Analysis

  • max time kernel
    1510s
  • max time network
    1551s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    16-10-2024 17:43

General

  • Target

    M.exe

  • Size

    7.7MB

  • MD5

    8d2bb901f05c4a95093b9ccb83fb25f8

  • SHA1

    dd9029f020defa9c940c7e06d898d1ca1d1bcad4

  • SHA256

    3d723ee0ac0517b8eec71b857fc847851024bea672f2e327584a5a0f3dfed5c9

  • SHA512

    e8c8528abb41f1ac011ae4f0a7baabfac75e5be473a50ce69e359e53f10b98a0e7132a09889d2b43c597dc35e05876c5486eb713ee26c7a514ff1515237af6a1

  • SSDEEP

    98304:uRH8WGVBNepIR3pEdEv5VdOZxMUw8W0oaLRRoe8neTdshq:uTIBNepIRaIOZLgaLfojeTd

Malware Config

Signatures

  • Renames multiple (2198) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\M.exe
    "C:\Users\Admin\AppData\Local\Temp\M.exe"
    1⤵
    • Drops startup file
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:5788
    • C:\Windows\system32\cmd.exe
      cmd /c start C:\Users\Admin\Desktop\README-NOW.txt
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3832
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README-NOW.txt
        3⤵
          PID:1540

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Desktop\README-NOW.txt

      Filesize

      1KB

      MD5

      d93ad4a80a2c802ea031c767ce078def

      SHA1

      86ca2f8688864eaf457c5d7daf5e41c2feec1152

      SHA256

      6d7692195fe939c31dbf365acfa6c653c125b3de4c3a15e8f7137a96e0931c13

      SHA512

      acd3703ae8572b04b9492e5d2c28457786ea0deb1bb7c7e2cd44da5a24c603be1399ec84c81a6e2388dc0aa00352a60418a0ffce1cc319673d7065578ca1f6a4