2c41808826974a0fdd3c7b27850143cad077a79e0cf69c011da495d6abee679a

Resubmissions

24-11-2024 19:42

241124-yexs5s1rgq 10

24-11-2024 09:24

241124-lc6xtatmay 10

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe
Size

254KB
MD5

09b5f5200e59d3a4623d739661ce9832
SHA1

8cfecf1996164ea98bbffbedc951b740cb35ca94
SHA256

a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323
SHA512

932448936c0e6e48ad059b4b224ba94e723f771d7d31f0e183f65ab46fff18ff01d5f7185a30258a1c46c7777677c4f2defefcc1db2645f732f3c13bb98b5977
SSDEEP

3072:nl6lh5pdDkFgvGRPLYYhmB218CdV3GB9Qr8lWmN5PSRs5CMMXQFPml5gdN+98bep:oj7ToPpmBHi2B9mXx98beF+LUDj0YUk

Score

10^/10

credential_access discovery execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\F3z4GFgv2s.README.txt

Ransom Note

ATTENTION! Don’t worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that’s price for you is $490. Please note that you’ll never restore your data without payment. To get this software and key you need join our server discord: discord.gg/ Personal ID: 1c66fe1dc36d4408a2b9e0735c4bd3d4

Signatures

Renames multiple (374) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1788	powershell.exe
2620	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
12	discord.com
10	discord.com
11	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com
8	ipinfo.io

