Analysis
-
max time kernel
10s -
max time network
115s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
18-06-2021 21:20
Static task
static1
Behavioral task
behavioral1
Sample
9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe
Resource
win10v20210410
General
-
Target
9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe
-
Size
564KB
-
MD5
145e3c224e4ecaf26d4638efb9d622a7
-
SHA1
70d5b0be6ed51e43c0a19b773cead8793257bbc1
-
SHA256
9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89
-
SHA512
f6a45167238bff44410c528fdeaf417cb6fd5a563bb61fb6febd76a26f427657f4f93175cac25a09784029818190645fb9d40f7ce781329a2eda7ae669f3d822
Malware Config
Signatures
-
Downloads MZ/PE file
-
Sets service image path in registry 2 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 1908 9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeLoadDriverPrivilege 1908 9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1908 wrote to memory of 960 1908 9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe 79 PID 1908 wrote to memory of 960 1908 9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe 79 PID 1908 wrote to memory of 960 1908 9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe 79
Processes
-
C:\Users\Admin\AppData\Local\Temp\9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe"C:\Users\Admin\AppData\Local\Temp\9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89.bin.exe"1⤵
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\regini.exe"C:\Windows\System32\regini.exe" configure.xalm2⤵PID:960
-