acbe3153184397a7e789f93226ff4d8560f8b4b3a5b57281968f67d246e35cf4

Resubmissions

27/04/2021, 15:25

210427-nlva9ev87e 8

27/04/2021, 14:03

210427-vj2ehadz4s 8

Analysis

max time kernel
95s
max time network
132s
platform
windows7_x64
resource
win7v20210408
submitted
27/04/2021, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
Size

61KB
MD5

077fccc46159f8ccd79fcd50787db1c9
SHA1

288635e27276ba6da3291d0982a8f0f23ae0065e
SHA256

92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09
SHA512

6028a1b66ea3e6baae6c11005596c6a6fff982d132ad23c502bf57c5d0995829f983963ba451142f2780214da6c8588e8f83b2972d289367300094fee9cebe74

Score

8^/10

persistence ransomware

Malware Config

Signatures

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\MergeApprove.tiff	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
File created	C:\Users\Admin\Pictures\PopShow.crw.givemenitro	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
File created	C:\Users\Admin\Pictures\MergeApprove.tiff.givemenitro	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
File created	C:\Users\Admin\Pictures\RevokeEdit.crw.givemenitro	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
File created	C:\Users\Admin\Pictures\UnprotectBackup.crw.givemenitro	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
File created	C:\Users\Admin\Pictures\WatchPing.tiff.givemenitro	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
File opened for modification	C:\Users\Admin\Pictures\WatchPing.tiff	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
File created	C:\Users\Admin\Pictures\AddGroup.png.givemenitro	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
File created	C:\Users\Admin\Pictures\BackupTrace.tif.givemenitro	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
File created	C:\Users\Admin\Pictures\ConfirmSet.tif.givemenitro	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe\""	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org
6	api.ipify.org

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.png"	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\Wallpaper.jpg"	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
792	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
792	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	792	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
Token: SeIncreaseQuotaPrivilege	2012	WMIC.exe
Token: SeSecurityPrivilege	2012	WMIC.exe
Token: SeTakeOwnershipPrivilege	2012	WMIC.exe
Token: SeLoadDriverPrivilege	2012	WMIC.exe
Token: SeSystemProfilePrivilege	2012	WMIC.exe
Token: SeSystemtimePrivilege	2012	WMIC.exe
Token: SeProfSingleProcessPrivilege	2012	WMIC.exe
Token: SeIncBasePriorityPrivilege	2012	WMIC.exe
Token: SeCreatePagefilePrivilege	2012	WMIC.exe
Token: SeBackupPrivilege	2012	WMIC.exe
Token: SeRestorePrivilege	2012	WMIC.exe
Token: SeShutdownPrivilege	2012	WMIC.exe
Token: SeDebugPrivilege	2012	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2012	WMIC.exe
Token: SeRemoteShutdownPrivilege	2012	WMIC.exe
Token: SeUndockPrivilege	2012	WMIC.exe
Token: SeManageVolumePrivilege	2012	WMIC.exe
Token: 33	2012	WMIC.exe
Token: 34	2012	WMIC.exe
Token: 35	2012	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2012	WMIC.exe
Token: SeSecurityPrivilege	2012	WMIC.exe
Token: SeTakeOwnershipPrivilege	2012	WMIC.exe
Token: SeLoadDriverPrivilege	2012	WMIC.exe
Token: SeSystemProfilePrivilege	2012	WMIC.exe
Token: SeSystemtimePrivilege	2012	WMIC.exe
Token: SeProfSingleProcessPrivilege	2012	WMIC.exe
Token: SeIncBasePriorityPrivilege	2012	WMIC.exe
Token: SeCreatePagefilePrivilege	2012	WMIC.exe
Token: SeBackupPrivilege	2012	WMIC.exe
Token: SeRestorePrivilege	2012	WMIC.exe
Token: SeShutdownPrivilege	2012	WMIC.exe
Token: SeDebugPrivilege	2012	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2012	WMIC.exe
Token: SeRemoteShutdownPrivilege	2012	WMIC.exe
Token: SeUndockPrivilege	2012	WMIC.exe
Token: SeManageVolumePrivilege	2012	WMIC.exe
Token: 33	2012	WMIC.exe
Token: 34	2012	WMIC.exe
Token: 35	2012	WMIC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 1956	792	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe	25
PID 792 wrote to memory of 1956	792	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe	25
PID 792 wrote to memory of 1956	792	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe	25
PID 792 wrote to memory of 1956	792	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe	25
PID 1956 wrote to memory of 2012	1956	cmd.exe	27
PID 1956 wrote to memory of 2012	1956	cmd.exe	27
PID 1956 wrote to memory of 2012	1956	cmd.exe	27
PID 1956 wrote to memory of 2012	1956	cmd.exe	27

C:\Users\Admin\AppData\Local\Temp\92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
"C:\Users\Admin\AppData\Local\Temp\92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/792-60-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/792-62-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/792-65-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/792-66-0x00000000003D5000-0x00000000003E6000-memory.dmp

Filesize
68KB

Download