Overview

overview

8

Static

static

ig.bin.exe

windows7_x64

8

ig.bin.exe

windows10_x64

8

Analysis

  • max time kernel
    151s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    05/01/2021, 17:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ig.bin.exe

  • Size

    21KB

  • MD5

    d10baf3651281f8d8ba87c5e824c31af

  • SHA1

    2674f1891609f04d576cf295a6c4bc004488357a

  • SHA256

    4940614325f6ba206d9eab2b1b82af37e9f662a3b9c97eff00a7a398169e22fa

  • SHA512

    1c0d6f387d44c4c4097ebc65f477d9b1728e76a9aac7e6d7c3768e7c3ebddfe6e65611693e2c93a873ca198b2fe31cc13a01b43cbff3a01ca9200f8d7e8757a8

Score
8/10
ransomwarespyware

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7597 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ig.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\ig.bin.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1852
    • \??\c:\windows\system32\cmstp.exe
      "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\krmsbjoq.inf
      2⤵
        PID:1472
    • C:\Windows\system32\cmd.exe
      cmd /c start C:\Windows\temp\e5klrvoj.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Windows\temp\e5klrvoj.exe
        C:\Windows\temp\e5klrvoj.exe
        2⤵
        • Executes dropped EXE
        • Modifies extensions of user files
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1704
    • C:\Windows\system32\taskkill.exe
      taskkill /IM cmstp.exe /F
      1⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1696
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\StartInitialize.png.ZIEBF_4561drgf
      1⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:336
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\StartInitialize.png.ZIEBF_4561drgf
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:1656

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1696-25-0x000007FEF5620000-0x000007FEF589A000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/1704-20-0x00000000743D0000-0x0000000074ABE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1704-21-0x0000000000800000-0x0000000000801000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1852-2-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1852-3-0x00000000010C0000-0x00000000010C1000-memory.dmp

      Filesize

      4KB

      Download