2c41808826974a0fdd3c7b27850143cad077a79e0cf69c011da495d6abee679a

Resubmissions

24-11-2024 19:42

241124-yexs5s1rgq 10

24-11-2024 09:24

241124-lc6xtatmay 10

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe
Size

254KB
MD5

09b5f5200e59d3a4623d739661ce9832
SHA1

8cfecf1996164ea98bbffbedc951b740cb35ca94
SHA256

a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323
SHA512

932448936c0e6e48ad059b4b224ba94e723f771d7d31f0e183f65ab46fff18ff01d5f7185a30258a1c46c7777677c4f2defefcc1db2645f732f3c13bb98b5977
SSDEEP

3072:nl6lh5pdDkFgvGRPLYYhmB218CdV3GB9Qr8lWmN5PSRs5CMMXQFPml5gdN+98bep:oj7ToPpmBHi2B9mXx98beF+LUDj0YUk

Score

10^/10

credential_access discovery execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\K18zGoDMql.README.txt

Ransom Note

ATTENTION! Don’t worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that’s price for you is $490. Please note that you’ll never restore your data without payment. To get this software and key you need join our server discord: discord.gg/ Personal ID: 71714dab686b45fc9552bf93b31d8588

Signatures

Renames multiple (391) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1656	powershell.exe
1336	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
10	discord.com
11	discord.com
12	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ipinfo.io
6	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
488	wmic.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2636	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1656	powershell.exe
2992	powershell.exe
1336	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeIncreaseQuotaPrivilege	2356	wmic.exe
Token: SeSecurityPrivilege	2356	wmic.exe
Token: SeTakeOwnershipPrivilege	2356	wmic.exe
Token: SeLoadDriverPrivilege	2356	wmic.exe
Token: SeSystemProfilePrivilege	2356	wmic.exe
Token: SeSystemtimePrivilege	2356	wmic.exe
Token: SeProfSingleProcessPrivilege	2356	wmic.exe
Token: SeIncBasePriorityPrivilege	2356	wmic.exe
Token: SeCreatePagefilePrivilege	2356	wmic.exe
Token: SeBackupPrivilege	2356	wmic.exe
Token: SeRestorePrivilege	2356	wmic.exe
Token: SeShutdownPrivilege	2356	wmic.exe
Token: SeDebugPrivilege	2356	wmic.exe
Token: SeSystemEnvironmentPrivilege	2356	wmic.exe
Token: SeRemoteShutdownPrivilege	2356	wmic.exe
Token: SeUndockPrivilege	2356	wmic.exe
Token: SeManageVolumePrivilege	2356	wmic.exe
Token: 33	2356	wmic.exe
Token: 34	2356	wmic.exe
Token: 35	2356	wmic.exe
Token: SeIncreaseQuotaPrivilege	2356	wmic.exe
Token: SeSecurityPrivilege	2356	wmic.exe
Token: SeTakeOwnershipPrivilege	2356	wmic.exe
Token: SeLoadDriverPrivilege	2356	wmic.exe
Token: SeSystemProfilePrivilege	2356	wmic.exe
Token: SeSystemtimePrivilege	2356	wmic.exe
Token: SeProfSingleProcessPrivilege	2356	wmic.exe
Token: SeIncBasePriorityPrivilege	2356	wmic.exe
Token: SeCreatePagefilePrivilege	2356	wmic.exe
Token: SeBackupPrivilege	2356	wmic.exe
Token: SeRestorePrivilege	2356	wmic.exe
Token: SeShutdownPrivilege	2356	wmic.exe
Token: SeDebugPrivilege	2356	wmic.exe
Token: SeSystemEnvironmentPrivilege	2356	wmic.exe
Token: SeRemoteShutdownPrivilege	2356	wmic.exe
Token: SeUndockPrivilege	2356	wmic.exe
Token: SeManageVolumePrivilege	2356	wmic.exe
Token: 33	2356	wmic.exe
Token: 34	2356	wmic.exe
Token: 35	2356	wmic.exe
Token: SeIncreaseQuotaPrivilege	2732	wmic.exe
Token: SeSecurityPrivilege	2732	wmic.exe
Token: SeTakeOwnershipPrivilege	2732	wmic.exe
Token: SeLoadDriverPrivilege	2732	wmic.exe
Token: SeSystemProfilePrivilege	2732	wmic.exe
Token: SeSystemtimePrivilege	2732	wmic.exe
Token: SeProfSingleProcessPrivilege	2732	wmic.exe
Token: SeIncBasePriorityPrivilege	2732	wmic.exe
Token: SeCreatePagefilePrivilege	2732	wmic.exe
Token: SeBackupPrivilege	2732	wmic.exe
Token: SeRestorePrivilege	2732	wmic.exe
Token: SeShutdownPrivilege	2732	wmic.exe
Token: SeDebugPrivilege	2732	wmic.exe
Token: SeSystemEnvironmentPrivilege	2732	wmic.exe
Token: SeRemoteShutdownPrivilege	2732	wmic.exe
Token: SeUndockPrivilege	2732	wmic.exe
Token: SeManageVolumePrivilege	2732	wmic.exe
Token: 33	2732	wmic.exe
Token: 34	2732	wmic.exe
Token: 35	2732	wmic.exe
Token: SeIncreaseQuotaPrivilege	2732	wmic.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 1656	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	31
PID 2096 wrote to memory of 1656	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	31
PID 2096 wrote to memory of 1656	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	31
PID 2096 wrote to memory of 2992	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	33
PID 2096 wrote to memory of 2992	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	33
PID 2096 wrote to memory of 2992	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	33
PID 2096 wrote to memory of 2356	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	35
PID 2096 wrote to memory of 2356	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	35
PID 2096 wrote to memory of 2356	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	35
PID 2096 wrote to memory of 2732	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	38
PID 2096 wrote to memory of 2732	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	38
PID 2096 wrote to memory of 2732	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	38
PID 2096 wrote to memory of 2080	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	40
PID 2096 wrote to memory of 2080	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	40
PID 2096 wrote to memory of 2080	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	40
PID 2096 wrote to memory of 1336	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	42
PID 2096 wrote to memory of 1336	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	42
PID 2096 wrote to memory of 1336	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	42
PID 2096 wrote to memory of 488	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	44
PID 2096 wrote to memory of 488	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	44
PID 2096 wrote to memory of 488	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	44
PID 2096 wrote to memory of 2636	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	46
PID 2096 wrote to memory of 2636	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	46
PID 2096 wrote to memory of 2636	2096	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	46

