Overview

overview

10

Static

static

10

0033c6e1db...le.exe

windows7_x64

10

0033c6e1db...le.exe

windows10_x64

10

02665fcf9c...le.exe

windows7_x64

10

02665fcf9c...le.exe

windows10_x64

10

1c4b55fefc...le.exe

windows7_x64

10

1c4b55fefc...le.exe

windows10_x64

10

48be948c33...le.exe

windows7_x64

10

48be948c33...le.exe

windows10_x64

10

714f630043...le.exe

windows7_x64

10

714f630043...le.exe

windows10_x64

10

7932343454...le.exe

windows7_x64

10

7932343454...le.exe

windows10_x64

10

aa3e530d45...le.exe

windows7_x64

8

aa3e530d45...le.exe

windows10_x64

10

b6f774f469...le.exe

windows7_x64

10

b6f774f469...le.exe

windows10_x64

10

b739791dd0...le.exe

windows7_x64

10

b739791dd0...le.exe

windows10_x64

10

d6cb46d0b3...le.exe

windows7_x64

10

d6cb46d0b3...le.exe

windows10_x64

10

e1c46a96ef...le.exe

windows7_x64

10

e1c46a96ef...le.exe

windows10_x64

10

Analysis

  • max time kernel
    3s
  • max time network
    9s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    28-05-2021 09:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe

  • Size

    97KB

  • MD5

    212614aa34906a41edd51491c7980529

  • SHA1

    671f1031d3b2cd242a270e17718cc0fe20122ad0

  • SHA256

    d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00

  • SHA512

    21a57568c090f0ed72b599168a16d1bfb2073e639972fb0268e6d91143f5bb54292fd6a15fea20f6d90ee817eafebf771b6c7771318a90de148fd95692f49d6a

Score
10/10
evasionpersistenceransomwaretrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
    ransomwareevasion
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe"
    1⤵
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Windows\system32\reg.exe
      "reg.exe" delete HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend /f
      2⤵
      • Modifies registry key
      PID:1968
    • C:\Windows\system32\bcdedit.exe
      "bcdedit.exe" /set {default} safeboot network
      2⤵
      • Modifies boot configuration data using bcdedit
      PID:1936
    • C:\Windows\system32\shutdown.exe
      "shutdown.exe" /r /t 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1404
    • C:\Windows\system32\net.exe
      "net.exe" user Admin ""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user Admin ""
        3⤵
          PID:1192
      • C:\Windows\system32\reg.exe
        "reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\d6cb46d0b3165c6087b15378ac7742c93cae7b5cf81c00d5fcb37a429b705d00.bin.sample.exe","C:\Windows\system32\userinit.exe" /f
        2⤵
        • Modifies WinLogon for persistence
        PID:1756
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Get-MpPreference -verbose
        2⤵
          PID:840
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x0
        1⤵
          PID:1468

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/840-69-0x0000000000000000-mapping.dmp

          Download

        • memory/1192-68-0x0000000000000000-mapping.dmp

          Download

        • memory/1272-60-0x00000000012F0000-0x00000000012F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1272-66-0x00000000004A0000-0x00000000004A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1404-67-0x0000000000000000-mapping.dmp

          Download

        • memory/1468-70-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1468-72-0x0000000002980000-0x0000000002981000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1736-65-0x0000000000000000-mapping.dmp

          Download

        • memory/1756-64-0x0000000000000000-mapping.dmp

          Download

        • memory/1936-63-0x0000000000000000-mapping.dmp

          Download

        • memory/1968-62-0x0000000000000000-mapping.dmp

          Download