Overview

overview

8

Static

static

1

8a1c3ee0e1...in.exe

windows7_x64

8

8a1c3ee0e1...in.exe

windows10_x64

8

Analysis

  • max time kernel
    143s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    16-04-2021 13:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8a1c3ee0e1919990ff018eb286566b50.bin.exe

  • Size

    124KB

  • MD5

    3c93f5734de703d7ad198d2dad3b7ca4

  • SHA1

    e9e4531a8aa8275fbf9b0e480eaeacd4f5a932b3

  • SHA256

    c71384686c8caa0a72dcc7e0a4e93f56b8c66f9523fa1498ec9cf1794144ad70

  • SHA512

    eb12c08e4dbca51410c9cd52abe113f01b1951dbe1f13918f927d8c9545de423a27c4377f2ff919f901d5a91ba3f527c0d8e531514b5220f9bbb8bc4b374b35d

Score
8/10
persistenceransomwarespywarestealerupx

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops startup file 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 64 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 10 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a1c3ee0e1919990ff018eb286566b50.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\8a1c3ee0e1919990ff018eb286566b50.bin.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4012
    • C:\Users\Admin\AppData\Local\Temp\8a1c3ee0e1919990ff018eb286566b50.bin.exe
      "C:\Users\Admin\AppData\Local\Temp\8a1c3ee0e1919990ff018eb286566b50.bin.exe"
      2⤵
      • Drops file in Drivers directory
      • Modifies extensions of user files
      • Drops startup file
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      PID:3520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\11.gif
    MD5

    71e80af2e6a1ff5e3b3289f48062aa80

    SHA1

    f25e4e69d0d510c71bcdc67ab4da2266c694e2b7

    SHA256

    73911a7249188fda4c15aed5fe4026fe9e3ac061cc5d4c5d31efb96ec5e80a8b

    SHA512

    b45b04e268082f9bea74b7f612c0fd26f1faf2a15103624eff5634861e5f1fea060ff49c36975083e8a37db42a23bbc0d5f0673574c2524704fc185008497eae

    Download Submit
  • C:\Users\Admin\AppData\Roaming\EmbeddingExampleXML2FO.png
    MD5

    6980cf38cff59ef485e132eec87dd7fd

    SHA1

    b893a252af5b8923161d7e084f446718ebb790c9

    SHA256

    294ac1f7bf7c4de335d3578804530a26caabeb9d2e9f1e3345b60a7e4709a7e0

    SHA512

    8909ccec26a7e6e7472f12f21c46337cdf09ee97c46a41b30ab209aa2de0178d34a44d6385511a9a9efdfeeb7a0eea7588503ab5718296e5e633d8e58f96dde5

    Download Submit
  • C:\Users\Admin\AppData\Roaming\README_uk_UA.txt
    MD5

    e98722a9f0f83e5de3857a290cb837ef

    SHA1

    f0f9e8c130c443454409d4e3a0db370a89f81c41

    SHA256

    ebf82f0263f798a86db05d69c860d93e9d3d9d38e2ac347e0133b4d7f7cfe19c

    SHA512

    46bf03b7fd6871fd60699568d5680e45ab197397f7fc696dacc613fbadb313e86b5cfc1bfbcfd1057314135d88cb1dd51d3d814885a65fb2ef5575f3479cc90a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Title_mainImage-mask.png
    MD5

    a534dbb39b25cd463993c98a10f21be7

    SHA1

    da990ed559100f15b56f8eb355483627f25fedbe

    SHA256

    2b7c4ad5f01ace9583241dde497ce1fa8c812c4578810ac9b9aedd0bba5e9ffa

    SHA512

    28417c207b12dcf6fec18031370facedda07ee11e01ed610e87beaa30805851668205d3bc9561b0c3124a48db199f371a540064fdbefb5b4e66ca3f0bf130102

    Download Submit
  • C:\Users\Admin\AppData\Roaming\additional_tools_get_help_icon.png
    MD5

    d3f908f1f23b9feb25568abd3c405026

    SHA1

    0dce4f627d7cd623d68e69941f7dd50f2291af0e

    SHA256

    e6673778ddc02dfd4195128933b18d7c77cecafaf0e4c0cfb87700d34ecaa0f3

    SHA512

    b5a793483ada43de0e480fd999ebe18cb773c52fa104a73fec21d274a1f1dd81cc828a4111cab99a6737d5683d4b980abb4e7df2e71ead10393b5301b03e30ac

