fafec66a4e9411d5e5f8a8a8b8376e1e30051631127f9981abc481dba5a3011e72cd90fff66d3af

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{62dae786-3a6b-4e1b-8a31-77837716d7ba}\0.1.filtertrie.intermediate.txt.alci

Filesize
16B

MD5
b04f41deb9720685f20ae417e7cba6af

SHA1
b487ebbb43f0bf287d3a438e2c4c53004ff40030

SHA256
e620bc12ace63460cf1a615843466d90e8c5847892b9fc4767c2dde421f7bc03

SHA512
fd9ad99efb949029b16c41554dc4b91770f971453971af0d2dfb6153472dd32d7104a3f4b93682ce219bdee2ccdc8c059ed852f557ddb5b08abfb3ab74908ada

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{62dae786-3a6b-4e1b-8a31-77837716d7ba}\0.2.filtertrie.intermediate.txt.alci

Filesize
16B

MD5
5576669c0bc2bbf1ceb545cd0d894255

SHA1
12e3883b089d60c5ebb97c0a79c435eaf446fd01

SHA256
a93f51f9ec1300f7dd1e8be2c1beba9b47e1a015bb08096062730ee94888f4b8

SHA512
b718a0b7e2250b95a843899d3d24b3c87e92021c0953bdfa2f0b2891043223597146ccdddc368843e4d9e2a704ca0227c7bce7029fce2bffd5cfa06b9462cb11

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670754182594331.txt.alci

Filesize
77KB

MD5
65c7d2c6ddc4ffb923871f981d8e168e

SHA1
7f9c3914e75b06ebf8e5b8f26351114e032ef2fb

SHA256
cb3f2027f82b69d0f0dcc78e94692deded007d78b6e2ceb4153c285487c3457f

SHA512
379bf14ec6f5899c46d821c54740556f0ffea58f8aea067fdbd1aa9b4edcd431f57f289c812a319a43dd450a8059f0b4de7b1983ccb728fb464ba8c938db050e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670756182462133.txt.alci

Filesize
47KB

MD5
d6812c611c8ef1562b64eca9ee6c98d1

SHA1
545c8224a3eb596d3003e4b6ce26087cd087db47

SHA256
d07decbd6ec971a9282c79e283f1665575f8ce7d921698a337f87c5c8a7090d1

SHA512
be377b8182ffb18bce9bc7a7e85ecb86a961c4b825330270551593d3aface907e9a6e5e7df01e628048d5275354b27b63047edc2da99099f880a1cc8cec5c9a4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670762750809265.txt.alci

Filesize
65KB

MD5
0a28de27fe9993332ccea765d3ca09b6

SHA1
7b7b4aecf5cc600aea197b4b09e023b2ae8e7838

SHA256
797fd3f310305aa001ac074a4b65a3dee1d20b2ab598fa1edb2e017d968c9ed1

SHA512
3aff83c1b34755885d22c417910ac3e9c13529d751978f6ceacb9ec23c46bec0893cbf4df035a71b29bb8365339893b6580fd5c9b197942c62d84115154a03f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5r4i2p4s.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.alci

Filesize
48KB

MD5
e18de76129321196d0be7df40994c0c3

SHA1
88660e8370c251af28c48f60c6fadc11bc945568

SHA256
105d9cdc4225d599d276fec286d9407f6d1880148ef5a057403a282692e6a4a6

SHA512
0bf0735e50352c2e52037255dc91c893f3027a7b4e2e95fb0d3faaafb2a76e7e0651ca23dc6969e686742a781b11ab245a8db2627d76b6140d366c305fc4cf36

Download Submit
C:\Users\Admin\Desktop\README.txt

Filesize
79B

MD5
e7d2fa002fbe0e2bd5ef524277d0487b

SHA1
a35c931c10832a053500364e3625959d46accbc2

SHA256
c02212955b98dd5f68117301335e3062af9aa2c0054d6b15a9de4c602367442c

SHA512
273fd906630b87c43808e7648439f9eabe8405ab7c0e057a9d4538e31b753fb8eb28b38039e795ca1d50ad88e01f9135fa3962137752b95c0c0e01d8e0882cd3

Download Submit
memory/2984-2-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/2984-1-0x0000000000D20000-0x0000000000D2A000-memory.dmp

Filesize
40KB

Download
memory/2984-0-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

Filesize
4KB

Download
memory/2984-754-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download