Overview

overview

8

Static

static

ig.bin.exe

windows7_x64

8

ig.bin.exe

windows10_x64

8

Analysis

  • max time kernel
    151s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    05-01-2021 17:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ig.bin.exe

  • Size

    21KB

  • MD5

    d10baf3651281f8d8ba87c5e824c31af

  • SHA1

    2674f1891609f04d576cf295a6c4bc004488357a

  • SHA256

    4940614325f6ba206d9eab2b1b82af37e9f662a3b9c97eff00a7a398169e22fa

  • SHA512

    1c0d6f387d44c4c4097ebc65f477d9b1728e76a9aac7e6d7c3768e7c3ebddfe6e65611693e2c93a873ca198b2fe31cc13a01b43cbff3a01ca9200f8d7e8757a8

Score
8/10
ransomwarespyware

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7597 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ig.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\ig.bin.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1852
    • \??\c:\windows\system32\cmstp.exe
      "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\krmsbjoq.inf
      2⤵
        PID:1472
    • C:\Windows\system32\cmd.exe
      cmd /c start C:\Windows\temp\e5klrvoj.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Windows\temp\e5klrvoj.exe
        C:\Windows\temp\e5klrvoj.exe
        2⤵
        • Executes dropped EXE
        • Modifies extensions of user files
        • Suspicious behavior: CmdExeWriteProcessMemorySpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1704
    • C:\Windows\system32\taskkill.exe
      taskkill /IM cmstp.exe /F
      1⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1696
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\StartInitialize.png.ZIEBF_4561drgf
      1⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:336
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\StartInitialize.png.ZIEBF_4561drgf
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:1656

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\Desktop\StartInitialize.png.ZIEBF_4561drgf
      MD5

      c0af4b7095c1e4ca667985edadcdf098

      SHA1

      7797290e44549668e564316d3d1671ce10aefacd

      SHA256

      dc62689935562661b3d040a3558497eeff991e79f7cd6e4436f9a6a0f1e87694

      SHA512

      d36bab1d3d34e438d819e1e211943609e70907ee754e1e5a1eb30018322f3cd54c78f98441b17e17cce52f76aff9135ddea98a2d70cefa1fc64f61dbb42252fe

      Download Submit
    • C:\Windows\Temp\e5klrvoj.exe
      MD5

      d166f7842ec4262f5449b71e7204adf9

      SHA1

      13e771dca99f3fd2350fa4342f4b04dccb5f04a0

      SHA256

      18e8c2a8bc25746a1ed208445ae68144e95227a25774e5802e560c09874a3e82

      SHA512

      98a5e7b2920031c5423603dbb2be36f69c2ee590ec6926f7487b88c041925035f89442a98a1b77670ecd8d10f6b2d76c05db1411348ce2c2594d4c32cdd44c4f

      Download Submit
    • C:\Windows\temp\e5klrvoj.exe
      MD5

      d166f7842ec4262f5449b71e7204adf9

      SHA1

      13e771dca99f3fd2350fa4342f4b04dccb5f04a0

      SHA256

      18e8c2a8bc25746a1ed208445ae68144e95227a25774e5802e560c09874a3e82

      SHA512

      98a5e7b2920031c5423603dbb2be36f69c2ee590ec6926f7487b88c041925035f89442a98a1b77670ecd8d10f6b2d76c05db1411348ce2c2594d4c32cdd44c4f

      Download Submit
    • C:\Windows\temp\krmsbjoq.inf
      MD5

      a14011064139902e0f8c460252229be3

      SHA1

      5f9de92db992c0de8c20334e9f370b6097865aee

      SHA256

      31a9cb030be28ef97c8c4400df794879051f6bb1dff993ea8629fdc7209dd6c2

      SHA512

      4eb6fd20cb700c2729b0d91e8218035600e9a618c71e21e15195c1b7ccdaade9f3acd1d8f8497426c55b3a22254121dd2f6875fa47db2bd5f6428abf8a29acb5

      Download Submit
    • memory/1472-5-0x0000000000000000-mapping.dmp
      Download
    • memory/1656-23-0x0000000000000000-mapping.dmp
      Download
    • memory/1696-25-0x000007FEF5620000-0x000007FEF589A000-memory.dmp
      Filesize

      2.5MB

      Download
    • memory/1704-17-0x0000000000000000-mapping.dmp
      Download
    • memory/1704-18-0x0000000000000000-mapping.dmp
      Download
    • memory/1704-20-0x00000000743D0000-0x0000000074ABE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1704-21-0x0000000000800000-0x0000000000801000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1852-2-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/1852-3-0x00000000010C0000-0x00000000010C1000-memory.dmp
      Filesize

      4KB

      Download