    Download Submit
  • C:\Users\Admin\AppData\Roaming\backup.png
    MD5

    6ed51081962a1d8cf23c43605c6b09f0

    SHA1

    0419fdc5163216da78c2d80495897149a508109d

    SHA256

    c4e27de236a56caee688afd40049f18c5b9a8fdde302930110b0c7f10375862e

    SHA512

    864ab8325afed2b5635c30a29b0585a292aaae14b3415f54d78605bea3c7c203c6357531c587043e9154f43020f10d591949477f1a3cfc05941e70c509119595

    Download Submit
  • C:\Users\Admin\AppData\Roaming\body.font.family.xml
    MD5

    741ebea20d92252476c181f1b5b7fb80

    SHA1

    5495217cb8434bfba68e7a821731b35ba7397729

    SHA256

    3e4bc0ae5f439dd0bcefab715bad539c2d869f88f0723cd12de1efd67da4bdd9

    SHA512

    3980a36f0389f33da1ac16fbca8c14e859846da7cd0707c4ed7bb1be9a056f113544b7f0dee37c10e68d7a602c7fd85836bb5dd8fb7f6a891b5dac792a32e393

    Download Submit
  • C:\Users\Admin\AppData\Roaming\callout.list.table.xml
    MD5

    8c441654fcd4735162cd808447e88af8

    SHA1

    6ea09c1a61b1d4261ac931c84b67f1b8bb4f7beb

    SHA256

    88454cdf2039ac24294b9bddecd6fa72a70c3b8313af0a91ceabf6268b400e58

    SHA512

    a5d5bba5b2684042ac5e562d271dbc971ab89d8ce4837c1bfb82d061802af92ab71a5128c3f649f16832dcd74120d3dec40178ae11a4c3e3fc4094a58107907b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\checkbox_normal.png
    MD5

    b25853c16a4bf4db03e508bdc1896b9a

    SHA1

    f47774f2199f386d7985c22a099931dd54467329

    SHA256

    c8d93865df049859558b85a320cfa80d84240dafc4c35d96306a6ce13036bcb7

    SHA512

    2b2457c79d1c7271a7021d203aa374cdd3b630d5ac423b11797eae35d2506c25081c3dfa2dc8a2a5a7ce2fc12fa841cd3cc03b968884f908bdbc70a354d439e7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\description.xml
    MD5

    5db4e1c1fc3924e60534f8df377e5460

    SHA1

    60da040e88331590614af43d291939e703e756df

    SHA256

    10cb3a8816567dac7628cf3e51e637bb8730fff1fb36e52cffb1774cebdca3bb

    SHA512

    78b4b29cdbb985c11abb93d5e7175973c1d2590a7f6c9e5a7c83f901e6645c6bdddabc442daa708c57f71aaa45d907840b2548dc8786e644cf6a8cd57e2af17f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\formal.object.properties.xml
    MD5

    c6da466da7bc3f969b34f6b0f46f5b0a

    SHA1

    5047ba82ac25506767079ddf156ff6dfb8bfe24d

    SHA256

    c686ea8d6b485c5cf77c035d949e5ee58e7ac4be65fcf940686cbc14213264a5

    SHA512

    9c76e79615e9434917efa96fffeffa1909fb9192708a02cecf6b6005e2ce8fa481bf0e80ffac26c2b945954a0ed2df87539632162cd02244f71be89c847ded33

    Download Submit
  • C:\Users\Admin\AppData\Roaming\html.extra.head.links.xml
    MD5

    2fac14c88cb12905230ed9da3ac993d2

    SHA1

    411e7669c2756918bad08b82c146bb62e3c6378d

    SHA256

    1901c63e8606e7be89a00571b5b980a7895f4cf16fdef13e1a64b2faf655162c

    SHA512

    96fb9dca831cfdfa718bc7500c66a6ad782db57227f26c64448283522f94b5ac1bc63911892fcdca2e9deafe1a1a86c581b971e85a681a36f314c156393a2468

    Download Submit
  • C:\Users\Admin\AppData\Roaming\htmlhelp.button.jump1.title.xml
    MD5

    09f122a61b82b26526eaa4216dd5dd83

    SHA1

    e5f4b42cbbc8d49128f46d796b1daa2298424f2c

    SHA256

    6bcc2222944ad141c58680b2498b4477814d46314a612762efe9f61a815544f3

    SHA512

    f48768689f573c60394229f6761d8cbe9e13874ddbb48416c943728340b7a151cd57bb97f16063753a2d9dc806e02d887bc17bcd794f5254a02a3f622cd067dc

