Overview

overview

8

Static

static

92190c9789...in.exe

windows7_x64

8

92190c9789...in.exe

windows10_x64

8

Resubmissions

27-04-2021 15:25

210427-nlva9ev87e 8

27-04-2021 14:03

210427-vj2ehadz4s 8

Analysis

  • max time kernel
    78s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    27-04-2021 14:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe

  • Size

    61KB

  • MD5

    077fccc46159f8ccd79fcd50787db1c9

  • SHA1

    288635e27276ba6da3291d0982a8f0f23ae0065e

  • SHA256

    92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09

  • SHA512

    6028a1b66ea3e6baae6c11005596c6a6fff982d132ad23c502bf57c5d0995829f983963ba451142f2780214da6c8588e8f83b2972d289367300094fee9cebe74

Score
8/10
persistenceransomware

Malware Config

Signatures

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1384
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1384-118-0x0000000000000000-mapping.dmp
    Download
  • memory/1684-119-0x0000000000000000-mapping.dmp
    Download
  • memory/4060-114-0x00000000002E0000-0x00000000002E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-116-0x0000000004F50000-0x0000000004F51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-117-0x0000000004B30000-0x0000000004B31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-120-0x0000000004A50000-0x0000000004F4E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4060-121-0x0000000000B10000-0x0000000000B11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-122-0x0000000004A50000-0x0000000004F4E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4060-123-0x0000000004A50000-0x0000000004F4E000-memory.dmp
    Filesize

    5.0MB

    Download