Analysis

- max time kernel: 151s
- max time network: 135s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 05-01-2021 17:52

Tasks:
- Static task static1
- Behavioral task behavioral1: sample ig.bin.exe, resource win7v20201028
- Behavioral task behavioral2: sample ig.bin.exe, resource win10v20201028
General

- Target: ig.bin.exe
- Size: 21KB
- MD5: d10baf3651281f8d8ba87c5e824c31af
- SHA1: 2674f1891609f04d576cf295a6c4bc004488357a
- SHA256: 4940614325f6ba206d9eab2b1b82af37e9f662a3b9c97eff00a7a398169e22fa
- SHA512: 1c0d6f387d44c4c4097ebc65f477d9b1728e76a9aac7e6d7c3768e7c3ebddfe6e65611693e2c93a873ca198b2fe31cc13a01b43cbff3a01ca9200f8d7e8757a8
Malware Config
Signatures

- Executes dropped EXE (1 IoC)
  Processes:
    e5klrvoj.exe (PID 1704)

- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (all by e5klrvoj.exe):
    File renamed: C:\Users\Admin\Pictures\WatchHide.tif => C:\Users\Admin\Pictures\WatchHide.tif.ZIEBF_4561drgf
    File renamed: C:\Users\Admin\Pictures\GetFind.png => C:\Users\Admin\Pictures\GetFind.png.ZIEBF_4561drgf
    File renamed: C:\Users\Admin\Pictures\InitializeConvert.tiff => C:\Users\Admin\Pictures\InitializeConvert.tiff.ZIEBF_4561drgf
    File opened for modification: C:\Users\Admin\Pictures\ReadRegister.tiff
    File renamed: C:\Users\Admin\Pictures\SwitchRestart.tif => C:\Users\Admin\Pictures\SwitchRestart.tif.ZIEBF_4561drgf
    File renamed: C:\Users\Admin\Pictures\SyncOpen.png => C:\Users\Admin\Pictures\SyncOpen.png.ZIEBF_4561drgf
    File renamed: C:\Users\Admin\Pictures\GrantFind.png => C:\Users\Admin\Pictures\GrantFind.png.ZIEBF_4561drgf
    File opened for modification: C:\Users\Admin\Pictures\InitializeConvert.tiff
    File renamed: C:\Users\Admin\Pictures\ReadRegister.tiff => C:\Users\Admin\Pictures\ReadRegister.tiff.ZIEBF_4561drgf

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Kills process with taskkill (1 IoC)
  Processes:
    taskkill.exe (PID 1696)

- Modifies registry class (2 IoCs)
  Processes (all by rundll32.exe):
    Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_Classes\Local Settings
    Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

- Opens file in notepad (likely ransom note) (1 IoC)
  Processes:
    NOTEPAD.EXE (PID 1656)

- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes:
    e5klrvoj.exe (PID 1704)

- Suspicious behavior: EnumeratesProcesses (7597 IoCs)
  Processes:
    ig.bin.exe (PID 1852); every listed event comes from this one process

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeDebugPrivilege, PID 1852 ig.bin.exe
    Token: SeDebugPrivilege, PID 1696 taskkill.exe
    Token: SeDebugPrivilege, PID 1704 e5klrvoj.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    ig.bin.exe (PID 1852), 2 events

- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (source process -> target process):
    PID 1852 ig.bin.exe wrote to memory of PID 1472 cmstp.exe (3 events)
    PID 1792 cmd.exe wrote to memory of PID 1704 e5klrvoj.exe (4 events)
    PID 336 rundll32.exe wrote to memory of PID 1656 NOTEPAD.EXE (3 events)
Processes

ig.bin.exe (depth 1)
  Path: C:\Users\Admin\AppData\Local\Temp\ig.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ig.bin.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child (depth 2): cmstp.exe
    Path: \??\c:\windows\system32\cmstp.exe
    Command line: "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\krmsbjoq.inf

cmd.exe (depth 1)
  Path: C:\Windows\system32\cmd.exe
  Command line: cmd /c start C:\Windows\temp\e5klrvoj.exe
  - Suspicious use of WriteProcessMemory
  Child (depth 2): e5klrvoj.exe
    Path: C:\Windows\temp\e5klrvoj.exe
    Command line: C:\Windows\temp\e5klrvoj.exe
    - Executes dropped EXE
    - Modifies extensions of user files
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken

taskkill.exe (depth 1)
  Path: C:\Windows\system32\taskkill.exe
  Command line: taskkill /IM cmstp.exe /F
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

rundll32.exe (depth 1)
  Path: C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\StartInitialize.png.ZIEBF_4561drgf
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  Child (depth 2): NOTEPAD.EXE
    Path: C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\StartInitialize.png.ZIEBF_4561drgf
    - Opens file in notepad (likely ransom note)
Downloads

- C:\Users\Admin\Desktop\StartInitialize.png.ZIEBF_4561drgf
  MD5: c0af4b7095c1e4ca667985edadcdf098
  SHA1: 7797290e44549668e564316d3d1671ce10aefacd
  SHA256: dc62689935562661b3d040a3558497eeff991e79f7cd6e4436f9a6a0f1e87694
  SHA512: d36bab1d3d34e438d819e1e211943609e70907ee754e1e5a1eb30018322f3cd54c78f98441b17e17cce52f76aff9135ddea98a2d70cefa1fc64f61dbb42252fe

- C:\Windows\Temp\e5klrvoj.exe (also listed as C:\Windows\temp\e5klrvoj.exe with identical hashes)
  MD5: d166f7842ec4262f5449b71e7204adf9
  SHA1: 13e771dca99f3fd2350fa4342f4b04dccb5f04a0
  SHA256: 18e8c2a8bc25746a1ed208445ae68144e95227a25774e5802e560c09874a3e82
  SHA512: 98a5e7b2920031c5423603dbb2be36f69c2ee590ec6926f7487b88c041925035f89442a98a1b77670ecd8d10f6b2d76c05db1411348ce2c2594d4c32cdd44c4f

- C:\Windows\temp\krmsbjoq.inf
  MD5: a14011064139902e0f8c460252229be3
  SHA1: 5f9de92db992c0de8c20334e9f370b6097865aee
  SHA256: 31a9cb030be28ef97c8c4400df794879051f6bb1dff993ea8629fdc7209dd6c2
  SHA512: 4eb6fd20cb700c2729b0d91e8218035600e9a618c71e21e15195c1b7ccdaade9f3acd1d8f8497426c55b3a22254121dd2f6875fa47db2bd5f6428abf8a29acb5

Memory dumps:
- memory/1472-5-0x0000000000000000-mapping.dmp
- memory/1656-23-0x0000000000000000-mapping.dmp
- memory/1696-25-0x000007FEF5620000-0x000007FEF589A000-memory.dmp (filesize 2.5MB)
- memory/1704-17-0x0000000000000000-mapping.dmp
- memory/1704-18-0x0000000000000000-mapping.dmp
- memory/1704-20-0x00000000743D0000-0x0000000074ABE000-memory.dmp (filesize 6.9MB)
- memory/1704-21-0x0000000000800000-0x0000000000801000-memory.dmp (filesize 4KB)
- memory/1852-2-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp (filesize 9.9MB)
- memory/1852-3-0x00000000010C0000-0x00000000010C1000-memory.dmp (filesize 4KB)