Analysis
-
max time kernel
38s -
max time network
56s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
19-05-2021 19:16
Static task
static1
Behavioral task
behavioral1
Sample
Lucky Fixed.bin.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
Lucky Fixed.bin.exe
Resource
win10v20210408
General
-
Target
Lucky Fixed.bin.exe
-
Size
1.3MB
-
MD5
1f4f57202ef12656df3582a8adef59d8
-
SHA1
0f66c9ac00c19dd20827a78ffdfa4e63857abffb
-
SHA256
6933c5d70f485687742b49b9310074cc4b948a293527ad0c7c78fb60d47efcb1
-
SHA512
ae67c0aa6a1d87fdedf3ee08c050cb853bef45510383b13033285991ca983985ef1a8329a7782d2e02eb079b6c0246909c0110dfbd22ca921bd209446e1d0fcb
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
Decoder.exepid process 1972 Decoder.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 6 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 780 timeout.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Lucky Fixed.bin.exedescription pid process Token: SeDebugPrivilege 812 Lucky Fixed.bin.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
Lucky Fixed.bin.execmd.exedescription pid process target process PID 812 wrote to memory of 1972 812 Lucky Fixed.bin.exe Decoder.exe PID 812 wrote to memory of 1972 812 Lucky Fixed.bin.exe Decoder.exe PID 812 wrote to memory of 1972 812 Lucky Fixed.bin.exe Decoder.exe PID 812 wrote to memory of 3788 812 Lucky Fixed.bin.exe cmd.exe PID 812 wrote to memory of 3788 812 Lucky Fixed.bin.exe cmd.exe PID 3788 wrote to memory of 780 3788 cmd.exe timeout.exe PID 3788 wrote to memory of 780 3788 cmd.exe timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.bin.exe"C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.bin.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812 -
C:\ProgramData\Decoder.exe"C:\ProgramData\Decoder.exe"2⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""2⤵
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Windows\system32\timeout.exetimeout 43⤵
- Delays execution with timeout.exe
PID:780
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Decoder.exeMD5
de81e7651c6e62b4c7195ac2e6befbc0
SHA11f2dc517abf4b8a789ac4ef9d8c7d1a7f486fe32
SHA256eef661cffbde254d5b9dba578e91f35cfc0a5fd4c6f25e959eef04ee948f1d5b
SHA5123cde05ae78fcd5978cd15bf155f650997489c130cf73539b00c45eb36a5582af11e419efedb3f88cb7caca4691bc1f691b8e4e820276ced697fe82198c4f076b
-
C:\ProgramData\Decoder.exeMD5
de81e7651c6e62b4c7195ac2e6befbc0
SHA11f2dc517abf4b8a789ac4ef9d8c7d1a7f486fe32
SHA256eef661cffbde254d5b9dba578e91f35cfc0a5fd4c6f25e959eef04ee948f1d5b
SHA5123cde05ae78fcd5978cd15bf155f650997489c130cf73539b00c45eb36a5582af11e419efedb3f88cb7caca4691bc1f691b8e4e820276ced697fe82198c4f076b
-
C:\Users\Admin\AppData\Local\Temp\.cmdMD5
217407484aac2673214337def8886072
SHA10f8c4c94064ce1f7538c43987feb5bb2d7fec0c6
SHA256467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797
SHA5128466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330
-
memory/780-122-0x0000000000000000-mapping.dmp
-
memory/812-114-0x00000000008C0000-0x00000000008C1000-memory.dmpFilesize
4KB
-
memory/812-116-0x000000001BAE0000-0x000000001BB51000-memory.dmpFilesize
452KB
-
memory/812-117-0x0000000000E80000-0x0000000000E82000-memory.dmpFilesize
8KB
-
memory/1972-118-0x0000000000000000-mapping.dmp
-
memory/1972-124-0x0000000000DC0000-0x0000000000DC1000-memory.dmpFilesize
4KB
-
memory/3788-120-0x0000000000000000-mapping.dmp