Analysis

  • max time kernel
    10s
  • max time network
    115s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    18-06-2021 21:20

General

  • Target

    9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe

  • Size

    564KB

  • MD5

    145e3c224e4ecaf26d4638efb9d622a7

  • SHA1

    70d5b0be6ed51e43c0a19b773cead8793257bbc1

  • SHA256

    9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89

  • SHA512

    f6a45167238bff44410c528fdeaf417cb6fd5a563bb61fb6febd76a26f427657f4f93175cac25a09784029818190645fb9d40f7ce781329a2eda7ae669f3d822

Malware Config

Signatures

  • NetFilter

    NetFilter is a rootkit first seen in June 2021.

  • Downloads MZ/PE file
  • Sets service image path in registry 2 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe"
    1⤵
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Windows\SysWOW64\regini.exe
      "C:\Windows\System32\regini.exe" configure.xalm
      2⤵
        PID:960

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads