Analysis
-
max time kernel
88s -
max time network
8s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
20-10-2020 18:23
Static task
static1
Behavioral task
behavioral1
Sample
shell.bin.exe
Resource
win7v200722
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
shell.bin.exe
Resource
win10v200722
windows10_x64
0 signatures
0 seconds
General
-
Target
shell.bin.exe
-
Size
403KB
-
MD5
4c64b7afcf85249f09da741c700eabb1
-
SHA1
18286de90456e26005c346430d1891522a8b985b
-
SHA256
644704ae267daa0f81613569ade954ad2c308031d55e9480501a6afc1ccea83f
-
SHA512
17dece78cd2315202783caa07179028dc3eda5415e69581b8ee57bbebdc72a89d93d6e547082129eece9c0d11f82285cfa00d7da97aa87a0f9f912e692519cfa
Score
8/10
Malware Config
Signatures
-
Modifies extensions of user files 45 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
shell.bin.exedescription ioc process File renamed C:\Users\Admin\Pictures\FindRead.crw.bak.32aa => C:\Users\Admin\Pictures\FindRead.crw.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\RevokeFormat.tif.bak.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\RemoveUnregister.tiff shell.bin.exe File opened for modification C:\Users\Admin\Pictures\EnterAdd.tif.32aa shell.bin.exe File renamed C:\Users\Admin\Pictures\MoveUnprotect.png.bak.32aa => C:\Users\Admin\Pictures\MoveUnprotect.png.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\NewSkip.png.bak.32aa shell.bin.exe File renamed C:\Users\Admin\Pictures\DenyEnable.png => C:\Users\Admin\Pictures\DenyEnable.png.bak.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\EnterAdd.tif.bak.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\RequestUnprotect.tif.bak.32aa shell.bin.exe File renamed C:\Users\Admin\Pictures\RemoveUnregister.tiff.bak.32aa => C:\Users\Admin\Pictures\RemoveUnregister.tiff.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\MoveUnprotect.png.bak.32aa shell.bin.exe File renamed C:\Users\Admin\Pictures\RemoveUnregister.tiff => C:\Users\Admin\Pictures\RemoveUnregister.tiff.bak.32aa shell.bin.exe File renamed C:\Users\Admin\Pictures\NewSkip.png.bak.32aa => C:\Users\Admin\Pictures\NewSkip.png.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\RemoveComplete.raw.bak.32aa shell.bin.exe File renamed C:\Users\Admin\Pictures\SyncSwitch.raw => C:\Users\Admin\Pictures\SyncSwitch.raw.bak.32aa shell.bin.exe File renamed C:\Users\Admin\Pictures\SyncSwitch.raw.bak.32aa => C:\Users\Admin\Pictures\SyncSwitch.raw.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\FindRead.crw.bak.32aa shell.bin.exe File renamed C:\Users\Admin\Pictures\RequestUnprotect.tif => C:\Users\Admin\Pictures\RequestUnprotect.tif.bak.32aa shell.bin.exe File renamed C:\Users\Admin\Pictures\RevokeFormat.tif => C:\Users\Admin\Pictures\RevokeFormat.tif.bak.32aa shell.bin.exe File renamed C:\Users\Admin\Pictures\RevokeFormat.tif.bak.32aa => C:\Users\Admin\Pictures\RevokeFormat.tif.32aa shell.bin.exe File renamed C:\Users\Admin\Pictures\ExitUnlock.png.bak.32aa => C:\Users\Admin\Pictures\ExitUnlock.png.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\ExitUnlock.png.32aa shell.bin.exe File renamed C:\Users\Admin\Pictures\NewSkip.png => C:\Users\Admin\Pictures\NewSkip.png.bak.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\NewSkip.png.32aa shell.bin.exe File renamed C:\Users\Admin\Pictures\FindRead.crw => C:\Users\Admin\Pictures\FindRead.crw.bak.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\FindRead.crw.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\RevokeFormat.tif.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\SyncSwitch.raw.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\RemoveUnregister.tiff.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\DenyEnable.png.bak.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\ExitUnlock.png.bak.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\RequestUnprotect.tif.32aa shell.bin.exe File renamed C:\Users\Admin\Pictures\RemoveComplete.raw => C:\Users\Admin\Pictures\RemoveComplete.raw.bak.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\RemoveComplete.raw.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\MoveUnprotect.png.32aa shell.bin.exe File renamed C:\Users\Admin\Pictures\RemoveComplete.raw.bak.32aa => C:\Users\Admin\Pictures\RemoveComplete.raw.32aa shell.bin.exe File renamed C:\Users\Admin\Pictures\DenyEnable.png.bak.32aa => C:\Users\Admin\Pictures\DenyEnable.png.32aa shell.bin.exe File renamed C:\Users\Admin\Pictures\EnterAdd.tif => C:\Users\Admin\Pictures\EnterAdd.tif.bak.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\SyncSwitch.raw.bak.32aa shell.bin.exe File renamed C:\Users\Admin\Pictures\MoveUnprotect.png => C:\Users\Admin\Pictures\MoveUnprotect.png.bak.32aa shell.bin.exe File renamed C:\Users\Admin\Pictures\ExitUnlock.png => C:\Users\Admin\Pictures\ExitUnlock.png.bak.32aa shell.bin.exe File renamed C:\Users\Admin\Pictures\EnterAdd.tif.bak.32aa => C:\Users\Admin\Pictures\EnterAdd.tif.32aa shell.bin.exe File renamed C:\Users\Admin\Pictures\RequestUnprotect.tif.bak.32aa => C:\Users\Admin\Pictures\RequestUnprotect.tif.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\RemoveUnregister.tiff.bak.32aa shell.bin.exe File opened for modification C:\Users\Admin\Pictures\DenyEnable.png.32aa shell.bin.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
shell.bin.exedescription pid process target process PID 280 set thread context of 1608 280 shell.bin.exe shell.bin.exe -
Drops file in Program Files directory 21831 IoCs
Processes:
shell.bin.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\Templates\1033\Access\Part\2 Top.accdt shell.bin.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Publisher.en-us\Setup.xml.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0287020.WMF.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO01777_.WMF.bak.32aa shell.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.properties shell.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\Schema\com.jrockit.mc.rjmx.syntheticattribute.exsd shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\OFFICE14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTVIEW.JPG.32aa shell.bin.exe File opened for modification C:\Program Files\7-Zip\Lang\sv.txt shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PARNT_09.MID.bak.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TR00232_.WMF shell.bin.exe File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig shell.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml.32aa shell.bin.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\OFFICE14\1033\PUBSPAPR\PDIR2F.GIF.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\OFFICE14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\OFFICE14\1033\EXCEL.DEV_COL.HXT.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\OFFICE14\PUBWIZ\DGWEBPQT.XML.bak.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG.bak.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0239611.WMF.32aa shell.bin.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.bmp shell.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna shell.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\Cache\binary\com.oracle.jmc.executable.win32.win32.x86_64_5.5.0 shell.bin.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Dhaka shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02738U.BMP.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\Media\OFFICE14\BULLETS\BD21294_.GIF.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0239975.WMF.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\Media\CAGCAT10\J0291984.WMF shell.bin.exe File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedZhengMa.txt shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\OFFICE14\Groove\Certificates\groove.net\SERVERS\Management.cer shell.bin.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\THEMES14\STUDIO\THMBNAIL.PNG shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\OFFICE14\1033\PUBFTSCM\SCHEME45.CSS.bak.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\OFFICE14\1033\PUBSPAPR\ZPDIR34F.GIF.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\OFFICE14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp.bak.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0152430.WMF shell.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Bermuda shell.bin.exe File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe.sig.bak.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0198226.WMF.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00735_.WMF.bak.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB02229_.GIF shell.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rainy_River.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\OFFICE14\1033\MSPUB.DEV_K_COL.HXK.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\OFFICE14\1033\PUBFTSCM\SCHEME48.CSS.bak.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0152694.WMF.bak.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE02522_.WMF.bak.32aa shell.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ko.properties.bak.32aa shell.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html shell.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html shell.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\Modules\locale\org-netbeans-modules-profiler-snaptracer_zh_CN.jar.32aa shell.bin.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\vlc.mo.32aa shell.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kamchatka.bak.32aa shell.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\Media\OFFICE14\AUTOSHAP\BD18224_.WMF shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TN00234_.WMF shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA00487_.WMF.32aa shell.bin.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_hov.png shell.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core_2.3.0.v20131211-1531.jar.bak.32aa shell.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\Modules\com-sun-tools-visualvm-profiling.jar shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO02261_.WMF.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\OFFICE14\Groove\ToolIcons\SpaceSelector.ico.32aa shell.bin.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\images\hint_down.png shell.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\leftnav.gif.32aa shell.bin.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar.bak.32aa shell.bin.exe File opened for modification C:\Program Files\Microsoft Office\CLIPART\PUB60COR\FD02116_.WMF shell.bin.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
shell.bin.exeshell.bin.exedescription pid process Token: SeDebugPrivilege 280 shell.bin.exe Token: SeDebugPrivilege 1608 shell.bin.exe Token: SeDebugPrivilege 1608 shell.bin.exe Token: SeDebugPrivilege 1608 shell.bin.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
shell.bin.exedescription pid process target process PID 280 wrote to memory of 1608 280 shell.bin.exe shell.bin.exe PID 280 wrote to memory of 1608 280 shell.bin.exe shell.bin.exe PID 280 wrote to memory of 1608 280 shell.bin.exe shell.bin.exe PID 280 wrote to memory of 1608 280 shell.bin.exe shell.bin.exe PID 280 wrote to memory of 1608 280 shell.bin.exe shell.bin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\shell.bin.exe"C:\Users\Admin\AppData\Local\Temp\shell.bin.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\shell.bin.exeC:\Users\Admin\AppData\Local\Temp\shell.bin.exe2⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1608-0-0x00000000004014E0-mapping.dmp