Resubmissions

04-09-2021 18:09

210904-wrxmsshegj 10

31-08-2020 12:21

200831-tnfgvzw7da 10

Analysis

  • max time kernel
    151s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    04-09-2021 18:09

General

  • Target

    bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe

  • Size

    77KB

  • MD5

    4e24780d9700a1cb9d741d7ef51889f1

  • SHA1

    4700da92e1f99b576ff517d3fa18103c67ac0d11

  • SHA256

    bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4

  • SHA512

    c1d2501b95822796d6116711d426463dd95fd059201e11cf19f9ba8709782e6997cd4d2c04eb163199d305e04e04462ed032a53f50f9df0f4ff495dfb75450a0

Malware Config

Signatures

  • InfinityLock Ransomware

    Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.

  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\bfaebc86c1712aa80f501d859de686078b9f21e89174bd23a19b27af93b40ce4.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:3940
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2056
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4232

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3940-115-0x0000000000F60000-0x0000000000F61000-memory.dmp

      Filesize

      4KB

    • memory/3940-117-0x00000000030B0000-0x00000000030D9000-memory.dmp

      Filesize

      164KB

    • memory/3940-118-0x00000000058B0000-0x00000000058B1000-memory.dmp

      Filesize

      4KB

    • memory/3940-119-0x0000000005E50000-0x0000000005E51000-memory.dmp

      Filesize

      4KB

    • memory/3940-120-0x0000000005950000-0x0000000005951000-memory.dmp

      Filesize

      4KB

    • memory/3940-121-0x00000000030E0000-0x00000000030E1000-memory.dmp

      Filesize

      4KB

    • memory/3940-122-0x0000000005820000-0x0000000005821000-memory.dmp

      Filesize

      4KB

    • memory/3940-123-0x0000000005B40000-0x0000000005B41000-memory.dmp

      Filesize

      4KB

    • memory/3940-124-0x0000000008EF0000-0x0000000008EF1000-memory.dmp

      Filesize

      4KB

    • memory/3940-125-0x00000000030E3000-0x00000000030E5000-memory.dmp

      Filesize

      8KB