Overview

overview

10

Static

static

10

be1f6aa3d2...le.exe

windows7_x64

8

be1f6aa3d2...le.exe

windows10_x64

8

Analysis

  • max time kernel
    112s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    24-12-2020 11:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe

  • Size

    425KB

  • MD5

    c486aedae4bb88c1bd5064f12df7e188

  • SHA1

    9880e8a0655cf1d0dad855703b85e1bb9bd4db82

  • SHA256

    be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde

  • SHA512

    fbcccfbc92782740ad542038b2ae3b0d6926d87deeaed6f25dbcf1db4bc00a36af1fe8e74a642fd6a40ee625199b210fad119afbc2a5b7c87c96f603343b2f16

Score
8/10
ransomwarespyware

Malware Config

Signatures

  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Drops desktop.ini file(s) 35 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\be1f6aa3d2c2d61721aa96d8530a65387591252248de520ffed4bfdde0368dde.bin.sample.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    PID:1068
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:744
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:204
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:275466 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1760

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\YOUR_FILES_ARE_ENCRYPTED.HTML
    MD5

    6778b2816344ffb5c9595dbe9baf8278

    SHA1

    c67830e74ba0fdd2a45fa228e1a15f60fa2a7f61

    SHA256

    f053d371385a99ad526f92986e872fbbb247fdfce43b3cb1bd166a9a119e02df

    SHA512

    af9c9b1b0391aa4114ada57f566a82ffbb14bde81970b99d95d587632dfd5e071d405801ab5a76354b187b23c9e8e939f967767d47e4ce62ca994edef82ab223

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\YOUR_FILES_ARE_ENCRYPTED.HTML
    MD5

    6778b2816344ffb5c9595dbe9baf8278

    SHA1

    c67830e74ba0fdd2a45fa228e1a15f60fa2a7f61

    SHA256

    f053d371385a99ad526f92986e872fbbb247fdfce43b3cb1bd166a9a119e02df

    SHA512

    af9c9b1b0391aa4114ada57f566a82ffbb14bde81970b99d95d587632dfd5e071d405801ab5a76354b187b23c9e8e939f967767d47e4ce62ca994edef82ab223

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\YOUR_FILES_ARE_ENCRYPTED.HTML
    MD5

    6778b2816344ffb5c9595dbe9baf8278

    SHA1

    c67830e74ba0fdd2a45fa228e1a15f60fa2a7f61

    SHA256

    f053d371385a99ad526f92986e872fbbb247fdfce43b3cb1bd166a9a119e02df

    SHA512

    af9c9b1b0391aa4114ada57f566a82ffbb14bde81970b99d95d587632dfd5e071d405801ab5a76354b187b23c9e8e939f967767d47e4ce62ca994edef82ab223

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\H4AAY2AR.txt
    MD5

    839ad1dc20362e030ad901672375e51d

    SHA1

    0ce94608ba170892b56a700bc7a213e268071b9c

    SHA256

    9b0eab81dbf0aeb8ba8e68eb7390c20fb1d7cfc9a5b2c380ab9d94cd42c8fb89

    SHA512

    76905537022eaf580eae6c7143bd3f5d695eabd6d5518d734e9498bb5585d34003947e8219d6160487395319b1b863f49ba8414543f9efb22bde7b0b9d4fa5ca

    Download Submit

  • C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML
    MD5

    6778b2816344ffb5c9595dbe9baf8278

    SHA1

    c67830e74ba0fdd2a45fa228e1a15f60fa2a7f61

    SHA256

    f053d371385a99ad526f92986e872fbbb247fdfce43b3cb1bd166a9a119e02df

    SHA512

    af9c9b1b0391aa4114ada57f566a82ffbb14bde81970b99d95d587632dfd5e071d405801ab5a76354b187b23c9e8e939f967767d47e4ce62ca994edef82ab223

    Download Submit

  • memory/204-3-0x0000000000000000-mapping.dmp

    Download

  • memory/1732-2-0x000007FEF7E60000-0x000007FEF80DA000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1760-5-0x0000000000000000-mapping.dmp

    Download