Analysis
- max time kernel: 21s
- max time network: 17s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 20-01-2021 08:55
Static task: static1
Behavioral task: behavioral1
- Sample: 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
- Resource: win10v20201028
General
- Target: 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
- Size: 27KB
- MD5: 015e93d82958f4edbc4c8807eeefc430
- SHA1: 9517634369b86197f14ae25ffa69a138ab6fe446
- SHA256: 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6
- SHA512: fa9fc3f5565eb6f84331fb068b70b110aefd87d73ec5c9fabda0819886dca3617dbe4b712eda1a68254352f931cd6bca6c4878d515a793697ae410e19884ebbd
Malware Config
- Extracted: C:\MSOCache\DECR.TXT
Signatures
- Modifies extensions of user files (9 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
Process: 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
- File renamed: C:\Users\Admin\Pictures\EnterRequest.raw => C:\Users\Admin\Pictures\EnterRequest.raw.__NIST_K571__
- File renamed: C:\Users\Admin\Pictures\OpenEnter.tif => C:\Users\Admin\Pictures\OpenEnter.tif.__NIST_K571__
- File renamed: C:\Users\Admin\Pictures\WatchRename.png => C:\Users\Admin\Pictures\WatchRename.png.__NIST_K571__
- File opened for modification: C:\Users\Admin\Pictures\DisconnectMeasure.tiff
- File renamed: C:\Users\Admin\Pictures\DisconnectMeasure.tiff => C:\Users\Admin\Pictures\DisconnectMeasure.tiff.__NIST_K571__
- File renamed: C:\Users\Admin\Pictures\ExportGroup.png => C:\Users\Admin\Pictures\ExportGroup.png.__NIST_K571__
- File renamed: C:\Users\Admin\Pictures\FindAdd.png => C:\Users\Admin\Pictures\FindAdd.png.__NIST_K571__
- File renamed: C:\Users\Admin\Pictures\FormatSend.crw => C:\Users\Admin\Pictures\FormatSend.crw.__NIST_K571__
- File renamed: C:\Users\Admin\Pictures\RenameConnect.tif => C:\Users\Admin\Pictures\RenameConnect.tif.__NIST_K571__
- Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- Suspicious behavior: EnumeratesProcesses (114 IoCs)
Processes:
- 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe (pid 1108)
Processes
- C:\Users\Admin\AppData\Local\Temp\06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe"
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1108-2-0x00000000760D1000-0x00000000760D3000-memory.dmp (Filesize: 8KB)