Analysis

  • max time kernel
    397s
  • max time network
    1580s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    16-10-2024 17:43

General

  • Target

    M.exe

  • Size

    7.7MB

  • MD5

    8d2bb901f05c4a95093b9ccb83fb25f8

  • SHA1

    dd9029f020defa9c940c7e06d898d1ca1d1bcad4

  • SHA256

    3d723ee0ac0517b8eec71b857fc847851024bea672f2e327584a5a0f3dfed5c9

  • SHA512

    e8c8528abb41f1ac011ae4f0a7baabfac75e5be473a50ce69e359e53f10b98a0e7132a09889d2b43c597dc35e05876c5486eb713ee26c7a514ff1515237af6a1

  • SSDEEP

    98304:uRH8WGVBNepIR3pEdEv5VdOZxMUw8W0oaLRRoe8neTdshq:uTIBNepIRaIOZLgaLfojeTd

Signatures

  • Renames multiple (2056) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\M.exe
    "C:\Users\Admin\AppData\Local\Temp\M.exe"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\system32\cmd.exe
      cmd /c start C:\Users\Admin\Desktop\README-NOW.txt
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:644
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README-NOW.txt
        3⤵
        PID:5008

Downloads

  • C:\Users\Admin\Desktop\README-NOW.txt

    Filesize

    1KB

    MD5

    b828aca55cbdbed6e87d959ab16c96d6

    SHA1

    bbd4a2a4127790d3772aff910a56ed79d1217cf8

    SHA256

    7406959f058791d9b68d926470c023aad751fcb7b928c93316e9ff23a7a8e2da

    SHA512

    8315bd40d0c31ffef09f3655533b2cac580c7144f308b6049a5b7c89859a1a8ec587896a674fa168c2ee26041131f45f92aa31a3f022b7bc90b173347e141e2b