Analysis
max time kernel: 39s
max time network: 112s
platform: windows10_x64
resource: win10v20201028
submitted: 20-01-2021 08:55
Static task: static1

Behavioral task: behavioral1
Sample: 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
Resource: win7v20201028

Behavioral task: behavioral2
Sample: 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
Resource: win10v20201028
General
Target: 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
Size: 27KB
MD5: 015e93d82958f4edbc4c8807eeefc430
SHA1: 9517634369b86197f14ae25ffa69a138ab6fe446
SHA256: 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6
SHA512: fa9fc3f5565eb6f84331fb068b70b110aefd87d73ec5c9fabda0819886dca3617dbe4b712eda1a68254352f931cd6bca6c4878d515a793697ae410e19884ebbd
Malware Config
Extracted from: \??\M:\DECR.TXT
Signatures

Modifies extensions of user files (10 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\FindResize.tiff | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File renamed | C:\Users\Admin\Pictures\SubmitOpen.tif => C:\Users\Admin\Pictures\SubmitOpen.tif.__NIST_K571__ | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File renamed | C:\Users\Admin\Pictures\PushDisable.tiff => C:\Users\Admin\Pictures\PushDisable.tiff.__NIST_K571__ | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File renamed | C:\Users\Admin\Pictures\UnregisterDisable.png => C:\Users\Admin\Pictures\UnregisterDisable.png.__NIST_K571__ | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File renamed | C:\Users\Admin\Pictures\CompressDisable.raw => C:\Users\Admin\Pictures\CompressDisable.raw.__NIST_K571__ | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File renamed | C:\Users\Admin\Pictures\ConfirmRevoke.raw => C:\Users\Admin\Pictures\ConfirmRevoke.raw.__NIST_K571__ | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File renamed | C:\Users\Admin\Pictures\DisconnectInvoke.tif => C:\Users\Admin\Pictures\DisconnectInvoke.tif.__NIST_K571__ | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File renamed | C:\Users\Admin\Pictures\FindResize.tiff => C:\Users\Admin\Pictures\FindResize.tiff.__NIST_K571__ | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File renamed | C:\Users\Admin\Pictures\PublishRestart.raw => C:\Users\Admin\Pictures\PublishRestart.raw.__NIST_K571__ | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened for modification | C:\Users\Admin\Pictures\PushDisable.tiff | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
Drops startup file (1 IoC)
Processes: 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECR.TXT | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
description | ioc | process
File opened (read-only) | \??\F: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\N: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\M: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\W: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\R: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\A: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\H: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\J: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\Z: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\X: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\B: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\I: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\S: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\G: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\U: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\O: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\P: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\K: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\L: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\Q: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\E: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\T: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\Y: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
File opened (read-only) | \??\V: | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
Modifies Control Panel (1 IoC)
Processes: ShellExperienceHost.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Colors | ShellExperienceHost.exe
Suspicious behavior: EnumeratesProcesses (276 IoCs)
Processes: 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
pid | process
648 | 06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
(the original table repeats this same pid/process row for every one of the 276 IoCs; the identical rows are collapsed here)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: ShellExperienceHost.exe
pid | process
3948 | ShellExperienceHost.exe
3948 | ShellExperienceHost.exe
Processes

Process: C:\Users\Admin\AppData\Local\Temp\06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\06d370217abec9468bc22c30ba3be72b8de1a7459f9e927656dcf2613a314bf6.bin.exe"
PID: 648
- Modifies extensions of user files
- Drops startup file
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses

Process: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
PID: 3948
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx