Overview

overview

8

Static

static

ig.bin.exe

windows7_x64

8

ig.bin.exe

windows10_x64

8

Analysis

  • max time kernel
    136s
  • max time network
    138s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    05-01-2021 17:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ig.bin.exe

  • Size

    21KB

  • MD5

    d10baf3651281f8d8ba87c5e824c31af

  • SHA1

    2674f1891609f04d576cf295a6c4bc004488357a

  • SHA256

    4940614325f6ba206d9eab2b1b82af37e9f662a3b9c97eff00a7a398169e22fa

  • SHA512

    1c0d6f387d44c4c4097ebc65f477d9b1728e76a9aac7e6d7c3768e7c3ebddfe6e65611693e2c93a873ca198b2fe31cc13a01b43cbff3a01ca9200f8d7e8757a8

Score
8/10
ransomwarespyware

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 341 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ig.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\ig.bin.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:644
    • \??\c:\windows\system32\cmstp.exe
      "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\rrqjwrx5.inf
      2⤵
        PID:3768
    • C:\Windows\system32\cmd.exe
      cmd /c start C:\Windows\temp\k0hsi4cj.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3172
      • C:\Windows\temp\k0hsi4cj.exe
        C:\Windows\temp\k0hsi4cj.exe
        2⤵
        • Executes dropped EXE
        • Modifies extensions of user files
        • Suspicious use of AdjustPrivilegeToken
        PID:2836
    • C:\Windows\system32\taskkill.exe
      taskkill /IM cmstp.exe /F
      1⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:584

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ig.bin.exe.log
      MD5

      d63ff49d7c92016feb39812e4db10419

      SHA1

      2307d5e35ca9864ffefc93acf8573ea995ba189b

      SHA256

      375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

      SHA512

      00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

      Download Submit
    • C:\Windows\Temp\k0hsi4cj.exe
      MD5

      d166f7842ec4262f5449b71e7204adf9

      SHA1

      13e771dca99f3fd2350fa4342f4b04dccb5f04a0

      SHA256

      18e8c2a8bc25746a1ed208445ae68144e95227a25774e5802e560c09874a3e82

      SHA512

      98a5e7b2920031c5423603dbb2be36f69c2ee590ec6926f7487b88c041925035f89442a98a1b77670ecd8d10f6b2d76c05db1411348ce2c2594d4c32cdd44c4f

      Download Submit
    • C:\Windows\temp\k0hsi4cj.exe
      MD5

      d166f7842ec4262f5449b71e7204adf9

      SHA1

      13e771dca99f3fd2350fa4342f4b04dccb5f04a0

      SHA256

      18e8c2a8bc25746a1ed208445ae68144e95227a25774e5802e560c09874a3e82

      SHA512

      98a5e7b2920031c5423603dbb2be36f69c2ee590ec6926f7487b88c041925035f89442a98a1b77670ecd8d10f6b2d76c05db1411348ce2c2594d4c32cdd44c4f

      Download Submit
    • C:\Windows\temp\rrqjwrx5.inf
      MD5

      8c73f25a87e99a656aceaa4a1bd01bce

      SHA1

      6097429bbdf64edd52a6e51a99c83e0efadba6e2

      SHA256

      9571554d2ca05dd1aefa5c29793af8f5e7b09f608ac6fe4d976a3c431173f133

      SHA512

      e86288eb0f267591279329afb80049f5c3940c464243d0bac4216177d67ae136d9f402d3fe7a4c5bc3bbc7a56494e32abc89ee2aa4465c11d271b603299c0bf7

      Download Submit
    • memory/644-3-0x0000000000530000-0x0000000000531000-memory.dmp
      Filesize

      4KB

      Download
    • memory/644-2-0x00007FFC34C00000-0x00007FFC355EC000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/2836-20-0x0000000005E40000-0x0000000005E41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2836-13-0x0000000000000000-mapping.dmp
      Download
    • memory/2836-14-0x0000000000000000-mapping.dmp
      Download
    • memory/2836-17-0x0000000073DC0000-0x00000000744AE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2836-18-0x0000000000F40000-0x0000000000F41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2836-21-0x0000000005940000-0x0000000005941000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2836-22-0x0000000005A20000-0x0000000005A21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3768-11-0x000002226D360000-0x000002226D361000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3768-7-0x000002226D330000-0x000002226D331000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3768-5-0x0000000000000000-mapping.dmp
      Download