acbe3153184397a7e789f93226ff4d8560f8b4b3a5b57281968f67d246e35cf4

Resubmissions

27/04/2021, 15:25

210427-nlva9ev87e 8

27/04/2021, 14:03

210427-vj2ehadz4s 8

Analysis

max time kernel
78s
max time network
110s
platform
windows10_x64
resource
win10v20210410
submitted
27/04/2021, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
Size

61KB
MD5

077fccc46159f8ccd79fcd50787db1c9
SHA1

288635e27276ba6da3291d0982a8f0f23ae0065e
SHA256

92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09
SHA512

6028a1b66ea3e6baae6c11005596c6a6fff982d132ad23c502bf57c5d0995829f983963ba451142f2780214da6c8588e8f83b2972d289367300094fee9cebe74

Score

8^/10

persistence ransomware

Malware Config

Signatures

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\BackupStop.raw.givemenitro	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
File created	C:\Users\Admin\Pictures\SelectMeasure.crw.givemenitro	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe\""	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	api.ipify.org
8	api.ipify.org

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.png"	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4060	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
4060	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4060	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
Token: SeIncreaseQuotaPrivilege	1684	WMIC.exe
Token: SeSecurityPrivilege	1684	WMIC.exe
Token: SeTakeOwnershipPrivilege	1684	WMIC.exe
Token: SeLoadDriverPrivilege	1684	WMIC.exe
Token: SeSystemProfilePrivilege	1684	WMIC.exe
Token: SeSystemtimePrivilege	1684	WMIC.exe
Token: SeProfSingleProcessPrivilege	1684	WMIC.exe
Token: SeIncBasePriorityPrivilege	1684	WMIC.exe
Token: SeCreatePagefilePrivilege	1684	WMIC.exe
Token: SeBackupPrivilege	1684	WMIC.exe
Token: SeRestorePrivilege	1684	WMIC.exe
Token: SeShutdownPrivilege	1684	WMIC.exe
Token: SeDebugPrivilege	1684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1684	WMIC.exe
Token: SeRemoteShutdownPrivilege	1684	WMIC.exe
Token: SeUndockPrivilege	1684	WMIC.exe
Token: SeManageVolumePrivilege	1684	WMIC.exe
Token: 33	1684	WMIC.exe
Token: 34	1684	WMIC.exe
Token: 35	1684	WMIC.exe
Token: 36	1684	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1684	WMIC.exe
Token: SeSecurityPrivilege	1684	WMIC.exe
Token: SeTakeOwnershipPrivilege	1684	WMIC.exe
Token: SeLoadDriverPrivilege	1684	WMIC.exe
Token: SeSystemProfilePrivilege	1684	WMIC.exe
Token: SeSystemtimePrivilege	1684	WMIC.exe
Token: SeProfSingleProcessPrivilege	1684	WMIC.exe
Token: SeIncBasePriorityPrivilege	1684	WMIC.exe
Token: SeCreatePagefilePrivilege	1684	WMIC.exe
Token: SeBackupPrivilege	1684	WMIC.exe
Token: SeRestorePrivilege	1684	WMIC.exe
Token: SeShutdownPrivilege	1684	WMIC.exe
Token: SeDebugPrivilege	1684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1684	WMIC.exe
Token: SeRemoteShutdownPrivilege	1684	WMIC.exe
Token: SeUndockPrivilege	1684	WMIC.exe
Token: SeManageVolumePrivilege	1684	WMIC.exe
Token: 33	1684	WMIC.exe
Token: 34	1684	WMIC.exe
Token: 35	1684	WMIC.exe
Token: 36	1684	WMIC.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 1384	4060	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe	75
PID 4060 wrote to memory of 1384	4060	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe	75
PID 4060 wrote to memory of 1384	4060	92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe	75
PID 1384 wrote to memory of 1684	1384	cmd.exe	77
PID 1384 wrote to memory of 1684	1384	cmd.exe	77
PID 1384 wrote to memory of 1684	1384	cmd.exe	77

C:\Users\Admin\AppData\Local\Temp\92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe
"C:\Users\Admin\AppData\Local\Temp\92190c9789485a0d96bced7040080f0ae35c02898c3d31a65d50ecd659b80f09.bin.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4060-114-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/4060-116-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/4060-117-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/4060-120-0x0000000004A50000-0x0000000004F4E000-memory.dmp

Filesize
5.0MB

Download
memory/4060-121-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/4060-122-0x0000000004A50000-0x0000000004F4E000-memory.dmp

Filesize
5.0MB

Download
memory/4060-123-0x0000000004A50000-0x0000000004F4E000-memory.dmp

Filesize
5.0MB

Download