Analysis

max time kernel: 63s
max time network: 122s
platform: windows10_x64
resource: win10v20210408
submitted: 12-07-2021 18:43

Static task: static1
Behavioral task: behavioral1
Sample: 11.bin.exe
Resource: win7v20210410
General

Target: 11.bin.exe
Size: 1.2MB
MD5: b75c7acd1f22f27112a92743c1e690b1
SHA1: 213a9b0791dd4a33633920d9327f226b9db5c827
SHA256: 28d2e300adc2a932e546456edb9439f2edc216c737aa68665887979e3512dde0
SHA512: 0c0581cef5fee7a09d72bc58a03b9d08f4c1bb0388fefeb603e7001f5c73db73d8d172ed53d2e0da62c78ab710b9d96246c1a175dbbced296605ca00dfe3aa1f
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  2644  Lucky Fixed.exe
  2872  Decoder.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  10    api.ipify.org
  12    ip-api.com
  16    freegeoip.app
  17    freegeoip.app
  9     api.ipify.org

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                         process
  Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             Decoder.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  Decoder.exe

Delays execution with timeout.exe (1 IoCs)
Processes:
  pid  process
  208  timeout.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid   process
  2644  Lucky Fixed.exe
  2644  Lucky Fixed.exe
  2872  Decoder.exe
  2872  Decoder.exe
  2872  Decoder.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2644  Lucky Fixed.exe
  Token: SeDebugPrivilege  2872  Decoder.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  description                       pid   process          target process
  PID 3492 wrote to memory of 2328  3492  11.bin.exe       cmd.exe
  PID 3492 wrote to memory of 2328  3492  11.bin.exe       cmd.exe
  PID 3492 wrote to memory of 2644  3492  11.bin.exe       Lucky Fixed.exe
  PID 3492 wrote to memory of 2644  3492  11.bin.exe       Lucky Fixed.exe
  PID 2328 wrote to memory of 2076  2328  cmd.exe          cmd.exe
  PID 2328 wrote to memory of 2076  2328  cmd.exe          cmd.exe
  PID 2644 wrote to memory of 2872  2644  Lucky Fixed.exe  Decoder.exe
  PID 2644 wrote to memory of 2872  2644  Lucky Fixed.exe  Decoder.exe
  PID 2644 wrote to memory of 2872  2644  Lucky Fixed.exe  Decoder.exe
  PID 2644 wrote to memory of 3844  2644  Lucky Fixed.exe  cmd.exe
  PID 2644 wrote to memory of 3844  2644  Lucky Fixed.exe  cmd.exe
  PID 3844 wrote to memory of 208   3844  cmd.exe          timeout.exe
  PID 3844 wrote to memory of 208   3844  cmd.exe          timeout.exe
Processes

C:\Users\Admin\AppData\Local\Temp\11.bin.exe  (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11.bin.exe"
  PID: 3492
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe  (level 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\11.bat" "
    PID: 2328
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe  (level 3)
      Command line: cmd
      PID: 2076

  C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe  (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Lucky Fixed.exe"
    PID: 2644
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\Decoder.exe  (level 3)
      Command line: "C:\ProgramData\Decoder.exe"
      PID: 2872
      - Executes dropped EXE
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe  (level 3)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
      PID: 3844
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\timeout.exe  (level 4)
        Command line: timeout 4
        PID: 208
        - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: c29c0d495ed13e703f433d53bdffdab8
SHA1: 74ed36e6b6027b61abcfe2956670ffd9de7fd71a
SHA256: 20309707aa6fc678963aace7685a37839d439c850b1ba399bdbfbbeddc10ed4b
SHA512: fea4c1066ee6df3ebb29a354678a3d0f1398cd216b92b261296fcff580b00e19cefe24d975beebcc41854cceef3df2702d569811358dae4203a924fb52cf5426

MD5: c29c0d495ed13e703f433d53bdffdab8
SHA1: 74ed36e6b6027b61abcfe2956670ffd9de7fd71a
SHA256: 20309707aa6fc678963aace7685a37839d439c850b1ba399bdbfbbeddc10ed4b
SHA512: fea4c1066ee6df3ebb29a354678a3d0f1398cd216b92b261296fcff580b00e19cefe24d975beebcc41854cceef3df2702d569811358dae4203a924fb52cf5426

MD5: 73712247036b6a24d16502c57a3e5679
SHA1: 65ca9edadb0773fc34db7dfefe9e6416f1ac17fa
SHA256: 8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0
SHA512: 548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

MD5: 9d90fceafccbb5fcb99d4b5561c1ee1e
SHA1: 047a96822761e48649f0c68c7f17a055c5dd6ca3
SHA256: a5e1970266b0f9cc93252b41191a0a0a6b30cb907ca9d8f2b5beef9d550886da
SHA512: 615b4ec0ca22bb04239aa9f72d235960d191885526827dc241e72b8bc08a4f1c83e64fc2d4ae832340cd476d3acfc2eb540b875f2980eda0e4847d2b29604023

MD5: c287b77c245838cb2434eb92ae94703d
SHA1: 580e0781c185063f8a193bb650bb91df79f73fd0
SHA256: 9c20d4054d168863670376c4961b29c50f03b3c76d307c9f894e5ba25d5605c2
SHA512: 308537568c896e78ccdf7d1003d3e92e853343991cc8b175d8a432de0a0a5d6c04ef3562b7ad0af396c114dd645b5bf32e5b6a156867db2cbad9835b18229c5c

MD5: c287b77c245838cb2434eb92ae94703d
SHA1: 580e0781c185063f8a193bb650bb91df79f73fd0
SHA256: 9c20d4054d168863670376c4961b29c50f03b3c76d307c9f894e5ba25d5605c2
SHA512: 308537568c896e78ccdf7d1003d3e92e853343991cc8b175d8a432de0a0a5d6c04ef3562b7ad0af396c114dd645b5bf32e5b6a156867db2cbad9835b18229c5c