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2580	wmic.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2864	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2620	powershell.exe
2812	powershell.exe
1788	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeIncreaseQuotaPrivilege	1920	wmic.exe
Token: SeSecurityPrivilege	1920	wmic.exe
Token: SeTakeOwnershipPrivilege	1920	wmic.exe
Token: SeLoadDriverPrivilege	1920	wmic.exe
Token: SeSystemProfilePrivilege	1920	wmic.exe
Token: SeSystemtimePrivilege	1920	wmic.exe
Token: SeProfSingleProcessPrivilege	1920	wmic.exe
Token: SeIncBasePriorityPrivilege	1920	wmic.exe
Token: SeCreatePagefilePrivilege	1920	wmic.exe
Token: SeBackupPrivilege	1920	wmic.exe
Token: SeRestorePrivilege	1920	wmic.exe
Token: SeShutdownPrivilege	1920	wmic.exe
Token: SeDebugPrivilege	1920	wmic.exe
Token: SeSystemEnvironmentPrivilege	1920	wmic.exe
Token: SeRemoteShutdownPrivilege	1920	wmic.exe
Token: SeUndockPrivilege	1920	wmic.exe
Token: SeManageVolumePrivilege	1920	wmic.exe
Token: 33	1920	wmic.exe
Token: 34	1920	wmic.exe
Token: 35	1920	wmic.exe
Token: SeIncreaseQuotaPrivilege	1920	wmic.exe
Token: SeSecurityPrivilege	1920	wmic.exe
Token: SeTakeOwnershipPrivilege	1920	wmic.exe
Token: SeLoadDriverPrivilege	1920	wmic.exe
Token: SeSystemProfilePrivilege	1920	wmic.exe
Token: SeSystemtimePrivilege	1920	wmic.exe
Token: SeProfSingleProcessPrivilege	1920	wmic.exe
Token: SeIncBasePriorityPrivilege	1920	wmic.exe
Token: SeCreatePagefilePrivilege	1920	wmic.exe
Token: SeBackupPrivilege	1920	wmic.exe
Token: SeRestorePrivilege	1920	wmic.exe
Token: SeShutdownPrivilege	1920	wmic.exe
Token: SeDebugPrivilege	1920	wmic.exe
Token: SeSystemEnvironmentPrivilege	1920	wmic.exe
Token: SeRemoteShutdownPrivilege	1920	wmic.exe
Token: SeUndockPrivilege	1920	wmic.exe
Token: SeManageVolumePrivilege	1920	wmic.exe
Token: 33	1920	wmic.exe
Token: 34	1920	wmic.exe
Token: 35	1920	wmic.exe
Token: SeIncreaseQuotaPrivilege	1916	wmic.exe
Token: SeSecurityPrivilege	1916	wmic.exe
Token: SeTakeOwnershipPrivilege	1916	wmic.exe
Token: SeLoadDriverPrivilege	1916	wmic.exe
Token: SeSystemProfilePrivilege	1916	wmic.exe
Token: SeSystemtimePrivilege	1916	wmic.exe
Token: SeProfSingleProcessPrivilege	1916	wmic.exe
Token: SeIncBasePriorityPrivilege	1916	wmic.exe
Token: SeCreatePagefilePrivilege	1916	wmic.exe
Token: SeBackupPrivilege	1916	wmic.exe
Token: SeRestorePrivilege	1916	wmic.exe
Token: SeShutdownPrivilege	1916	wmic.exe
Token: SeDebugPrivilege	1916	wmic.exe
Token: SeSystemEnvironmentPrivilege	1916	wmic.exe
Token: SeRemoteShutdownPrivilege	1916	wmic.exe
Token: SeUndockPrivilege	1916	wmic.exe
Token: SeManageVolumePrivilege	1916	wmic.exe
Token: 33	1916	wmic.exe
Token: 34	1916	wmic.exe
Token: 35	1916	wmic.exe
Token: SeIncreaseQuotaPrivilege	1916	wmic.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2620	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	31
PID 2176 wrote to memory of 2620	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	31
PID 2176 wrote to memory of 2620	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	31
PID 2176 wrote to memory of 2812	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	34
PID 2176 wrote to memory of 2812	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	34
PID 2176 wrote to memory of 2812	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	34
PID 2176 wrote to memory of 1920	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	36
PID 2176 wrote to memory of 1920	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	36
PID 2176 wrote to memory of 1920	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	36
PID 2176 wrote to memory of 1916	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	39
PID 2176 wrote to memory of 1916	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	39
PID 2176 wrote to memory of 1916	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	39
PID 2176 wrote to memory of 2136	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	41
PID 2176 wrote to memory of 2136	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	41
PID 2176 wrote to memory of 2136	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	41
PID 2176 wrote to memory of 1788	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	43
PID 2176 wrote to memory of 1788	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	43
PID 2176 wrote to memory of 1788	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	43
PID 2176 wrote to memory of 2580	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	45
PID 2176 wrote to memory of 2580	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	45
PID 2176 wrote to memory of 2580	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	45
PID 2176 wrote to memory of 2864	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	47
PID 2176 wrote to memory of 2864	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	47
PID 2176 wrote to memory of 2864	2176	a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe	47

C:\Users\Admin\AppData\Local\Temp\a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe
"C:\Users\Admin\AppData\Local\Temp\a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1788
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2580
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\F3z4GFgv2s.README.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT

Filesize
24B

MD5
dbbdb82b93ae5d2d2e5ca2996084d667

SHA1
a9b1089bfde693532f8d424ed5e88f7b772e1c74

SHA256
3d472fabd9e13ca794f8b034931e4608b33fa14baae2739fc30c674deb81dfb9

SHA512
04d1e31de93e68d7851ffe325f15428ea61776e1eb89ff6ec93c91d9b51c98aedc4623155897ae99e4aed2ca25478582f8ea8a53b02bf3136de32f5f6a3b980e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
10KB

MD5
a2d33aedfdc90e1b36dead8004b76420

SHA1
ed6e9d0a9f05099edba731256f382946d178df18

SHA256
1dfaa1b6e0a579d62b35c3d10e5d92586beeb5b4a80fd1f19098a232b2c5fe2d

SHA512
40bff93322fc4e53bc409d8a53fa369e7a8cc60d21e231dd85d4f211cf9d0f518a7ae89cc5940e6f4dade239146a2eb9207a3a1632d66813f336ba047f445403

