Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/11/2024, 12:12

General

  • Target

    4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe

  • Size

    165KB

  • MD5

    65c0c7c9fe6bc1d5296447aae6c6c14c

  • SHA1

    67217e5c6859afb1b2c736625fcf8bee9ad158cc

  • SHA256

    4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412

  • SHA512

    2453322a835c47aa10c1c7d3005319e75c01faf972efb03de9381f9dac870849917e96ca58cdd0e1f501b3d016dbda73a12af446971b545fe9fd164d739ce264

  • SSDEEP

    3072:l7v9etA6pzarOLgSua/iw6kzgm0Ip1qHlBxpN/FaV0jZB6SbFW2CT75I8Buowhvw:ljm0IpqlBxpN/Fd5bFWLT7mM7w0F3+k1

Malware Config

Signatures

  • Renames multiple (313) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe
    "C:\Users\Admin\AppData\Local\Temp\4e5b9ab271a1409be300e5f3fd90f934f317116f30b40eddc82a4dfd18366412.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2368
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:5744
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:5924
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{2D6D0FA5-0C56-44C2-9C0B-50E5D2670DF7}.xps" 133752823341110000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:5204

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Adobe\Setup\README.txt
    Filesize
    1KB
    MD5
    a2216a7155bebb30e67f217f6fd232f5
    SHA1
    c8f100b610a63f28921c686a8a4a6fd9aa2153e0
    SHA256
    ef01b2342b49597ad0e326cad64ab471ec4460e09fe66a90e75bc30bf209cfc8
    SHA512
    57f383a840d74bb98185022b21204eb9954b0cf98c9188146dfe902d658e95fc71467195359394cfd73486ccb2315c19930685e6ae046ecd452caeb854fed498

  • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
    Filesize
    4KB
    MD5
    ddac2c2ef06598adcad51931d32c6444
    SHA1
    ad0e3ab81184ed417d19e5b0b920b72530dd8e5e
    SHA256
    af9f8ee2fd61d8ae56a0fb8e2cc862807b7e8d637e33cda11da3e19858a169ba
    SHA512
    e014100b63f049e4b0f7fd36f88a1e368687e0520c312adf36b8c336649754516b90467aeb1ebe9c91b06a0230f93d263543f69b4f2aa78b4c0605634f6aa92d

  • memory/5204-908-0x00007FFB8B8F0000-0x00007FFB8B900000-memory.dmp
    Filesize
    64KB

  • memory/5204-907-0x00007FFB8B8F0000-0x00007FFB8B900000-memory.dmp
    Filesize
    64KB

  • memory/5204-906-0x00007FFB8B8F0000-0x00007FFB8B900000-memory.dmp
    Filesize
    64KB

  • memory/5204-905-0x00007FFB8B8F0000-0x00007FFB8B900000-memory.dmp
    Filesize
    64KB

  • memory/5204-904-0x00007FFB8B8F0000-0x00007FFB8B900000-memory.dmp
    Filesize
    64KB

  • memory/5204-909-0x00007FFB89420000-0x00007FFB89430000-memory.dmp
    Filesize
    64KB

  • memory/5204-910-0x00007FFB89420000-0x00007FFB89430000-memory.dmp
    Filesize
    64KB