C:\Users\Admin\AppData\Local\Temp\a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe
"C:\Users\Admin\AppData\Local\Temp\a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1336
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:488
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\K18zGoDMql.README.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2

Filesize
10KB

MD5
24388ac2c707ded087f692e27454b7f6

SHA1
031524473accebf07abb4ea6e7dfc180ce202f5e

SHA256
3379e321edc52b9185b3a0166bf3e532fc5192717fbdfb6084153fd94b9da2e0

SHA512
66ca3b831d1ac01453060bccd5c69fcd36a68ffcbfd1382a31cdbb454236915dcd39656e15fd22efebb5743dca1d42e879d2715640569823796235a659adb611

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT

Filesize
24B

MD5
cbc537c2311430893229227f07f06370

SHA1
0fee9b74fee7cb4951be7d43d3a370408a2e823b

SHA256
9efa6a94dd91bef58a9c42eca07be4550173d4967a7d8d81266d76c9c434b7ed

SHA512
383c727654d6a3df7e5c8854555c8aa320c66abd68feee1975fe2b8bc4d5bec27cf0f06bdb2512a2858e6a1394c0cd46cdbc22b4e80c05fe155006b7701e32fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
10KB

MD5
f4504be656029878e405edfd94d493a3

SHA1
d8dc96db8ff1f362c6d2ac91bcebc2dfea4517d5

SHA256
2418b40d913257863976067a836c470033d7f23052ee0a21da916623b3807c66

SHA512
063558f6cfec218715e940a3585a047ce2312b17024cda029bfb3851cffb3173f1354fea779036f8befbdb6c35d45d5f6bcbe530fe6d383dc1ade5c1a751df40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
352KB

