Overview

overview

8

Static

static

282b7a6d16...le.exe

windows10_x64

8

Resubmissions

20-10-2021 11:41

211020-ntmllshaa3 8

20-10-2021 11:38

211020-nryabshhdk 8

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    20-10-2021 11:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe

  • Size

    52KB

  • MD5

    28945b625617cfdcc444b428de0a7a00

  • SHA1

    9cab670cd0d11e901cdb3f197aa18f1a6e2930ba

  • SHA256

    282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636

  • SHA512

    eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Discovers systems in the same network 1 TTPs 2 IoCs
    discovery
  • NTFS ADS 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe"
    1⤵
    • Adds Run key to start application
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\cQbe4eP\Jpci0xA.exe 2
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1088
      • C:\Users\Admin\AppData\Local\cQbe4eP\Jpci0xA.exe
        C:\Users\Admin\AppData\Local\cQbe4eP\Jpci0xA.exe 2
        3⤵
        • Executes dropped EXE
        • NTFS ADS
        • Suspicious use of WriteProcessMemory
        PID:1296
        • C:\Users\Admin\AppData\Local\jF1JK:exe
          C:\Users\Admin\AppData\Local\jF1JK:exe 3 C:\Users\Admin\AppData\Local\cQbe4eP\Jpci0xA.exe
          4⤵
          • Executes dropped EXE
          • Drops desktop.ini file(s)
          • Drops file in Program Files directory
          PID:3700
    • C:\Users\Admin\AppData\Local\q4wc:exe
      C:\Users\Admin\AppData\Local\q4wc:exe 1 C:\Users\Admin\AppData\Local\Temp\282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636.bin.sample.exe
      2⤵
      • Executes dropped EXE
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:928
      • C:\Windows\SysWOW64\net.exe
        C:\Windows\system32\net.exe view
        3⤵
        • Discovers systems in the same network
        PID:764
      • C:\Windows\SysWOW64\net.exe
        C:\Windows\system32\net.exe view \\RSSLLXYN
        3⤵
        • Discovers systems in the same network
        PID:1696
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\KOPoz7\pGOFbz.exe
    MD5

    28945b625617cfdcc444b428de0a7a00

    SHA1

    9cab670cd0d11e901cdb3f197aa18f1a6e2930ba

    SHA256

    282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636

    SHA512

    eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d

    Download Submit
  • C:\Users\Admin\AppData\Local\cQbe4eP\Jpci0xA.exe
    MD5

    28945b625617cfdcc444b428de0a7a00

    SHA1

    9cab670cd0d11e901cdb3f197aa18f1a6e2930ba

    SHA256

    282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636

    SHA512

    eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d

    Download Submit
  • C:\Users\Admin\AppData\Local\cQbe4eP\Jpci0xA.exe
    MD5

    28945b625617cfdcc444b428de0a7a00

    SHA1

    9cab670cd0d11e901cdb3f197aa18f1a6e2930ba

    SHA256

    282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636

    SHA512

    eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d

    Download Submit
  • C:\Users\Admin\AppData\Local\jF1JK:exe
    MD5

    28945b625617cfdcc444b428de0a7a00

    SHA1

    9cab670cd0d11e901cdb3f197aa18f1a6e2930ba

    SHA256

    282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636

    SHA512

    eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d

    Download Submit
  • C:\Users\Admin\AppData\Local\jF1JK:exe
    MD5

    28945b625617cfdcc444b428de0a7a00

    SHA1

    9cab670cd0d11e901cdb3f197aa18f1a6e2930ba

    SHA256

    282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636

    SHA512

    eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d

    Download Submit
  • C:\Users\Admin\AppData\Local\q4wc:exe
    MD5

    28945b625617cfdcc444b428de0a7a00

    SHA1

    9cab670cd0d11e901cdb3f197aa18f1a6e2930ba

    SHA256

    282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636

    SHA512

    eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d

    Download Submit
  • C:\Users\Admin\AppData\Local\q4wc:exe
    MD5

    28945b625617cfdcc444b428de0a7a00

    SHA1

    9cab670cd0d11e901cdb3f197aa18f1a6e2930ba

    SHA256

    282b7a6d1648e08c02846820324d932ccc224affe94793e9d63ff46818003636

    SHA512

    eab6d0816c972a435e11e195194699748058127203bc726061689f986d6dbc49978b4e78b7f93d550233f2f22046888b938ad8ac9c4cf01cfb3de08cf642f19d

    Download Submit
  • memory/764-122-0x0000000000000000-mapping.dmp
    Download
  • memory/928-116-0x0000000000000000-mapping.dmp
    Download
  • memory/1088-115-0x0000000000000000-mapping.dmp
    Download
  • memory/1296-119-0x0000000000000000-mapping.dmp
    Download
  • memory/1696-126-0x0000000000000000-mapping.dmp
    Download
  • memory/3700-123-0x0000000000000000-mapping.dmp
    Download