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
352KB

MD5
1e7a2e4e3351463f9379f9554fddff80

SHA1
467e42b348e637060716a77b26ce93021126dbc7

SHA256
de3ccc96e8de648e5beb687fda7490e9e99b766b399860e70af880a223c923f5

SHA512
1c9dd573dc85730554ace04605f958ca94b9a91344b1caa27d941df15ec80f2f2632891bab8482c40913e1bee934fd7ff1cc65e78dcb96e36b735c12a2b338e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_2

Filesize
10KB

MD5
07bd4594d194b202fff8106c76544d0e

SHA1
93a869c0f2b0995df4db4f7356987ab3988eb2c8

SHA256
66140898bfacadb289d74991ea77749e31143b065a1489b194cb3f06d38f730e

SHA512
85b14ff206d2ebd0bc74567000d8842454829118a614181fb17d760d938c93e0f1fdb228ebc015de0ea48afd357ac8500ce3545626c3b5ad4ccce5193ef2ee4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
10KB

MD5
770f79994a900d33693a1256ce2add41

SHA1
a94be7dbb7c12aa0e0d1164e7f497dd8a748776d

SHA256
aba7112186dd1cadd3e58d1086807ca514b51af5bdb77e58c200496fdc9ab075

SHA512
ab285acd4fa4aba14ad0642fbf5c25cc1d04a6bd46f83e7b9e0778736bdf04251eb58dd9799167f29b9457a9a0f6f3d59e7e0d58523eed645939cd34c5bd87ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\F3z4GFgv2s.README.txt

Filesize
668B

MD5
bf6b28575cbf7eff9e46d01352ad689e

SHA1
29e7d940e23b5d65c194ea7f65973d51bff26432

SHA256
75212adf1bf62d9b66ad19149a1cc1d6678b8d1e705fc02eb8389c47dac51970

SHA512
e5f4c0ceda262c04132d9923a6305b18d88918a80d6fe1faaed17e6c7056fc47ddb63c151c1a973af9a71db93389767a5363b19130374535b055fa251fb943fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
71c6d21764ef1c966a7a2dbe19e89204

SHA1
93234cf6f2f9e62727234619e02f92a61ad16f4e

SHA256
646243d200581d7d240f946812654bef53ba5eb23f0ca73de9cb069c89fa2abc

SHA512
c690532163abc45f9373162ef120bd3e6ba419fb24e1d0e618b6081065d220d892055fce717eb4c8d1a9f0669fa4527117331f5e8f90b6dd8250829b187d4141

Download Submit
C:\Users\Admin\Desktop\WriteRevoke.xlsx

Filesize
14KB

MD5
13978be385498d722ab4b0dd780efb77

SHA1
50e2b8814e5fdc54efac1297c56da122a5807da1

SHA256
63832d0c9a0ab312c79987b915cac3dc9219fb1134669f3ed5ada3038784979d

SHA512
f1e0dd2bf76ba164e65847f2d9e7725d8ffcc29a98b838b8f6a50f44bc01b185fb694fcac0693d6707c75714b8fbfae3e5ff97371ef4397241ba0df883221916

Download Submit
memory/2176-40-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/2176-719-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2176-1-0x0000000000990000-0x00000000009D4000-memory.dmp

Filesize
272KB

Download
memory/2176-2-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2176-0-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/2176-41-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2620-21-0x000007FEEDC80000-0x000007FEEE61D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-16-0x000007FEEDC80000-0x000007FEEE61D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-14-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2620-15-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2620-13-0x000007FEEDF3E000-0x000007FEEDF3F000-memory.dmp

Filesize
4KB

Download
memory/2620-17-0x000007FEEDC80000-0x000007FEEE61D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-20-0x000007FEEDC80000-0x000007FEEE61D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-19-0x000007FEEDC80000-0x000007FEEE61D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-18-0x000007FEEDC80000-0x000007FEEE61D000-memory.dmp

Filesize
9.6MB

Download
memory/2812-27-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2812-28-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download