MD5
933b9a3b09dea50f5e822b7cad3e9846

SHA1
3dd1bede4dfe982f8794ecfbabd9e69603d6b9e0

SHA256
a8fb0050aed9e95d261e71025e1df3d1dfe698d47fb88909dd303cf5c1c4e39b

SHA512
47637e7f16f58fbf538215a1dc3d76145295a2c97a88b94e0150248a5c96b1a3ed3170b26aa08106be51eb7d7462caa31e80d98612ba8b995c2ff2810e501a70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
10KB

MD5
1e34706ad3f566bcbaf7e669b65ab4ae

SHA1
3453bf3a6d92b07836e0b1fc57209457a51728fc

SHA256
6b51bfee7d4c492b53b1449b5eba065cd6b1996c699e3c3d535ebad9856a875b

SHA512
6c535b511738021eff0dca9dba6e79e861232e4bc857331733e64213241e09cee42bfe9e78e9a03b22114578d850c477f0cf5c805b6686d5b9e1db5c7c4e97a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\K18zGoDMql.README.txt

Filesize
668B

MD5
31ca9e1e7e2f646a0523e596167a4e6b

SHA1
04240a529c938eab852b35e60ea0f5757bcd72f2

SHA256
181315dd17b39f821167f19a98e4e305f172691187aebaf02ff074e0da4a5759

SHA512
6b44d0b6d341c5d1592d1d4d80a60f9d767375a3cfd93c07cffe7e5bb6ccb7cd0a2254664fcd52cca76cb327f34148bae261d75fa8bfd5fe64aafbe4e037bb62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7ec89abe0ce17c1c77a6bd7ba8f1e303

SHA1
e8049b260f6875b0983c5c0185f04168841c382f

SHA256
707e3d83203f415beb469dcf2c6c1c25356d24bcac4e496055f33624c6f3de92

SHA512
e64c505163feac1151cc61cf428ff296fbeb64fad21afe7075c2cbbc400d1afb530dfb39e9995b1986f50d0d3e9286442cfe0255acbc71a2482126812efdb527

Download Submit
C:\Users\Admin\Desktop\ReadResume.xlsx

Filesize
17KB

MD5
aacda9ab88f6b9a58c5a499a472734ee

SHA1
6693a4028e7f839e49407cb3e69b3710e114857b

SHA256
8dda3bab3fc0ed891116b840ebc48604a4f9f111a2b4dd051130758134bdad18

SHA512
9de426da02183d0bd9e05da3c02b9157e184d45e588c45442c8a10b18fe793350c6ca8ee5b565a65b34e0e3add8e36dc796f1b29fea559a532d91b22d91d41bd

Download Submit
memory/1336-33-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/1656-14-0x000007FEEF1B0000-0x000007FEEFB4D000-memory.dmp

Filesize
9.6MB

Download
memory/1656-11-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1656-15-0x000007FEEF1B0000-0x000007FEEFB4D000-memory.dmp

Filesize
9.6MB

Download
memory/1656-10-0x000007FEEF46E000-0x000007FEEF46F000-memory.dmp

Filesize
4KB

Download
memory/1656-17-0x000007FEEF1B0000-0x000007FEEFB4D000-memory.dmp

Filesize
9.6MB

Download
memory/1656-16-0x000007FEEF1B0000-0x000007FEEFB4D000-memory.dmp

Filesize
9.6MB

Download
memory/1656-12-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/1656-13-0x000007FEEF1B0000-0x000007FEEFB4D000-memory.dmp

Filesize
9.6MB

Download
memory/2096-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

Filesize
4KB

Download
memory/2096-35-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

Filesize
4KB

Download
memory/2096-432-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-2-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-1-0x0000000000950000-0x0000000000994000-memory.dmp

Filesize
272KB

Download
memory/2096-747-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2992-24-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2992-23-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download