Analysis

Max time kernel: 118s
Max time network: 165s
Platform: windows7_x64
Resource: win7v20210410
Submitted: 12-07-2021 18:43

Static task: static1
Behavioral task: behavioral1 (sample: 11.bin.exe, resource: win7v20210410)
General

Target: 11.bin.exe
Size: 1.2MB
MD5: b75c7acd1f22f27112a92743c1e690b1
SHA1: 213a9b0791dd4a33633920d9327f226b9db5c827
SHA256: 28d2e300adc2a932e546456edb9439f2edc216c737aa68665887979e3512dde0
SHA512: 0c0581cef5fee7a09d72bc58a03b9d08f4c1bb0388fefeb603e7001f5c73db73d8d172ed53d2e0da62c78ab710b9d96246c1a175dbbced296605ca00dfe3aa1f
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Process: PID 1744, Lucky Fixed.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows:
    flow 10: ip-api.com
    flow 6:  api.ipify.org
    flow 7:  api.ipify.org

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: PID 1744, Lucky Fixed.exe (all 64 occurrences)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: PID 1744, Lucky Fixed.exe; Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (9 IoCs)
  Source PID  Source process  Target PID  Target process   Count
  1644        11.bin.exe      1752        cmd.exe          3
  1752        cmd.exe         1788        cmd.exe          3
  1644        11.bin.exe      1744        Lucky Fixed.exe  3
  Every target here is a direct child of its source in the process tree below, and each pair shows exactly three writes at process creation; this is the pattern of a parent setting up a child it has just started, not of injection into an unrelated process, so treat this signature as supporting evidence for the tree rather than as an injection finding on its own.
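The "Looks up external IP address via web service" signature above records three flows from the dropped process to ip-api.com and api.ipify.org. The following is an added example, not part of the sandbox report, of detection logic that finds such flows in a proxy log and ranks processes by how often they repeat the lookup; the log line format, the field names and the service domains other than ip-api.com and api.ipify.org are assumptions, and the log lines are constructed to mirror the report's flows.

```python
"""Flag outbound connections to public IP-lookup services in a proxy log.

Added example (not from the sandbox report). The log format is a constructed,
simplified proxy log; the field names and the service domains beyond
ip-api.com and api.ipify.org are assumptions.
"""
import re
from typing import Dict, Iterable, List, Optional

# Services a process uses to learn its public IP. The first two are the
# report's IOCs; the remaining entries are common alternatives (assumed).
IP_LOOKUP_SERVICES = {
    "ip-api.com",
    "api.ipify.org",
    "icanhazip.com",
    "checkip.amazonaws.com",
    "ifconfig.me",
}

# Constructed proxy log: flow id, process, destination host, URL path.
# Flows 6, 7 and 10 mirror the report; 8 and 11 are benign controls.
SAMPLE_LOG = """\
flow=6 pid=1744 image="Lucky Fixed.exe" host=api.ipify.org path=/
flow=7 pid=1744 image="Lucky Fixed.exe" host=api.ipify.org path=/?format=json
flow=8 pid=2012 image=chrome.exe host=www.example.org path=/index.html
flow=10 pid=1744 image="Lucky Fixed.exe" host=ip-api.com path=/json/
flow=11 pid=2012 image=chrome.exe host=cdn.example.org path=/app.js
"""

LINE_RE = re.compile(
    r'flow=(?P<flow>\d+)\s+pid=(?P<pid>\d+)\s+image=(?P<image>"[^"]*"|\S+)'
    r'\s+host=(?P<host>\S+)\s+path=(?P<path>\S*)'
)


def _matches_service(host: str) -> Optional[str]:
    """Return the service name if host is that domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    for svc in IP_LOOKUP_SERVICES:
        if host == svc or host.endswith("." + svc):
            return svc
    return None


def find_ip_lookup_flows(lines: Iterable[str]) -> List[dict]:
    """One record per log line whose destination is an IP-lookup service."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; skip rather than guess
        svc = _matches_service(m["host"])
        if svc is None:
            continue
        hits.append({
            "flow": int(m["flow"]),
            "pid": int(m["pid"]),
            "image": m["image"].strip('"'),
            "service": svc,
        })
    return hits


def pids_by_lookup_count(lines: Iterable[str], threshold: int = 2) -> Dict[int, int]:
    """PIDs that reach IP-lookup services at least `threshold` times.

    A single lookup can be benign (some updaters do it); repeated lookups by
    one process, as in the report, are the stronger signal.
    """
    counts: Dict[int, int] = {}
    for hit in find_ip_lookup_flows(lines):
        counts[hit["pid"]] = counts.get(hit["pid"], 0) + 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for hit in find_ip_lookup_flows(SAMPLE_LOG.splitlines()):
        print(hit)
    print(pids_by_lookup_count(SAMPLE_LOG.splitlines()))
```

Suffix matching on the domain rather than exact equality catches `sub.ip-api.com` while not matching look-alikes such as `notip-api.com`; the per-PID threshold is what separates an updater's one-off lookup from the three flows the dropped executable made here.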
Processes

C:\Users\Admin\AppData\Local\Temp\11.bin.exe  (PID 1644, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11.bin.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe  (PID 1752, depth 2, parent 1644)
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\11.bat" "
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe  (PID 1788, depth 3, parent 1752)
      Command line: cmd

  C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe  (PID 1744, depth 2, parent 1644)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
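The process tree above is the core of the report: the sample in %TEMP% runs a batch file through cmd.exe and then starts a second executable, also in %TEMP%, which is the one that enumerates processes and takes SeDebugPrivilege. As an added example, not part of the sandbox report, the code below rebuilds such a tree from process-creation events and flags the two relationships worth alerting on: a %TEMP% executable starting a different %TEMP% executable, and a %TEMP% executable running cmd.exe on a batch file in %TEMP%. The event records are constructed to mirror the report's PIDs and command lines, and the field names (pid, ppid, image, cmdline) and the extra control PIDs 1000 and 2200 are assumptions.

```python
"""Rebuild a process tree from process-creation events and flag the
dropped-EXE chain the report shows.

Added example; not part of the sandbox report. Events are constructed to
mirror the report's PIDs and command lines; field names are an assumption.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed process-creation events (Sysmon event 1 style, simplified).
# PID 1000 stands in for the shell that launched the sample; 2200 is a
# benign control that runs from %TEMP% but spawns nothing from there.
EVENTS: List[Dict] = [
    {"pid": 1644, "ppid": 1000,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\11.bin.exe",
     "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\11.bin.exe"'},
    {"pid": 1752, "ppid": 1644,
     "image": "C:\\Windows\\system32\\cmd.exe",
     "cmdline": 'cmd /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\11.bat" "'},
    {"pid": 1788, "ppid": 1752,
     "image": "C:\\Windows\\system32\\cmd.exe", "cmdline": "cmd"},
    {"pid": 1744, "ppid": 1644,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\Lucky Fixed.exe",
     "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\Lucky Fixed.exe"'},
    {"pid": 2200, "ppid": 1000,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\setup.exe",
     "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\setup.exe" /quiet'},
]

TEMP_MARKER = "\\appdata\\local\\temp\\"
BATCH_RE = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)


def in_temp(path: str) -> bool:
    """True if the path (or command line) refers to the user's %TEMP%."""
    return TEMP_MARKER in path.lower()


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def index(events):
    """Map pid -> event and ppid -> [child pids] (children in event order)."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def render_tree(events, root: int) -> List[str]:
    """Indented 'image (pid)' lines for the subtree under `root`."""
    by_pid, children = index(events)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{basename(by_pid[pid]['image'])} ({pid})")
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root, 0)
    return lines


def flag_dropped_exe(events) -> List[Tuple[int, int]]:
    """(parent, child) pairs where a %TEMP% executable starts a different
    %TEMP% executable: the 'Executes dropped EXE' pattern."""
    by_pid, _ = index(events)
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # parent outside the captured events
        if (in_temp(e["image"]) and in_temp(parent["image"])
                and e["image"].lower() != parent["image"].lower()):
            hits.append((parent["pid"], e["pid"]))
    return hits


def flag_batch_from_temp(events) -> List[Tuple[int, int]]:
    """(parent, child) pairs where a %TEMP% executable runs cmd.exe /c on a
    batch file that also lives in %TEMP%."""
    by_pid, _ = index(events)
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or not in_temp(parent["image"]):
            continue
        if basename(e["image"]).lower() != "cmd.exe":
            continue
        cmd = e["cmdline"].lower()
        if "/c" in cmd and BATCH_RE.search(cmd) and in_temp(cmd):
            hits.append((parent["pid"], e["pid"]))
    return hits


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS, 1644)))
    print("dropped EXE:", flag_dropped_exe(EVENTS))
    print("batch from %TEMP%:", flag_batch_from_temp(EVENTS))
```

Neither rule is conclusive alone: installers routinely run `cmd /c` on a batch file from %TEMP%. The two hits landing in the same subtree, with the child process also taking SeDebugPrivilege as the report's AdjustPrivilegeToken signature shows, is what makes this tree worth escalating.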
Network
MITRE ATT&CK Enterprise v6
Downloads

Entry 1
  MD5: 9d90fceafccbb5fcb99d4b5561c1ee1e
  SHA1: 047a96822761e48649f0c68c7f17a055c5dd6ca3
  SHA256: a5e1970266b0f9cc93252b41191a0a0a6b30cb907ca9d8f2b5beef9d550886da
  SHA512: 615b4ec0ca22bb04239aa9f72d235960d191885526827dc241e72b8bc08a4f1c83e64fc2d4ae832340cd476d3acfc2eb540b875f2980eda0e4847d2b29604023

Entry 2
  MD5: c287b77c245838cb2434eb92ae94703d
  SHA1: 580e0781c185063f8a193bb650bb91df79f73fd0
  SHA256: 9c20d4054d168863670376c4961b29c50f03b3c76d307c9f894e5ba25d5605c2
  SHA512: 308537568c896e78ccdf7d1003d3e92e853343991cc8b175d8a432de0a0a5d6c04ef3562b7ad0af396c114dd645b5bf32e5b6a156867db2cbad9835b18229c5c

Entry 3
  Identical to entry 2 (same MD5, SHA1, SHA256 and SHA512), i.e. the same content recorded a second time.
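The hashes in this report (the submitted sample and the dropped files) are the artefacts a responder will want to sweep for. As an added example that is not part of the sandbox report, the code below hashes a file in a single pass with all four algorithms the report uses and matches the result against an IOC table that may carry any subset of those algorithms, since feeds are often MD5-only. The IOC digests are copied from this report; the entry labels are assumptions because the file-name column of the Downloads section did not survive extraction.

```python
"""One-pass MD5/SHA-1/SHA-256/SHA-512 of a file, matched against IOC hashes.

Added example, not from the sandbox report. The digests in REPORT_IOCS are
the ones the report lists; the labels are assumptions (the report's file
names did not survive extraction).
"""
import hashlib
import io
from typing import BinaryIO, Dict, List, Optional, Tuple

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Digests copied from the report (SHA-512 omitted for brevity). The report's
# second and third Downloads entries carry identical hashes, so one suffices.
REPORT_IOCS: List[Dict[str, str]] = [
    {"label": "11.bin.exe (submitted sample)",
     "md5": "b75c7acd1f22f27112a92743c1e690b1",
     "sha1": "213a9b0791dd4a33633920d9327f226b9db5c827",
     "sha256": "28d2e300adc2a932e546456edb9439f2edc216c737aa68665887979e3512dde0"},
    {"label": "downloads entry 1 (label assumed)",
     "md5": "9d90fceafccbb5fcb99d4b5561c1ee1e",
     "sha1": "047a96822761e48649f0c68c7f17a055c5dd6ca3",
     "sha256": "a5e1970266b0f9cc93252b41191a0a0a6b30cb907ca9d8f2b5beef9d550886da"},
    {"label": "downloads entry 2 (label assumed)",
     "md5": "c287b77c245838cb2434eb92ae94703d",
     "sha1": "580e0781c185063f8a193bb650bb91df79f73fd0",
     "sha256": "9c20d4054d168863670376c4961b29c50f03b3c76d307c9f894e5ba25d5605c2"},
]


def digest_stream(fh: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Read the stream once, feeding each chunk to all four hashers, so a
    large file is not re-read per algorithm."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    while True:
        chunk = fh.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes) -> Dict[str, str]:
    return digest_stream(io.BytesIO(data))


def match_ioc(digests: Dict[str, str],
              iocs: List[Dict[str, str]] = REPORT_IOCS) -> Optional[Tuple[str, str]]:
    """Return (label, algorithm) for the first IOC entry with a matching hash.

    Each entry may carry any subset of ALGOS; one matching algorithm is a hit.
    Comparison is case-insensitive because feeds mix upper- and lower-case hex.
    """
    for entry in iocs:
        for name in ALGOS:
            expected = entry.get(name)
            if expected and expected.lower() == digests.get(name, "").lower():
                return entry["label"], name
    return None


if __name__ == "__main__":
    # Constructed input: a stand-in for a file under investigation.
    sample = digest_bytes(b"not the real sample")
    print(sample["sha256"], match_ioc(sample))
```

When sweeping endpoints, prefer matching on SHA-256 where the feed has it; MD5 and SHA-1 are retained here only because many sandbox exports and older feeds publish nothing else.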