    Download Submit
  • C:\Users\Admin\AppData\Roaming\nonopt.js
    MD5

    6b4ef092f48591188867156535f40586

    SHA1

    3876f4b3eec2d24d8c804305788a9733add332e3

    SHA256

    d0c9b17d5154d0093234bdda25fd60d193ddb517aa9e3a3da3262ee63d5ad82d

    SHA512

    6d6914151b456512a50cbd1f2d6fb1c90a41f0561e93df59c3b47987586c0e69a9d73ab0c47d7e5d82c72a7ac76d534bfc4fb1ebf2c63c7c61ec3c57177d4121

    Download Submit
  • C:\Users\Admin\AppData\Roaming\output.indent.xml
    MD5

    9215752f0ca40036244f01afcf1a837d

    SHA1

    63d2ea9aafb823a711e2012b491647ebbf6e9be2

    SHA256

    ab19889554d2e3a5c4d0b0a36673d64df4f9f5ccbecf895488254c93afdd8d79

    SHA512

    4b59efde0b1e095ae8c4f860190d8327a9663a550c7725c38b6e75d105d660f27ea4b06948e10299b6e7993b258c9a2973b2233a16a4bf5399f4617e2ffdfb70

    Download Submit
  • C:\Users\Admin\AppData\Roaming\phone.png
    MD5

    e861693c9904060c0a3defc08b58eb9c

    SHA1

    39d84135adcf8a3bd80baf4b3f6a3e22a3e10a53

    SHA256

    069b5121529b0e81374bca8408fa6b1de0c2a8420c417f1bafb0dc2b725f72a8

    SHA512

    95da0bd00f31dcd7c1edeb92c24edf5791f681d3090026763078fc5ececfef339bd74049df9c066d6c746beed7db85fc90bcf7805801fa7ee86178e856777d34

    Download Submit
  • C:\Users\Admin\AppData\Roaming\play-static.png
    MD5

    7898207290f8d86a4a58985d18674538

    SHA1

    0e7187f7f82e6b4a81826c10fc917554a52e01db

    SHA256

    1b30b4536931d0c79152a4af8b51ff188988947086a314f4419be243e567980e

    SHA512

    240f7ce2f84f559f05058227b2604fc0b99d97d6f03051c71af2e4989b6c9eeb160a4ad5bb1890978d71afcb697ea1b748ec957f0a50291475f36174159ca7eb

    Download Submit
  • C:\Users\Admin\AppData\Roaming\printer.png
    MD5

    bd09b3de440413ad45dc037b889889c7

    SHA1

    c1e72444a7a0697c8622fa84a881d4fe644a2de4

    SHA256

    657d65c54ada3ba5dd5a20ff326cc496723f41979f09b443bbf88658c45f4c8a

    SHA512

    637b5da35672ff6a9ad36518c7007c3bd0fb102d09c4ea30fc324071991650b5c45bac712ca509f340785aeb32e69969bb024b028dc35f60b93911a35561e82e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\rebuild-all.xml
    MD5

    9a002974e41bd4fbddee78e1d8baa168

    SHA1

    f1eccc8b4edc7e33f866694668e4238c77c024f4

    SHA256

    28ccb66608ae1d7f73545ab5f49ce2b81ed06b79e7169ea030b4102830a18f9a

    SHA512

    d28ebd41f9dea6c22e37d13e06811cd5feb4de5fdcbe44c6faee4b4116b20812d7de4b43508fae823dae6070ee3c9f45e03b0e9d47b47d75e2474794c0c8ec37

    Download Submit
  • C:\Users\Admin\AppData\Roaming\speaker.png
    MD5

    88efd1161cf4654856f261f89cbd16fa

    SHA1

    bcc3c2e4c4e0189ae69bc39a7261e920580d631a

    SHA256

    7e5ab6d48d5e03b93c1fac0ce126ea28e6abce29f6ae506a217f12234c13ca78

    SHA512

    fa0f489d2a89782723079dcb667858f3df35066d8bd7f1074eab39e99fb1c0ac12e84e06f4733c6d665458f33ab3c6ea819fdd8647674a4ea63a62cc33ee810d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\startTest-2.png
    MD5

    70cf7033b10b2986ef79e91a2124c47f

    SHA1

    64da3d4452b6588bd5c7770954ab0fe735fe818a

    SHA256

    4b9b30bd26135d5e5ef0d2fe72f8309f2092ac0bebe851b1b56f663389bc3820

    SHA512

    04a1d8dd12ac774313d341183355c6fb318dc8db107d896b171ca1a2e3e6bcb350b1e6fe87a7fb71c3eb6c06375e08bf3491862dcd2e2824ed4f56dbd70cae65

