Analysis
-
max time kernel
19s -
max time network
17s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
26-04-2022 03:48
Static task
static1
Behavioral task
behavioral1
Sample
bin.sh
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
bin.sh
-
Size
132KB
-
MD5
59ce0baba11893f90527fc951ac69912
-
SHA1
5857a7dd621c4c3ebb0b5a3bec915d409f70d39f
-
SHA256
4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7
-
SHA512
c5b12797b477e5e5964a78766bb40b1c0d9fdfb8eef1f9aee3df451e3441a40c61d325bf400ba51048811b68e1c70a95f15e4166b7a65a4eca0c624864328647
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
Processes:
cmd.exeOpenWith.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings OpenWith.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 4156 NOTEPAD.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
OpenWith.exepid process 2336 OpenWith.exe -
Suspicious use of SetWindowsHookEx 21 IoCs
Processes:
OpenWith.exepid process 2336 OpenWith.exe 2336 OpenWith.exe 2336 OpenWith.exe 2336 OpenWith.exe 2336 OpenWith.exe 2336 OpenWith.exe 2336 OpenWith.exe 2336 OpenWith.exe 2336 OpenWith.exe 2336 OpenWith.exe 2336 OpenWith.exe 2336 OpenWith.exe 2336 OpenWith.exe 2336 OpenWith.exe 2336 OpenWith.exe 2336 OpenWith.exe 2336 OpenWith.exe 2336 OpenWith.exe 2336 OpenWith.exe 2336 OpenWith.exe 2336 OpenWith.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
OpenWith.exedescription pid process target process PID 2336 wrote to memory of 4156 2336 OpenWith.exe NOTEPAD.EXE PID 2336 wrote to memory of 4156 2336 OpenWith.exe NOTEPAD.EXE
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\bin.sh1⤵
- Modifies registry class
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\bin.sh2⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4156-130-0x0000000000000000-mapping.dmp