Analysis

  • max time kernel
    151s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    28-01-2021 11:56

General

  • Target

    6729001591617.bin.exe

  • Size

    3.6MB

  • MD5

    8e8f7ff797c292231959e4dd410a98da

  • SHA1

    5fba19ae9f76b445d96dbca71f53113492b09d49

  • SHA256

    ace9f321c9967b2ffe3bef9056c113b20040fe8831351082e186125aeea8ab0b

  • SHA512

    c1e510a6d5f57eaad3b744e20145c07241b1e857e1a1832a0878cd6beedf115a40c8bfd655896d800579110687d208a59416044fdbd2811102aac334720a3c27

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications 1 TTPs

    Malware can proxy its traffic through Tor for more anonymity.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2348 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6729001591617.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\6729001591617.bin.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Users\Admin\AppData\Local\Temp\6729001591617.bin.exe
      "C:\Users\Admin\AppData\Local\Temp\6729001591617.bin.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
        "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
        3⤵
        • Executes dropped EXE
        PID:1512
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
    1⤵
    • Drops startup file
    PID:1420

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/784-8-0x0000000000FA0000-0x000000000101B000-memory.dmp

    Filesize

    492KB

  • memory/784-9-0x0000000002F40000-0x00000000030C0000-memory.dmp

    Filesize

    1.5MB

  • memory/784-2-0x0000000075C61000-0x0000000075C63000-memory.dmp

    Filesize

    8KB

  • memory/1684-11-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/1684-12-0x00000000023A0000-0x0000000002449000-memory.dmp

    Filesize

    676KB

  • memory/1684-10-0x00000000000B0000-0x00000000000B1000-memory.dmp

    Filesize

    4KB

  • memory/1684-5-0x0000000000400000-0x000000000045A000-memory.dmp

    Filesize

    360KB

  • memory/1684-17-0x0000000000190000-0x0000000000191000-memory.dmp

    Filesize

    4KB