    Download Submit
  • C:\Users\Admin\AppData\Roaming\test.js
    MD5

    b0078e645316564f40400933e6ce7be8

    SHA1

    47f9401df7932d243d387d2d4cd3e08cc217ddbb

    SHA256

    797f5ac99db9433c19300bb549380800f487d00102e7c14eed4757b1fb8e0d25

    SHA512

    0203dec33873ce50400ccc6583aa5690bf4eff6e7b405fc0d72b6033fa7bcb9624111f0b35fab876485417a81c4138daf71eba2a86d9cb21c9adf165cc67a2a7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\toc-blank.png
    MD5

    362d67f899016b3165be05f860f2bb58

    SHA1

    bad55f41d26ce462f13379b8e4ac7825704c8536

    SHA256

    dede084d552bd7b8f56815cdaa5838ff88202f90e50022d9af933da0edc4856c

    SHA512

    e2e4bcd02ca884abb8caebd5189d3614f1d425d03c7ce64fa2d2f855335430ca28e6243fd25b5d6aad07beb1695df1e1776cc4369f332ea62fa7dd61f38f6e55

    Download Submit
  • C:\Users\Admin\AppData\Roaming\toc.list.type.xml
    MD5

    43857d8eeeab390852d5ea5cd7b9e886

    SHA1

    1bad0716afe3e86ee1b36a33d7f3c5d840333118

    SHA256

    6d441a2f06dec53852478760f60c3f4df6c789410bdd45477fae052685aa0ac2

    SHA512

    96d4d9c829dc3ab83aabdd69545fe8bfacd3d77fd10a863dc921cb1b1321405094e67ce10537fb5567e17627bd3faf547b953d35d702d74cf816debbb0e4d36a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\uninstall.png
    MD5

    8dd3b69ef8d9f556e73b2180f4f9a6f3

    SHA1

    8a660110ac1b86bb588e4baa2b7e0f71c1180f57

    SHA256

    4ca0a43918d222639034eff1617e0619ab6f37307ffa4d3fd4bcae21be9addc4

    SHA512

    99f3a00f311e381dfdb46febb56d1f234ba7b734f74b07bedae43e39e5e71ba359312cc23fcdb7c74e60891f5508834e6e27b96248c2be3290f7e09d551b0c02

    Download Submit
  • C:\Users\Admin\AppData\Roaming\xbCollapsibleLists.js.xml
    MD5

    1f95e0cbd011cbba77dab38f891d2608

    SHA1

    c9c08934d2763a46a06d7bb655e1d9165ee4d8a3

    SHA256

    330bc9c93e771b86782867511f48b0d5de222d791e912456626380aaf9deaf6c

    SHA512

    9b32f90e01f7da857cc3608e76865066480034a78e5c46679cf4dc88a7dc85c2bdf56992fa0bdcd25e63dc972babeacd169fd31fd08260249e0f0d93e52f487b

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsr2448.tmp\System.dll
    MD5

    883eff06ac96966270731e4e22817e11

    SHA1

    523c87c98236cbc04430e87ec19b977595092ac8

    SHA256

    44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

    SHA512

    60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

    Download Submit
  • \Users\Admin\AppData\Roaming\IP.dll
    MD5

    c54d2d96c56ff690e39d0d7608d6ead6

    SHA1

    f929f3e499c871930942ede00d718db4894dbb19

    SHA256

    3cbacb864a94e8f0b0d4fa1b578ace134d0d0582c62b8b7cc809a42cecd1348e

    SHA512

    03d9f7d32918351dc6750043b79d583829ea53b4d7c51f0b042dbab267e3b4046dc4339875b99721435be9b81e113043a30eb5472671a3762eccdc7f6c369603

    Download Submit
  • \Users\Admin\AppData\Roaming\IP.dll
    MD5

    c54d2d96c56ff690e39d0d7608d6ead6

    SHA1

    f929f3e499c871930942ede00d718db4894dbb19

    SHA256

    3cbacb864a94e8f0b0d4fa1b578ace134d0d0582c62b8b7cc809a42cecd1348e

    SHA512

    03d9f7d32918351dc6750043b79d583829ea53b4d7c51f0b042dbab267e3b4046dc4339875b99721435be9b81e113043a30eb5472671a3762eccdc7f6c369603

    Download Submit
  • memory/3520-120-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3520-119-0x000000000040C680-mapping.dmp
    Download
  • memory/3520-118-0x0000000000400000-0x000000000040E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/4012-117-0x0000000002260000-0x000000000226D000-memory.dmp
    Filesize

    52KB

    Download