Analysis
- Max time kernel: 151s
- Max time network: 122s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 28-01-2021 11:56
Static task: static1
Behavioral task: behavioral1
  Sample: 6729001591617.bin.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 6729001591617.bin.exe
  Resource: win10v20201028
General
- Target: 6729001591617.bin.exe
- Size: 3.6MB
- MD5: 8e8f7ff797c292231959e4dd410a98da
- SHA1: 5fba19ae9f76b445d96dbca71f53113492b09d49
- SHA256: ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b
- SHA512: c1e510a6d5f57eaad3b744e20145c07241b1e857e1a1832a0878cd6beedf115a40c8bfd655896d800579110687d208a59416044fdbd2811102aac334720a3c27
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: pid 1512 GetX64BTIT.exe
- Drops startup file (1 IoC)
  Processes: DllHost.exe; file created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wsuj.exe
- Loads dropped DLL (1 IoC)
  Processes: pid 1684 6729001591617.bin.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows: flow 7 api.ipify.org; flow 8 api.ipify.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2348 IoCs)
  Processes: pid 784 6729001591617.bin.exe (repeated entries); pid 1684 6729001591617.bin.exe (repeated entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: pid 784 6729001591617.bin.exe; token: SeSecurityPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: pid 1684 6729001591617.bin.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: PID 784 (6729001591617.bin.exe) wrote to memory of PID 1684 (6729001591617.bin.exe), 13 entries; PID 1684 (6729001591617.bin.exe) wrote to memory of PID 1512 (GetX64BTIT.exe), 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\6729001591617.bin.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6729001591617.bin.exe"
  PID: 784
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\6729001591617.bin.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6729001591617.bin.exe"
    PID: 1684
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
      PID: 1512
      - Executes dropped EXE
- C:\Windows\SysWOW64\DllHost.exe (depth 1)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
  PID: 1420
  - Drops startup file
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  MD5: b4cd27f2b37665f51eb9fe685ec1d373
  SHA1: 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
  SHA256: 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
  SHA512: e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
- C:\Users\Admin\AppData\Local\Temp\x64btit.txt
  MD5: cab2646d12422b439756b9c2fa3a33f4
  SHA1: ed61d2200b97e6ad340f099c7b12bb0882d80b2c
  SHA256: 1130ace7f8377a70533907a4c1e956793b5722ce029b32816a8120b1184f62ea
  SHA512: 646918acfe050a463f788e044a12434a3c558a048e3f5e4afc6a682d11b9d48e6e4870c10853f1e66f144300f28d375d0432e60ce547e893fce565c9501d7124
- \Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  MD5: b4cd27f2b37665f51eb9fe685ec1d373
  SHA1: 7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0
  SHA256: 91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581
  SHA512: e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e
Memory dumps
- memory/784-8-0x0000000000FA0000-0x000000000101B000-memory.dmp
  Filesize: 492KB
- memory/784-9-0x0000000002F40000-0x00000000030C0000-memory.dmp
  Filesize: 1.5MB
- memory/784-2-0x0000000075C61000-0x0000000075C63000-memory.dmp
  Filesize: 8KB
- memory/1512-14-0x0000000000000000-mapping.dmp
- memory/1684-11-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize: 360KB
- memory/1684-12-0x00000000023A0000-0x0000000002449000-memory.dmp
  Filesize: 676KB
- memory/1684-10-0x00000000000B0000-0x00000000000B1000-memory.dmp
  Filesize: 4KB
- memory/1684-5-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize: 360KB
- memory/1684-4-0x0000000000000000-mapping.dmp
- memory/1684-17-0x0000000000190000-0x0000000000191000-memory.dmp
  Filesize: 4KB