Analysis

  • max time kernel
    1728s
  • max time network
    1163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-10-2024 17:43

General

  • Target

    M.exe

  • Size

    7.7MB

  • MD5

    8d2bb901f05c4a95093b9ccb83fb25f8

  • SHA1

    dd9029f020defa9c940c7e06d898d1ca1d1bcad4

  • SHA256

    3d723ee0ac0517b8eec71b857fc847851024bea672f2e327584a5a0f3dfed5c9

  • SHA512

    e8c8528abb41f1ac011ae4f0a7baabfac75e5be473a50ce69e359e53f10b98a0e7132a09889d2b43c597dc35e05876c5486eb713ee26c7a514ff1515237af6a1

  • SSDEEP

    98304:uRH8WGVBNepIR3pEdEv5VdOZxMUw8W0oaLRRoe8neTdshq:uTIBNepIRaIOZLgaLfojeTd

Malware Config

Signatures

  • Renames multiple (2326) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\M.exe
    "C:\Users\Admin\AppData\Local\Temp\M.exe"
    1⤵
    • Drops startup file
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:3244
    • C:\Windows\system32\cmd.exe
      cmd /c start C:\Users\Admin\Desktop\README-NOW.txt
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README-NOW.txt
        3⤵
          PID:2340

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Desktop\README-NOW.txt

      Filesize

      1KB

      MD5

      3b4da5dcffffcc8de9f44e969a2e09b9

      SHA1

      4a0809846bf90aba28775ea2c4d997dcc57ec1c0

      SHA256

      05365e9375329638f2757e4000b25aa3b98e44f1c144454000f1230f5607fbb4

      SHA512

      40d006f40f0b5a34218b805e4adec41e0d6197225d30572ab5038737f9f10a012a891a988468b961a07986e4306e9e6c89add0948b129f92d29562907e85a81c