Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-11-2024 09:21

General

  • Target

    78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe

  • Size

    865KB

  • MD5

    dbf3707a9cd090853a11dda9cfa78ff0

  • SHA1

    5af5403d8e003812a34c7b085d878680d7130ad5

  • SHA256

    78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669

  • SHA512

    68b1627ed20e6980c32c44df3560fc3eeed37db2c47caaf8db86461c594a5d040a7404be777374af512fe05fcdc2f15a6014a914b1445c2e23adb741db68c7e0

  • SSDEEP

    12288:SCdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBga+Q9bN9jQl:SCdxte/80jYLT3U1jfsWa+QpN9jQl

Malware Config

Signatures

  • Renames multiple (340) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe
    "C:\Users\Admin\AppData\Local\Temp\78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1484
    • C:\Users\Admin\AppData\Roaming\scvhost.exe
      "C:\Users\Admin\AppData\Roaming\scvhost.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      PID:4024

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658826891613.txt.locked

    Filesize

    77KB

    MD5

    e130744887a8b60505f8d55a21f6e40a

    SHA1

    f86fa40fe462a9d7857e6e5cecf380f381790f81

    SHA256

    37a2dc8593ea862a9d512f4f46d13cf2f417a8ac45bca14baf6136eb67250afa

    SHA512

    c6ef49d52a4d02815c8dba1bb640b49b36ae9ab464ad9eed746020c743afbda7d772e47cb53c0f842b3b10991ce6c88400d9089a40e3807949d4112cb8189f70

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727660257997193.txt.locked

    Filesize

    47KB

    MD5

    ea2352483516014d022413504a74c72d

    SHA1

    6aa1aae252345cc6f03ab658cbbdf130357ea6e0

    SHA256

    edfadb0405fbfd1da0861e76511142a4d50604ebb72006ea21fface3c2977c79

    SHA512

    9f5296a11836733d084dd89283d8de063f3d0a598b826d2e34dc36bce1ae3c0ce9b3f75d7c1ad3aea384a6e9840f45e746a18892f3466785cf1875d825f9dfbd

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727666145703406.txt.locked

    Filesize

    65KB

    MD5

    1bfc3cb82b5351b01836fe75f0d0845f

    SHA1

    d0dfaf96fda7a95289e96502f8c324cdfda6badd

    SHA256

    d3b85bf0aaf23d910491caccbefb949b3d35429ad55212919a9284258fd1406d

    SHA512

    7346162a717cd2405303fa9744ac7b7fe13fbb29fcf8f5d89d476057c79133daffb40ae7a3f89f6f29d0a00a95eae7b0e3dba1795ffe2dccdf64e2387b1ab695

  • C:\Users\Admin\AppData\Local\Temp\xkrfmsz

    Filesize

    26KB

    MD5

    daa74c9be0ea2bcbf174c3398e98dbfb

    SHA1

    e5a23e3853fdcf2fab54d6a708091086a0370282

    SHA256

    4c37593255835b87267a97e401eb97a177f9ee96fd8edb83b7df4e539d2f26ac

    SHA512

    6b3ccf7a0ce3a68bf0f7e8823e9129baa10c26b56d698a079564bc2c8a1ca60ecae7ae9b24f3b592f53a07f2b3128f0520e3a02c408e8d927c24ff720ac28d9c

  • C:\Users\Admin\AppData\Roaming\3C313738876E48CAD3B4C9FD0DA247CA

    Filesize

    4KB

    MD5

    9c819cdb7bdfe050c8d22a0d7ce68df2

    SHA1

    a73124bfbf34b1448f92d00f305025f3ad93c56d

    SHA256

    ec942dae0505de28a0b6102b6422f6b37c78fc727f402af9096ccc265e9cde7c

    SHA512

    e6bbb80e0a9ad31ae49a8af6c46c462d76322bd2388d053d6f470d706a9a574828f480d7c4c35b15eefb1e383ebf1150d9d07621e224d49675890b35cdf8ed36

  • C:\Users\Admin\AppData\Roaming\7C40D317FC40C897D1FCBA2A96BB2401

    Filesize

    55B

    MD5

    d8b961c8432a069dc3f743b33b1a8983

    SHA1

    bd0f181c12879b562c496c5c3f1760d335061564

    SHA256

    ad144641e38eb701a569b7889e1bf5e080375a7bc4e21ff2ad35d3e352d924f6

    SHA512

    7d8ec6db750f0a6a2db861e98e4b5a23a67bf15b1f05435f06935b2e0871dd4743b454b7350c8b0e37366ea78b53147f98fb2f64b7cc9d868076531bce49badd

  • C:\Users\Admin\AppData\Roaming\scvhost.exe

    Filesize

    865KB

    MD5

    dbf3707a9cd090853a11dda9cfa78ff0

    SHA1

    5af5403d8e003812a34c7b085d878680d7130ad5

    SHA256

    78db508226ccacd363fc0f02b3ae326a2bdd0baed3ae51ddf59c3fc0fcf60669

    SHA512

    68b1627ed20e6980c32c44df3560fc3eeed37db2c47caaf8db86461c594a5d040a7404be777374af512fe05fcdc2f15a6014a914b1445c2e23adb741db68c7e0