Analysis

  • max time kernel
    118s
  • max time network
    165s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    12-07-2021 18:43

General

  • Target

    11.bin.exe

  • Size

    1.2MB

  • MD5

    b75c7acd1f22f27112a92743c1e690b1

  • SHA1

    213a9b0791dd4a33633920d9327f226b9db5c827

  • SHA256

    28d2e300adc2a932e546456edb9439f2edc216c737aa68665887979e3512dde0

  • SHA512

    0c0581cef5fee7a09d72bc58a03b9d08f4c1bb0388fefeb603e7001f5c73db73d8d172ed53d2e0da62c78ab710b9d96246c1a175dbbced296605ca00dfe3aa1f

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, and autofill data.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP. Legitimate software does this too, so the indicator is weak on its own and is mainly useful in combination with the others.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Often seen in ransomware, but drive enumeration is also common in infostealers looking for files to harvest, so it is not conclusive by itself.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\11.bin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\11.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\system32\cmd.exe
        cmd
        3⤵
          PID:1788
      • C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe
        "C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1744
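
The process tree above (sample spawns cmd.exe with a .bat from the user's Temp directory, which then launches the dropped "Lucky Fixed.exe") is the pattern behind the "Executes dropped EXE" signature. The following is an added example, not part of the Triage report or its tooling: it rebuilds that chain from constructed Sysmon-style process and file records and applies two rules to it. The paths, PIDs and SHA256 values are taken from the report; the field names, the parent PID 1000, the notepad.exe decoy, and the attribution of the file writes to PID 1644 (the report does not say which process wrote the files) are assumptions.

```python
"""Added example, not part of the Triage report: rebuild the process chain
from constructed Sysmon-style records and flag the two behaviours the
report's signatures describe ("Executes dropped EXE", a batch file run from
the user's Temp directory). Field names and the benign decoy event are
assumptions; paths, PIDs and hashes come from the report."""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterator

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
BATCH_RE = re.compile(r'"([^"]+\.(?:bat|cmd))"', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class FileEvent:
    pid: int      # process that wrote the file
    path: str
    sha256: str


# Constructed from the report's process tree. PID 1000 (the parent of the
# sample) and the notepad.exe decoy are assumptions added so the rules have
# a negative case to ignore.
EVENTS = [
    ProcEvent(1644, 1000, r"C:\Users\Admin\AppData\Local\Temp\11.bin.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\11.bin.exe"'),
    ProcEvent(1752, 1644, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\11.bat" "'),
    ProcEvent(1788, 1752, r"C:\Windows\system32\cmd.exe", "cmd"),
    ProcEvent(1744, 1752, r"C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe"'),
    ProcEvent(2200, 1000, r"C:\Windows\system32\notepad.exe", "notepad"),
]

# The report lists these two files as dropped; it does not say which process
# wrote them, so attributing the writes to the sample (PID 1644) is an assumption.
FILES = [
    FileEvent(1644, r"C:\Users\Admin\AppData\Local\Temp\11.bat",
              "a5e1970266b0f9cc93252b41191a0a0a6b30cb907ca9d8f2b5beef9d550886da"),
    FileEvent(1644, r"C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe",
              "9c20d4054d168863670376c4961b29c50f03b3c76d307c9f894e5ba25d5605c2"),
]


def ancestors(pid: int, by_pid: dict[int, ProcEvent]) -> Iterator[int]:
    """Yield pid and every recorded ancestor, stopping at an unrecorded parent
    or a PID cycle (sensors do see PID reuse)."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield pid
        pid = by_pid[pid].ppid


def chain(pid: int, events: list[ProcEvent]) -> list[str]:
    """Image basenames from the outermost recorded ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    return [ntpath.basename(by_pid[p].image) for p in ancestors(pid, by_pid)][::-1]


def analyse(events: list[ProcEvent], files: list[FileEvent]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, evidence) tuples for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    dropped = {f.path.lower(): f for f in files}
    findings = []
    for ev in events:
        # Rule 1: an EXE executed from a path that an ancestor process wrote
        # earlier in the same tree. This is the "Executes dropped EXE" pattern;
        # requiring the writer to be an ancestor keeps unrelated installs out.
        key = ev.image.lower()
        if key.endswith(".exe") and key in dropped:
            if dropped[key].pid in set(ancestors(ev.ppid, by_pid)):
                findings.append(("executes_dropped_exe", ev.pid, ev.image))
        # Rule 2: cmd.exe given a .bat/.cmd that lives under the user's Temp
        # directory, as in the `cmd /c ""...\11.bat" "` line above. The doubled
        # quotes are how cmd /c passes a quoted path; the regex tolerates them.
        m = BATCH_RE.search(ev.cmdline)
        if ntpath.basename(ev.image).lower() == "cmd.exe" and m and TEMP_RE.search(m.group(1)):
            findings.append(("batch_from_temp", ev.pid, m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, pid, evidence in analyse(EVENTS, FILES):
        print(f"{rule:22} pid={pid:<5} {' > '.join(chain(pid, EVENTS))}  [{evidence}]")
```

Run against the constructed records, the two rules fire only on PID 1752 (the batch launch) and PID 1744 (the dropped EXE); the intermediate bare `cmd` (PID 1788) and the decoy stay quiet. Tying rule 1 to a file write by an ancestor in the same tree, rather than to "any EXE in Temp", is what separates this behaviour from ordinary installers that also run from Temp.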

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\11.bat

      MD5

      9d90fceafccbb5fcb99d4b5561c1ee1e

      SHA1

      047a96822761e48649f0c68c7f17a055c5dd6ca3

      SHA256

      a5e1970266b0f9cc93252b41191a0a0a6b30cb907ca9d8f2b5beef9d550886da

      SHA512

      615b4ec0ca22bb04239aa9f72d235960d191885526827dc241e72b8bc08a4f1c83e64fc2d4ae832340cd476d3acfc2eb540b875f2980eda0e4847d2b29604023

    • C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe

      MD5

      c287b77c245838cb2434eb92ae94703d

      SHA1

      580e0781c185063f8a193bb650bb91df79f73fd0

      SHA256

      9c20d4054d168863670376c4961b29c50f03b3c76d307c9f894e5ba25d5605c2

      SHA512

      308537568c896e78ccdf7d1003d3e92e853343991cc8b175d8a432de0a0a5d6c04ef3562b7ad0af396c114dd645b5bf32e5b6a156867db2cbad9835b18229c5c

    • memory/1644-59-0x0000000001080000-0x0000000001081000-memory.dmp

      Filesize

      4KB

    • memory/1644-69-0x000000001B2C0000-0x000000001B2C2000-memory.dmp

      Filesize

      8KB

    • memory/1744-64-0x0000000000000000-mapping.dmp

    • memory/1744-67-0x0000000001000000-0x0000000001001000-memory.dmp

      Filesize

      4KB

    • memory/1744-70-0x0000000000A40000-0x0000000000AB1000-memory.dmp

      Filesize

      452KB

    • memory/1744-71-0x000000001B1B0000-0x000000001B1B2000-memory.dmp

      Filesize

      8KB

    • memory/1752-61-0x0000000000000000-mapping.dmp

    • memory/1788-63-0x0000000000000000-mapping.dmp