6933c5d70f485687742b49b9310074cc4b948a293527ad0c7c78fb60d47efcb1

General

Target

Lucky Fixed.bin.exe
Size

1.3MB
MD5

1f4f57202ef12656df3582a8adef59d8
SHA1

0f66c9ac00c19dd20827a78ffdfa4e63857abffb
SHA256

6933c5d70f485687742b49b9310074cc4b948a293527ad0c7c78fb60d47efcb1
SHA512

ae67c0aa6a1d87fdedf3ee08c050cb853bef45510383b13033285991ca983985ef1a8329a7782d2e02eb079b6c0246909c0110dfbd22ca921bd209446e1d0fcb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Decoder.exe

pid process

1972 Decoder.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

780 timeout.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Lucky Fixed.bin.exe

description pid process

Token: SeDebugPrivilege 812 Lucky Fixed.bin.exe

pid	process
1972	Decoder.exe

flow	ioc
6	api.ipify.org

pid	process
780	timeout.exe

description	pid	process
Token: SeDebugPrivilege	812	Lucky Fixed.bin.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Lucky Fixed.bin.execmd.exe

description	pid	process	target process
PID 812 wrote to memory of 1972	812	Lucky Fixed.bin.exe	Decoder.exe
PID 812 wrote to memory of 1972	812	Lucky Fixed.bin.exe	Decoder.exe
PID 812 wrote to memory of 1972	812	Lucky Fixed.bin.exe	Decoder.exe
PID 812 wrote to memory of 3788	812	Lucky Fixed.bin.exe	cmd.exe
PID 812 wrote to memory of 3788	812	Lucky Fixed.bin.exe	cmd.exe
PID 3788 wrote to memory of 780	3788	cmd.exe	timeout.exe
PID 3788 wrote to memory of 780	3788	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.bin.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\ProgramData\Decoder.exe
"C:\ProgramData\Decoder.exe"
2⤵
- Executes dropped EXE
PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
2⤵
- Suspicious use of WriteProcessMemory
PID:3788

C:\Windows\system32\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe
MD5
de81e7651c6e62b4c7195ac2e6befbc0

SHA1
1f2dc517abf4b8a789ac4ef9d8c7d1a7f486fe32

SHA256
eef661cffbde254d5b9dba578e91f35cfc0a5fd4c6f25e959eef04ee948f1d5b

SHA512
3cde05ae78fcd5978cd15bf155f650997489c130cf73539b00c45eb36a5582af11e419efedb3f88cb7caca4691bc1f691b8e4e820276ced697fe82198c4f076b

Download Submit
C:\ProgramData\Decoder.exe
MD5
de81e7651c6e62b4c7195ac2e6befbc0

SHA1
1f2dc517abf4b8a789ac4ef9d8c7d1a7f486fe32

SHA256
eef661cffbde254d5b9dba578e91f35cfc0a5fd4c6f25e959eef04ee948f1d5b

SHA512
3cde05ae78fcd5978cd15bf155f650997489c130cf73539b00c45eb36a5582af11e419efedb3f88cb7caca4691bc1f691b8e4e820276ced697fe82198c4f076b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd
MD5
217407484aac2673214337def8886072

SHA1
0f8c4c94064ce1f7538c43987feb5bb2d7fec0c6

SHA256
467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797

SHA512
8466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330

Download Submit
memory/780-122-0x0000000000000000-mapping.dmp

Download
memory/812-114-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/812-116-0x000000001BAE0000-0x000000001BB51000-memory.dmp

Filesize
452KB

Download
memory/812-117-0x0000000000E80000-0x0000000000E82000-memory.dmp

Filesize
8KB

Download
memory/1972-118-0x0000000000000000-mapping.dmp

Download
memory/1972-124-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/3788-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing