Analysis
- max time kernel: 150s
- max time network: 13s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 24-12-2020 13:18

Static task: static1

Behavioral task: behavioral1
- Sample: ransome.bin.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: ransome.bin.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: ransome.bin.exe
- Size: 356KB
- MD5: 3fefd7ead4d1e2c95acb04f2452660cc
- SHA1: 89e435274b2fd76e2a2ac2c55a3204fd8a19ca4a
- SHA256: a2043ce3176f7789fe5990b614a2cca4578a28fc789e0ce31fec93da9398691b
- SHA512: 21b8e7d2021f14f19d4005012714afd028335753c8f13abb4c4650cdc66a1be9c436a0daebc3fb7664fae14b508edf4519b5271e2efc77b8e78f5a665d3eca73
- Score: 5/10

Malware Config

Signatures
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: ransome.bin.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\Back.jpg" (process: ransome.bin.exe)
Drops file in Program Files directory (3866 IoCs)
Processes: ransome.bin.exe
Kills process with taskkill (6 IoCs)
Processes: taskkill.exe
- pid 1196 taskkill.exe
- pid 1980 taskkill.exe
- pid 1784 taskkill.exe
- pid 1776 taskkill.exe
- pid 1716 taskkill.exe
- pid 1028 taskkill.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: taskkill.exe
- Token: SeDebugPrivilege, pid 1196 taskkill.exe
- Token: SeDebugPrivilege, pid 1028 taskkill.exe
- Token: SeDebugPrivilege, pid 1716 taskkill.exe
- Token: SeDebugPrivilege, pid 1776 taskkill.exe
- Token: SeDebugPrivilege, pid 1784 taskkill.exe
- Token: SeDebugPrivilege, pid 1980 taskkill.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: ransome.bin.exe
- pid 476 ransome.bin.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Processes: ransome.bin.exe
- PID 476 (ransome.bin.exe) wrote to memory of 1196 (taskkill.exe), 4 times
- PID 476 (ransome.bin.exe) wrote to memory of 1980 (taskkill.exe), 4 times
- PID 476 (ransome.bin.exe) wrote to memory of 1028 (taskkill.exe), 4 times
- PID 476 (ransome.bin.exe) wrote to memory of 1784 (taskkill.exe), 4 times
- PID 476 (ransome.bin.exe) wrote to memory of 1776 (taskkill.exe), 4 times
- PID 476 (ransome.bin.exe) wrote to memory of 1716 (taskkill.exe), 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\ransome.bin.exe (command line: "C:\Users\Admin\AppData\Local\Temp\ransome.bin.exe")
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\taskkill.exe (command line: taskkill /F /IM explorer.exe)
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (command line: taskkill /F /IM Microsoft.Exchange)
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (command line: taskkill /F /IM sqlserver.exe)
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (command line: taskkill /F /IM sqlwriter.exe)
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (command line: taskkill /F /IM mysqld.exe)
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (command line: taskkill /F /IM MSExchange)
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1028-4-0x0000000000000000-mapping.dmp
- memory/1196-2-0x0000000000000000-mapping.dmp
- memory/1716-7-0x0000000000000000-mapping.dmp
- memory/1776-6-0x0000000000000000-mapping.dmp
- memory/1784-5-0x0000000000000000-mapping.dmp
- memory/1980-3-0x0000000000000000-mapping.dmp