Analysis
- max time kernel: 397s
- max time network: 1580s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 16-10-2024 17:43
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: M.exe, Resource: win7-20240903-en)
- Behavioral task: behavioral2 (Sample: M.exe, Resource: win10-20240404-en)
- Behavioral task: behavioral3 (Sample: M.exe, Resource: win10v2004-20241007-en)
- Behavioral task: behavioral4 (Sample: M.exe, Resource: win11-20241007-en)
General
- Target: M.exe
- Size: 7.7MB
- MD5: 8d2bb901f05c4a95093b9ccb83fb25f8
- SHA1: dd9029f020defa9c940c7e06d898d1ca1d1bcad4
- SHA256: 3d723ee0ac0517b8eec71b857fc847851024bea672f2e327584a5a0f3dfed5c9
- SHA512: e8c8528abb41f1ac011ae4f0a7baabfac75e5be473a50ce69e359e53f10b98a0e7132a09889d2b43c597dc35e05876c5486eb713ee26c7a514ff1515237af6a1
- SSDEEP: 98304:uRH8WGVBNepIR3pEdEv5VdOZxMUw8W0oaLRRoe8neTdshq:uTIBNepIRaIOZLgaLfojeTd
Malware Config
Signatures
-
Renames multiple (2056) files with added filename extension
This suggests ransomware activity: the sample appends a new extension to files across the system rather than replacing the existing one.
-
Credentials from Password Stores: Windows Credential Manager (1 TTPs)
Suspicious access to Credentials History.
-
Drops startup file (1 IoCs)
  description   ioc                                                                                            Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.fzrtj  M.exe
The only file created in the Startup folder is its desktop.ini with .fzrtj appended. That is consistent with the bulk rename-and-encrypt behaviour flagged above rather than with a deliberate persistence mechanism; the report lists no executable or shortcut dropped there.
-
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
-
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  1     discord.com
  2     discord.com
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class (1 IoCs)
  description  ioc                                                                                    Process
  Key created  \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings  cmd.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process  procid_target
  PID 2872 wrote to memory of 644   2872  M.exe    75
  PID 2872 wrote to memory of 644   2872  M.exe    75
  PID 644 wrote to memory of 5008   644   cmd.exe  76
  PID 644 wrote to memory of 5008   644   cmd.exe  76
Each write is from a parent to the child it spawned (M.exe to cmd.exe, cmd.exe to NOTEPAD.EXE, matching the process tree), so on its own this signature does not indicate injection into an unrelated process.
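The "renames multiple files with added filename extension" signature above is a counting heuristic: many distinct files gain the same new trailing extension in one run. The following is an added example of that heuristic, written for this page and not taken from the sandbox or the sample. The event layout (one record with old path, new path and acting process), the threshold of 50 and the file names under Documents are assumptions; the .fzrtj extension and the Startup\desktop.ini path come from the report, and the 2056 renames are scaled down to 60 constructed events.

```python
"""Heuristic behind the 'renames multiple files with added filename extension'
signature, run over constructed file-rename events.

Added example for this page, not sandbox or sample code. Event layout,
threshold and Documents file names are assumptions; .fzrtj and the
Startup\\desktop.ini path come from the report.
"""
from collections import defaultdict
from pathlib import PureWindowsPath


def appended_extension(old_path: str, new_path: str):
    """Return the extension appended to old_path to produce new_path, or None.

    Only a pure append counts (report.docx -> report.docx.fzrtj). A replaced
    extension (report.docx -> report.pdf), a move to another directory, or a
    multi-part suffix (.tar.gz) is treated as an ordinary rename.
    """
    old, new = PureWindowsPath(old_path), PureWindowsPath(new_path)
    if old.parent != new.parent:          # PureWindowsPath compares case-insensitively
        return None
    if not new.name.startswith(old.name + "."):
        return None
    ext = new.name[len(old.name) + 1:]
    return ext if ext and "." not in ext else None


def rename_burst(events, threshold=50):
    """Group renames by appended extension and flag extensions that were
    appended to at least `threshold` distinct files.

    Returns {extension: {"count": n, "processes": {image names}}} for every
    flagged extension; an empty dict means nothing crossed the threshold.
    """
    files_by_ext = defaultdict(set)
    procs_by_ext = defaultdict(set)
    for ev in events:
        ext = appended_extension(ev["old"], ev["new"])
        if ext is None:
            continue
        files_by_ext[ext].add(ev["old"].lower())   # distinct files, not events
        procs_by_ext[ext].add(ev["process"])
    return {
        ext: {"count": len(files), "processes": procs_by_ext[ext]}
        for ext, files in files_by_ext.items()
        if len(files) >= threshold
    }


def sample_events():
    """Constructed events (assumed layout). One is the report's Startup
    desktop.ini IoC; 59 more mimic the bulk rename; the rest are benign noise."""
    startup = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    events = [{"process": "M.exe",
               "old": startup + r"\desktop.ini",
               "new": startup + r"\desktop.ini.fzrtj"}]
    for i in range(59):
        events.append({"process": "M.exe",
                       "old": rf"C:\Users\Admin\Documents\file{i}.docx",
                       "new": rf"C:\Users\Admin\Documents\file{i}.docx.fzrtj"})
    events += [
        # replaced extension: ordinary rename, ignored
        {"process": "explorer.exe",
         "old": r"C:\Users\Admin\Desktop\notes.txt",
         "new": r"C:\Users\Admin\Desktop\notes.md"},
        # appended .bak on one file, twice: stays far below threshold
        {"process": "backup.exe",
         "old": r"C:\Data\config.xml", "new": r"C:\Data\config.xml.bak"},
        {"process": "backup.exe",
         "old": r"C:\Data\config.xml", "new": r"C:\Data\config.xml.bak"},
    ]
    return events


if __name__ == "__main__":
    for ext, info in rename_burst(sample_events()).items():
        print(f".{ext}: {info['count']} files renamed by {sorted(info['processes'])}")
```

Counting distinct source files rather than events keeps a tool that repeatedly rewrites one backup file from tripping the rule, and keying on the appended extension rather than the process name is what makes the same logic work when the encryptor runs under a renamed or injected host.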
Processes
-
C:\Users\Admin\AppData\Local\Temp\M.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\M.exe"
  PID: 2872
  - Drops startup file
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      command line: cmd /c start C:\Users\Admin\Desktop\README-NOW.txt
      PID: 644
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\NOTEPAD.EXE
          command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README-NOW.txt
          PID: 5008
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB
MD5: b828aca55cbdbed6e87d959ab16c96d6
SHA1: bbd4a2a4127790d3772aff910a56ed79d1217cf8
SHA256: 7406959f058791d9b68d926470c023aad751fcb7b928c93316e9ff23a7a8e2da
SHA512: 8315bd40d0c31ffef09f3655533b2cac580c7144f308b6049a5b7c89859a1a8ec587896a674fa168c2ee26041131f45f92aa31a3f022b7bc90b173347e141e2b