b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13 | Triage

Sharing

General

Target

b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
Size

2.3MB
Sample

241123-dcqa3awpdw
MD5

66c6dfe570b7e10fc9b62614a6bb0476
SHA1

75ca6a5a47105af2855ace988f2e86fb8d54f56a
SHA256

b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13
SHA512

90659304debcbe88595c469e1846ff2f8544da480dcd75ba591079eabfa8e9cca9535f8f8130114f33f5c4317a95c735c26386bbd357a9451b9af2391762db54
SSDEEP

24576:w/F1XGA9DHYdqQiF/swJ0r6ck59yjFGWG04J2ksswOGpyCP5WfWr:w91XRlYdqxF/QU5EH6wOVCBW

Score

10^/10

credential_access discovery execution ransomware spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://i.imgur.com/DQ6FCxz.png

Targets

- Target
  
  b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13.exe
- Size
  
  2.3MB
- MD5
  
  66c6dfe570b7e10fc9b62614a6bb0476
- SHA1
  
  75ca6a5a47105af2855ace988f2e86fb8d54f56a
- SHA256
  
  b44af07de17ed16af4d6699b9462bee6855a0a0207ec787d41f00fbed81e1c13
- SHA512
  
  90659304debcbe88595c469e1846ff2f8544da480dcd75ba591079eabfa8e9cca9535f8f8130114f33f5c4317a95c735c26386bbd357a9451b9af2391762db54
- SSDEEP
  
  24576:w/F1XGA9DHYdqQiF/swJ0r6ck59yjFGWG04J2ksswOGpyCP5WfWr:w91XRlYdqxF/QU5EH6wOVCBW
Score

10^/10

credential_access discovery execution ransomware spyware stealer
- Renames multiple (8750) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Blocklisted process makes network request
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Windows Credential Manager

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

behavioral2

credential_accessdiscoveryexecutionransomwarespywarestealer