cf8844cbd945f7e42a001758cd9807776cf219902b802f2860ac2b59b4282967

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

w.exe
Size

147KB
MD5

a076dd9346194f5ce76c015fe9daae49
SHA1

395393bde77493a8ca1df57e1c10466f0c45a2b5
SHA256

cf8844cbd945f7e42a001758cd9807776cf219902b802f2860ac2b59b4282967
SHA512

04c086a9cebb6f0bac69e4a68097e8bd6a539683c947ccad1c4e15601d4c25547c8756fdeeb8e45708915f74393fe91a38af05657d3ae13f374d2e390df812d4
SSDEEP

1536:9zICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDu+OBVJ8wRy+k3E7WYQWEZHUyz:uqJogYkcSNm9V7DxOnJ8OyRU7WYaHT

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\lYEPThbqY.README.txt

Ransom Note

------Dear managers!------ If you are reading this, it means your network has been attacked. What does that mean? We hacked your network and now all your files, documents, client database, projects and other important data safely encrypted with reliable algorithms. we also have a copy of all your data. WARNING!!! You don't have to go to the POLICE, etc. Otherwise we will not be able to help you. You cannot acces the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. As proof, we can decrypt any 3 files you provide. We are not interested to ruin your business. We want to get ransom and be happy. Please bring this information to your team leaders as soon as possible. In case of a successfull transaction, we will restore your systems within 4-6 hours and also provide security recommendations. -----------------------WARNING----------------------- If you modify files - our decrypt software won't able to recover data If you use third party software - you can damage/modify files (see item 1) You nedd cipher key / our decrypt software to restore you files. The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -----------------------RECOVERY----------------------- Use email: [email protected] (Alternate email address: [email protected]) You personal ID: 995619885677

Emails

[email protected]

Signatures

Renames multiple (348) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

387E.tmp

pid process

2196 387E.tmp
Executes dropped EXE 1 IoCs

Processes:

387E.tmp

pid process

2196 387E.tmp
Loads dropped DLL 1 IoCs

Processes:

w.exe

pid process

1752 w.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1752	w.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

w.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1340930862-1405011213-2821322012-1000\desktop.ini	w.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1340930862-1405011213-2821322012-1000\desktop.ini	w.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

387E.tmp

pid process

2196 387E.tmp
Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

w.exe

pid process

1752 w.exe
1752 w.exe
1752 w.exe
1752 w.exe
1752 w.exe
1752 w.exe
1752 w.exe
1752 w.exe
1752 w.exe
1752 w.exe
1752 w.exe
1752 w.exe

pid	process
1752	w.exe
1752	w.exe
1752	w.exe
1752	w.exe
1752	w.exe
1752	w.exe
1752	w.exe
1752	w.exe
1752	w.exe
1752	w.exe
1752	w.exe
1752	w.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

387E.tmp

pid	process
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp
2196	387E.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

w.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeDebugPrivilege	1752	w.exe
Token: 36	1752	w.exe
Token: SeImpersonatePrivilege	1752	w.exe
Token: SeIncBasePriorityPrivilege	1752	w.exe
Token: SeIncreaseQuotaPrivilege	1752	w.exe
Token: 33	1752	w.exe
Token: SeManageVolumePrivilege	1752	w.exe
Token: SeProfSingleProcessPrivilege	1752	w.exe
Token: SeRestorePrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeSystemProfilePrivilege	1752	w.exe
Token: SeTakeOwnershipPrivilege	1752	w.exe
Token: SeShutdownPrivilege	1752	w.exe
Token: SeDebugPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeBackupPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe
Token: SeSecurityPrivilege	1752	w.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

w.exe387E.tmp

description	pid	process	target process
PID 1752 wrote to memory of 2196	1752	w.exe	387E.tmp
PID 1752 wrote to memory of 2196	1752	w.exe	387E.tmp
PID 1752 wrote to memory of 2196	1752	w.exe	387E.tmp
PID 1752 wrote to memory of 2196	1752	w.exe	387E.tmp
PID 1752 wrote to memory of 2196	1752	w.exe	387E.tmp
PID 2196 wrote to memory of 1160	2196	387E.tmp	cmd.exe
PID 2196 wrote to memory of 1160	2196	387E.tmp	cmd.exe
PID 2196 wrote to memory of 1160	2196	387E.tmp	cmd.exe
PID 2196 wrote to memory of 1160	2196	387E.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\w.exe
"C:\Users\Admin\AppData\Local\Temp\w.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\ProgramData\387E.tmp
"C:\ProgramData\387E.tmp"
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\387E.tmp >> NUL
3⤵
PID:1160

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
1⤵
PID:2404

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1340930862-1405011213-2821322012-1000\desktop.ini
Filesize
129B

MD5
eb46c087f9a1db75204edd67d09c09c0

SHA1
dd4e5daa53b465e6e288199acc5cd4b29f715bd4

SHA256
9f7aa7f211cfc579501d97f6aa857fe1a3edd6c3a884b809986510a7deb14715

SHA512
2b10315e85c93a5c4a7496043ea973ad9bfa8d8a51f00a8056ef2d5003e639943cad7f5480aad21c3d987380d279f16fdab7ab97380caa0083e3802fa619272d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDD
Filesize
147KB

MD5
3a22ebb98d78492052781540701310c1

SHA1
2c3f373837e23cf65e1f3b07eb22212f909fe530

SHA256
2de37cc4093a8287b00f4a35cfc13f4730952db42bb159aefbe7ffc533aadff4

SHA512
c815a81b2fb5c7a3d07d98ba4ed3d3b8cee0c0c35f91c0c42d94f9905706bcb43f696dda24fca1148dd9a690af734127fa43c4894776d7169bdfa7e2cd8ee969

Download Submit
C:\lYEPThbqY.README.txt
Filesize
1KB

MD5
dacad7942139d7c0f4dafab58837d7a2

SHA1
424261a69795e01741eb143419e36ef52421a2d0

SHA256
4925fdf22c5e0935ccf5f989085508dd64f0cb2ed0efa0d22a571117d0e70c2a

SHA512
75ac3030fa5b60c5335244d966470e4e5c68c3a94adfa464a7804cf98fc891fefc8c50d85dc1163b350990a6a4007d83996efd7034e9f9e38a9ea65fe392dfb6

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1340930862-1405011213-2821322012-1000\CCCCCCCCCCC
Filesize
129B

MD5
1f535308ba04800eef1d43eaedc0921c

SHA1
c90524f4c627551dccba567ebe6c27104c8d3e3d

SHA256
d218a5851afb7e9c6e8442079c19b1b0de01ef0fb9e1602cafc649bb6762c8a8

SHA512
7649ff40695304b9588f1670773342d929400d61cdf39e58c06e2e62336e0cb1dd35fdf92d0d3ec484f5a67bef75acc43e0b4eaf5a28dffad5b69ab74180f148

Download Submit
\ProgramData\387E.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1752-0-0x0000000000110000-0x0000000000150000-memory.dmp

Filesize
256KB

Download
memory/2196-861-0x0000000000380000-0x00000000003C0000-memory.dmp

Filesize
256KB

Download
memory/2196-864-0x0000000000380000-0x00000000003C0000-memory.dmp

Filesize
256KB

Download
memory/2196-866-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/2196-865-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/2196-859-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/2196-892-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/2196-893-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads