Analysis
-
max time kernel
117s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15-12-2024 04:02
Static task
static1
Behavioral task
behavioral1
Sample
d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe
Resource
win10v2004-20241007-en
General
-
Target
d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe
-
Size
881KB
-
MD5
9049faba5517305c44bd5f28398fb6b9
-
SHA1
036c6b32f3e7d7d689c9b4d482091eebcc669bfa
-
SHA256
d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3
-
SHA512
65a33506f970675775468f80b94a3f8bb2d3672e6fb08fc9f2e5107020095ca6d4bca927c59b72488e2ef4208a64a56ced7511ea14c0445cd50ea3ff9b827f6a
-
SSDEEP
12288:I2wMm7l55+OeO+OeNhBBhhBBaELPA081o9baXpL3K+HDFgZUid4X9dCU5+Kazw4t:I2wMm7lfCIL3K+gY9dfcw4h3DX9X1
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\Decryptfiles.txt
Signatures
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Deletes itself 1 IoCs
pid Process 2212 cmd.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryptfiles.txt d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Decryptfiles.txt d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\XPSUDTARW = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe" d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe -
Drops desktop.ini file(s) 10 IoCs
description ioc Process File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2212 cmd.exe 1624 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1624 PING.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2100 d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe 2100 d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe 2100 d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2728 wmic.exe Token: SeSecurityPrivilege 2728 wmic.exe Token: SeTakeOwnershipPrivilege 2728 wmic.exe Token: SeLoadDriverPrivilege 2728 wmic.exe Token: SeSystemProfilePrivilege 2728 wmic.exe Token: SeSystemtimePrivilege 2728 wmic.exe Token: SeProfSingleProcessPrivilege 2728 wmic.exe Token: SeIncBasePriorityPrivilege 2728 wmic.exe Token: SeCreatePagefilePrivilege 2728 wmic.exe Token: SeBackupPrivilege 2728 wmic.exe Token: SeRestorePrivilege 2728 wmic.exe Token: SeShutdownPrivilege 2728 wmic.exe Token: SeDebugPrivilege 2728 wmic.exe Token: SeSystemEnvironmentPrivilege 2728 wmic.exe Token: SeRemoteShutdownPrivilege 2728 wmic.exe Token: SeUndockPrivilege 2728 wmic.exe Token: SeManageVolumePrivilege 2728 wmic.exe Token: 33 2728 wmic.exe Token: 34 2728 wmic.exe Token: 35 2728 wmic.exe Token: SeIncreaseQuotaPrivilege 2728 wmic.exe Token: SeSecurityPrivilege 2728 wmic.exe Token: SeTakeOwnershipPrivilege 2728 wmic.exe Token: SeLoadDriverPrivilege 2728 wmic.exe Token: SeSystemProfilePrivilege 2728 wmic.exe Token: SeSystemtimePrivilege 2728 wmic.exe Token: SeProfSingleProcessPrivilege 2728 wmic.exe Token: SeIncBasePriorityPrivilege 2728 wmic.exe Token: SeCreatePagefilePrivilege 2728 wmic.exe Token: SeBackupPrivilege 2728 wmic.exe Token: SeRestorePrivilege 2728 wmic.exe Token: SeShutdownPrivilege 2728 wmic.exe Token: SeDebugPrivilege 2728 wmic.exe Token: SeSystemEnvironmentPrivilege 2728 wmic.exe Token: SeRemoteShutdownPrivilege 2728 wmic.exe Token: SeUndockPrivilege 2728 wmic.exe Token: SeManageVolumePrivilege 2728 wmic.exe Token: 33 2728 wmic.exe Token: 34 2728 wmic.exe Token: 35 2728 wmic.exe Token: SeBackupPrivilege 2136 vssvc.exe Token: SeRestorePrivilege 2136 vssvc.exe Token: SeAuditPrivilege 2136 vssvc.exe Token: SeIncreaseQuotaPrivilege 2548 wmic.exe Token: SeSecurityPrivilege 2548 wmic.exe Token: SeTakeOwnershipPrivilege 2548 wmic.exe Token: SeLoadDriverPrivilege 2548 wmic.exe Token: SeSystemProfilePrivilege 2548 wmic.exe Token: SeSystemtimePrivilege 2548 wmic.exe Token: SeProfSingleProcessPrivilege 2548 wmic.exe Token: SeIncBasePriorityPrivilege 2548 wmic.exe Token: SeCreatePagefilePrivilege 2548 wmic.exe Token: SeBackupPrivilege 2548 wmic.exe Token: SeRestorePrivilege 2548 wmic.exe Token: SeShutdownPrivilege 2548 wmic.exe Token: SeDebugPrivilege 2548 wmic.exe Token: SeSystemEnvironmentPrivilege 2548 wmic.exe Token: SeRemoteShutdownPrivilege 2548 wmic.exe Token: SeUndockPrivilege 2548 wmic.exe Token: SeManageVolumePrivilege 2548 wmic.exe Token: 33 2548 wmic.exe Token: 34 2548 wmic.exe Token: 35 2548 wmic.exe Token: SeIncreaseQuotaPrivilege 2548 wmic.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2100 wrote to memory of 2728 2100 d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe 30 PID 2100 wrote to memory of 2728 2100 d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe 30 PID 2100 wrote to memory of 2728 2100 d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe 30 PID 2100 wrote to memory of 2728 2100 d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe 30 PID 2100 wrote to memory of 2548 2100 d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe 36 PID 2100 wrote to memory of 2548 2100 d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe 36 PID 2100 wrote to memory of 2548 2100 d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe 36 PID 2100 wrote to memory of 2548 2100 d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe 36 PID 2100 wrote to memory of 2212 2100 d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe 37 PID 2100 wrote to memory of 2212 2100 d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe 37 PID 2100 wrote to memory of 2212 2100 d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe 37 PID 2100 wrote to memory of 2212 2100 d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe 37 PID 2212 wrote to memory of 1624 2212 cmd.exe 40 PID 2212 wrote to memory of 1624 2212 cmd.exe 40 PID 2212 wrote to memory of 1624 2212 cmd.exe 40 PID 2212 wrote to memory of 1624 2212 cmd.exe 40 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe"C:\Users\Admin\AppData\Local\Temp\d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2100 -
\??\c:\Windows\system32\wbem\wmic.exec:\VQENMJ\VQEN\..\..\Windows\VQEN\VQEN\..\..\system32\VQEN\VQEN\..\..\wbem\VQEN\VQENM\..\..\wmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728
-
-
\??\c:\Windows\system32\wbem\wmic.exec:\sQhpKI\sQhp\..\..\Windows\sQhp\sQhp\..\..\system32\sQhp\sQhp\..\..\wbem\sQhp\sQhpK\..\..\wmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2548
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\d2100ffe58eb50c05d97a3da738ccd1f0be9672c057c26a10140af80595b78c3.exe"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1624
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2136
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5b39bd748f7464f1c02a856aeb7117a03
SHA1397aafccfd7992b50eb70e4ec21a9fe18cf7dbef
SHA256388ebe1fff279cb8c6cff13c400c9dfdf37d7b291fc69082566075975d007652
SHA512d003457a03caa3d7e400370f9576d30501eacdd9f76be98304d35583df560ef4b4a80b63b5177bdef20594a2d9482a485370c5727263ac4f136b13c7029060af